After further analysis by multiple researchers, the Ryuk malware is now believed to be the work of Russia-based cyber-criminals and not North Korean state-sponsored attackers, as previously thought. This revelation follows further examination of the Ryuk ransomware after the attack over Christmas on U.S. media outlets. Ryuk is now being attributed to a group out of Russia known as Grim Spider. The analysis also showed that Ryuk was built from a version of the Hermes ransomware, modified to fulfill Grim Spider’s own needs. It was this use of Hermes that led to the misattribution: Hermes had previously been used by North Korea during its high-profile attack on Far Eastern International Bank in Taiwan in October of 2017. Researchers backed up the link to Grim Spider by pointing out that a number of Ryuk’s victims were first infected with TrickBot, which has been tied back to Grim Spider’s parent group, Wizard Spider.