After further analysis by multiple researchers, it is believed that the Ryuk malware is actually the work of Russian-based cyber-criminals and not North Korean state-sponsored attackers, as previously thought. This revelation comes after further examination of the Ryuk ransomware following the attack over Christmas on U.S. media outlets. Ryuk is now being attributed to a group out of Russia known as Grim Spider. Another important revelation that came out of this analysis is that Ryuk was created out of a version of the Hermes ransomware which was modified to fulfill Grim Spider’s own needs. It was this utilization of the Hermes ransomware that led to the mis-attribution. Hermes had previously been used by North Korea during their high-profile attack on Far Eastern International Bank in Taiwan in October of 2017. A number of researchers backed up their link to Grim Spider by pointing out that a number of the victims of Ryuk were first infected with TrickBot, which has been tied back to Grim Spider’s parent group, Wizard Spider.
