The Ryuk ransomware is most likely the creation of Russian financially-motivated cyber-criminals, and not North Korean state-sponsored hackers, according to reports published this week by four cyber-security firms --Crowdstrike, FireEye, Kryptos Logic, and McAfee.
These companies published these reports this week after several news outlets incorrectly attributed a Ryuk ransomware infection at a major US news media group that took place over the Christmas holiday on North Korean hackers
However, evidence suggests that the ransomware was created by a criminal group that Crowdstrike calls Grim Spider, who appears to have bought a version of the Hermes ransomware from a hacking forum, and modified it to their own requirements into what now is known as the Ryuk ransomware.
The confusion comes from the fact that North Korean state hackers deployed a version of the Hermes ransomware on the network of the Far Eastern International Bank (FEIB) in Taiwan after carrying out a hack in October 2017.
Researchers believe North Korean hackers bought the same Hermes ransomware kit from hacking forums, like the Grim Spider group, and deployed it on the bank's network as a distraction and to cover the tracks of their cyber-heist, and that there is no connection between the Pyongyang regime's hackers and the Ryuk ransomware strain.