Ryuk Ransomware: A Targeted Campaign Break-Down

2018-08-21 Checkpoint

https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

Check Point analyzed Ryuk as a targeted ransomware campaign that hit several enterprises worldwide and produced large ransom payments, with infections manually focused on critical systems after prior network mapping and credential collection. The researchers found strong code-level overlap between Ryuk and HERMES ransomware, including similar file-encryption logic, identical encrypted-file marker handling, shared exclusions such as Ahnlab and Microsoft folders, and comparable artifacts including window.bat, PUBLIC, and UNIQUE_ID_DO_NOT_REMOVE. HERMES had previously been used in the Far Eastern International Bank attack commonly attributed to Lazarus, but the report frames Ryuk attribution cautiously as either HERMES operators or another actor possessing HERMES source code. Ryuk’s dropper selected 32- or 64-bit payloads, killed many security, backup, database, and office-related processes and services, established Run-key persistence, and attempted process injection before encrypting files.

Indicators of Compromise

