Ryuk ransomware attacks businesses over the holidays

2019-01-08 Malwarebytes

https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/


Ryuk ransomware disrupted Tribune Publishing and Data Resolution around the 2018 holiday period, encrypting networked resources, deleting shadow copies, and interrupting business operations such as newspaper printing and cloud-hosting services. The article describes Ryuk as a selectively deployed secondary payload that likely follows Emotet and TrickBot activity, with a human operator judging whether a compromised network is valuable enough to warrant ransomware deployment. It notes that Ryuk shares code and string similarities with Hermes, including Hermes markers and the same whitelisted-folder behavior, which led some analysts and journalists to speculate about North Korean involvement because Hermes had been attributed to Lazarus. The article does not establish DPRK attribution for these Ryuk incidents; it presents the Hermes/Lazarus connection as one theory among other explanations for Ryuk's role after an Emotet and TrickBot compromise.
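As an added detection example (not code from the article or from Malwarebytes), the following Python flags process-creation events whose command lines destroy Volume Shadow Copies, the behavior the summary above attributes to Ryuk. The sample events are constructed, and the specific command lines matched (vssadmin, wmic, wbadmin) are an assumption about how such deletion is typically carried out, not details given in the article.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "print-srv-01", "parent": r"C:\Users\Public\stage2.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "print-srv-01", "parent": r"C:\Users\Public\stage2.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "file-srv-02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe List Shadows"},          # benign: listing, not deleting
    {"host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Command-line shapes for shadow-copy / backup-catalog destruction. These are assumed
# patterns commonly used in ransomware detections, not strings taken from the article.
SHADOW_DESTRUCTION_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete":  re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin delete catalog":  re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}


def detect_shadow_copy_deletion(events):
    """Return one alert dict per event whose command line matches a destruction pattern.

    Listing or creating shadow copies does not match, so routine backup tooling that only
    enumerates snapshots is not flagged.
    """
    alerts = []
    for ev in events:
        for name, pattern in SHADOW_DESTRUCTION_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "rule": name,
                               "parent": ev["parent"], "cmdline": ev["cmdline"]})
                break  # one alert per event is enough
    return alerts


def hosts_with_shadow_copy_deletion(events):
    """Sorted, de-duplicated list of hosts that emitted at least one destruction command.

    Multiple hits on one host shortly before mass file changes are the pattern an analyst
    would triage first, since they precede the encryption phase.
    """
    return sorted({a["host"] for a in detect_shadow_copy_deletion(events)})


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['rule']}: {alert['cmdline']} (parent {alert['parent']})")
```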

Indicators of Compromise

Type     Value               First Seen   Last Seen
DOMAIN   dataresolution.net  2019-01-02   2019-01-08
