New research now claims that the cybercriminals behind the Ryuk ransomware thefts of some 705.08 Bitcoin (BTC) ($2.5 million) since August last year are likely from Russia – not North Korea as previously believed.

The Next Web’s crypto-focused news site Hard Fork cites findings from cybersecurity firms McAfee Labs and Crowdstrike to support the new theory. In examining the usage of Ryuk ransomware, McAfee and Crowdstrike noted that while Ryuk and Hermes 2.1 bear similarities in coding, it is likely Ryuk is a modified strain of the latter.

Hermes is ransomware commonly thought to be used by North Korea, but supposedly does not support Russian or other Eastern European languages. The malware kit for Hermes 2.1 is sold underground, and therefore could have been adapted into Ryuk.

The cybersecurity firms also believe the group using Ryuk is possibly GRIM SPIDER – a Russia-based cybercriminal cell. Ryuk is originally the name of the supernatural creature from the Japanese manga Death Note, which carries out written orders to kill people.

Ryuk’s campaign has attracted major attention recently from targeting Tribune Publishing, a major US media group.