The attacks typically start by infecting systems with TrickBot malware (often delivered through spam email), which establishes access and, importantly, lets the intruders study their targets to gauge the money-making potential. They look for the most critical systems and, as Ars Technica noted, will even pass on launching the Ryuk ransomware if the organization isn't large enough. This scouting will be somewhat familiar if you've seen campaigns like SamSam (the ransomware that hit the city of Atlanta), and it's just as disconcerting.
The operators are patient, too. They'll wait as long as a "full year" to encrypt a victim's data and demand a ransom, FireEye said.
It's not certain just who the perpetrators are, but the two security groups don't believe the attackers are North Korean despite the name. Instead, CrowdStrike (which nicknamed the attackers Grim Spider) suggests they might be Russian, based on internet addresses and the occasional language reference. Either way, it's clear that ransomware is becoming all too profitable and could be a serious problem for larger companies and governments in the near future.