Maybe "be tied to" means "have been purchased from" And you know, faking IP addresses is easy. I could be posting from a North Korean IPv4, if I wanted to
Seriously, don't these guys run any anti-ransomware tools? I do understand that this Ryuk ransomware was probably installed manually (not via exploit) by the attackers, but security software still would have stopped it, I guess.