North Korean Group Partners with Play Ransomware in Major Cyber Attack

North Korean Threat Actors Collaborate with Play Ransomware: A New Era of Cybercrime

In a significant development in the world of cybersecurity, North Korean threat actors have been implicated in a recent incident involving the deployment of the Play ransomware family. This collaboration highlights the evolving landscape of cybercrime, where state-sponsored groups are increasingly aligning with underground ransomware networks for financial gain. The activity, observed between May and September 2024, has been attributed to a group known as Jumpy Pisces, also referred to by various aliases including Andariel, APT45, and DarkSeoul.

The Emergence of Jumpy Pisces

Jumpy Pisces has been active since at least 2009 and is affiliated with North Korea’s Reconnaissance General Bureau (RGB). This state-sponsored group has a history of deploying various ransomware strains, including SHATTEREDGLASS and Maui. The recent report from Palo Alto Networks’ Unit 42 indicates that Jumpy Pisces is now collaborating with the Play ransomware group, marking a notable shift in their operational tactics.

This incident is particularly significant as it represents the first recorded collaboration between a North Korean state-sponsored group and an underground ransomware network. The implications of this partnership could be far-reaching, as it suggests a growing trend of state-sponsored actors leveraging the capabilities of criminal organizations in pursuit of financial gain.

The Play Ransomware Family

Play ransomware, also known by other names such as Balloonfly and Fiddling Scorpius, has reportedly impacted around 300 organizations as of October 2023. Initially thought to have transitioned to a ransomware-as-a-service (RaaS) model, the operators behind Play have since clarified that this is not the case. Instead, they appear to be operating independently while still maintaining connections with other threat actors.

The incident investigated by Unit 42 revealed that Andariel gained initial access to the target network through a compromised user account in May 2024. This was followed by lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor known as Dtrack.

The Attack Sequence

The attack sequence began with the infiltration of the network using a compromised user account. Following this, the attackers engaged in credential harvesting, privilege escalation, and the uninstallation of endpoint detection and response (EDR) sensors—activities that are characteristic of pre-ransomware operations. The attackers also utilized a trojanized binary capable of harvesting sensitive information such as web browser history, auto-fill data, and credit card details from popular browsers like Google Chrome and Microsoft Edge.

Unit 42 noted that communication with the Sliver C2 server continued until just before the deployment of the Play ransomware, indicating a coordinated effort between the two groups. The C2 IP address associated with this communication went offline on the day the ransomware was deployed, further complicating the investigation.
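The pre-ransomware pattern described above (credential harvesting, privilege escalation, EDR sensor removal, browser data theft, and C2 beaconing that stops right before encryption) is a correlation problem for defenders: no single event is conclusive, but several of them on one host inside a short window is a strong signal. The following is an added example, not code or data from the Unit 42 report, that scores constructed endpoint telemetry per host against those precursors. The log line format, event names, weights and threshold are all assumptions made for illustration; the only real-world detail used is that Chromium-based browsers such as Chrome and Edge store saved logins, autofill data and history in SQLite files named "Login Data", "Web Data" and "History".

```python
"""Score endpoint telemetry for the pre-ransomware precursor pattern.

Everything here (line format, event types, sample lines, weights) is constructed for
illustration and is not Unit 42 data or an indicator from the incident.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed line format: "<iso-ts> host=<h> user=<u> event=<type> detail=<free text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) detail=(?P<detail>.*)$"
)

# (tactic label, event type it applies to, regex over the detail field, weight). Weights are illustrative.
RULES = [
    ("edr_tamper", "service", re.compile(r"(?i)(stop|delete|uninstall).*(edr|sensor)"), 4),
    ("edr_tamper", "process", re.compile(r"(?i)msiexec(\.exe)?\s+/x\b.*(sensor|edr)"), 4),
    ("credential_harvest", "process_access", re.compile(r"(?i)target=lsass\.exe"), 3),
    # Chromium browsers keep logins, autofill/payment data and history in these SQLite files.
    ("credential_harvest", "file", re.compile(r"(?i)\\(Login Data|Web Data|History)\s*$"), 2),
    ("privilege_escalation", "privilege", re.compile(r"(?i)SeDebugPrivilege"), 2),
]
BEACON_MIN_CONNECTIONS = 5   # same host -> same destination this many times counts as beaconing
BEACON_WEIGHT = 3
ALERT_THRESHOLD = 6          # assumed value; tune per environment

# Constructed sample telemetry: WS01 shows the full precursor chain, WS02 is benign.
SAMPLE_LOGS = [
    *[f"2024-05-10T09:{m:02d}:00Z host=WS01 user=alice event=netconn detail=dst=203.0.113.10:443 proc=svchost.exe"
      for m in (5, 10, 15, 20, 25)],
    "2024-05-10T09:30:00Z host=WS01 user=alice event=privilege detail=enabled=SeDebugPrivilege proc=update.exe",
    "2024-05-10T09:31:00Z host=WS01 user=alice event=process_access detail=source=update.exe target=lsass.exe access=PROCESS_VM_READ",
    r"2024-05-10T09:40:00Z host=WS01 user=alice event=file detail=action=read path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    "2024-05-11T22:00:00Z host=WS01 user=alice event=service detail=action=delete name=EdrSensorSvc",
    r"2024-05-11T22:01:00Z host=WS01 user=alice event=process detail=cmd=msiexec.exe /x C:\Temp\EdrSensor.msi /quiet",
    "2024-05-10T10:00:00Z host=WS02 user=bob event=netconn detail=dst=198.51.100.5:443 proc=msedge.exe",
    r"2024-05-10T10:05:00Z host=WS02 user=bob event=file detail=action=read path=C:\Users\bob\Documents\report.docx",
    "this line is malformed and is skipped by the parser",
]


@dataclass
class HostAssessment:
    host: str
    score: int = 0
    hits: list = field(default_factory=list)      # (ts, tactic, detail), chronological
    beacon_dst: Optional[str] = None
    last_beacon: Optional[str] = None             # when C2 traffic stopped: useful for the timeline


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one telemetry line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(lines) -> dict:
    """Score every host seen in `lines`; returns {host: HostAssessment}."""
    results: dict = {}
    conn_counts: Counter = Counter()
    last_seen: dict = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed input is skipped rather than crashing the pipeline
        host = results.setdefault(ev["host"], HostAssessment(ev["host"]))
        for tactic, etype, rx, weight in RULES:
            if ev["event"] == etype and rx.search(ev["detail"]):
                host.score += weight
                host.hits.append((ev["ts"], tactic, ev["detail"]))
        if ev["event"] == "netconn":
            m = re.search(r"dst=(\S+)", ev["detail"])
            if m:
                key = (ev["host"], m.group(1))
                conn_counts[key] += 1
                last_seen[key] = ev["ts"]
    # Repeated connections to one destination are scored once per (host, destination).
    for (host, dst), n in conn_counts.items():
        if n >= BEACON_MIN_CONNECTIONS:
            a = results[host]
            a.score += BEACON_WEIGHT
            a.beacon_dst, a.last_beacon = dst, last_seen[(host, dst)]
            a.hits.append((a.last_beacon, "c2_beaconing", f"{n} connections to {dst}"))
    for a in results.values():
        a.hits.sort()
    return results


def hosts_at_risk(lines, threshold: int = ALERT_THRESHOLD) -> list:
    """Hosts whose precursor score meets the threshold, highest score first."""
    ranked = sorted(assess(lines).items(), key=lambda kv: -kv[1].score)
    return [h for h, a in ranked if a.score >= threshold]


if __name__ == "__main__":
    for h, a in assess(SAMPLE_LOGS).items():
        print(f"{h}: score={a.score} last_beacon={a.last_beacon}")
        for ts, tactic, detail in a.hits:
            print(f"  {ts} {tactic}: {detail}")
    print("at risk:", hosts_at_risk(SAMPLE_LOGS))
```

The point of recording `last_beacon` is the timeline observation in the text: when C2 traffic to one destination stops at the same time EDR tampering begins, the encryption stage is usually imminent, so that combination is worth paging on rather than ticketing. In production the beacon rule would exclude known-good destinations and use an actual inter-arrival-time analysis instead of a raw connection count.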

Unraveling the Collaboration

While it remains unclear whether Jumpy Pisces has officially become an affiliate of the Play ransomware group or if they acted as an initial access broker (IAB) by selling network access to Play actors, the evidence suggests a strong connection between the two. The ongoing communication with the Sliver C2 server until the day of the ransomware deployment raises questions about the nature of their collaboration.

As cybersecurity experts continue to analyze this incident, it is evident that the landscape of cyber threats is evolving. The collaboration between state-sponsored groups and underground ransomware networks could lead to more sophisticated and financially motivated attacks in the future.

Conclusion

The recent collaboration between North Korean threat actors and the Play ransomware group underscores the increasing complexity of cyber threats. As state-sponsored groups like Jumpy Pisces seek to enhance their financial capabilities through partnerships with criminal organizations, the potential for widespread disruption grows. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by these evolving threats.
