North Korean Group Partners with Play Ransomware in Major Cyber Attack

North Korean Threat Actors Collaborate with Play Ransomware: A New Era of Cybercrime

Threat actors linked to North Korea have been tied to a recent intrusion that ended with the deployment of the Play ransomware family. The activity, observed between May and September 2024, shows state-backed operators working alongside a financially motivated ransomware crew. The group behind it is tracked by Palo Alto Networks' Unit 42 as Jumpy Pisces and is known by other vendors' aliases, including Andariel, APT45, and DarkSeoul.

The Emergence of Jumpy Pisces

Jumpy Pisces has been active since at least 2009 and is affiliated with North Korea's Reconnaissance General Bureau (RGB). The group has deployed ransomware of its own before, including the SHATTEREDGLASS and Maui strains. What is new in the Unit 42 report is that Jumpy Pisces is working with Play, an established underground ransomware operation rather than a strain under its own control: the first time the group has been observed cooperating with a criminal ransomware network. The partnership shows how far the financial motivations of state-sponsored actors now overlap with those of ordinary cybercrime.

The Play Ransomware Family

Play ransomware, also tracked as Balloonfly and Fiddling Scorpius, had affected approximately 300 organizations as of October 2023. The group was at one point reported to have moved to a ransomware-as-a-service (RaaS) model, a claim it has since denied, asserting that it operates independently. Play intrusions follow the familiar pattern of gaining a foothold, spreading through the network, encrypting data, and demanding a ransom for the decryption keys.

The Attack Timeline

The incident investigated by Unit 42 began in May 2024, when Jumpy Pisces gained initial access to the target network through a compromised user account. The group then moved laterally and established persistence using the open-source Sliver command-and-control (C2) framework and Dtrack, a custom backdoor associated with the group. Communication with the Sliver C2 server continued until early September, when Play ransomware was deployed.

The deployment was preceded by the pre-ransomware activity typical of a planned intrusion: credential harvesting, privilege escalation, and the uninstallation of endpoint detection and response (EDR) sensors. Removing EDR coverage before encryption maximizes the chance that the ransomware runs to completion and minimizes the chance of the operators being detected in the final stage.

The Role of Compromised Accounts

A central piece of evidence in this incident is that the same compromised user account was used first by Jumpy Pisces and later by the Play operators. That account provided the foothold and was reused throughout the intrusion. The Sliver C2 communication, which stopped on the day the ransomware was deployed, is the other link between the two actors, and together these observations are what raise the question of how closely they were coordinating.
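The behaviours in the timeline above (one compromised account spreading across hosts, credential access against LSASS, and EDR sensor removal just before encryption) are the kind of activity a defender can hunt for in endpoint and authentication telemetry. The following Python triage script is an added example, not code from the Unit 42 report or from any vendor; the event schema, the EDR service names, the allowlisted processes, the uninstall patterns, and the sample events are all constructed assumptions for illustration.

```python
"""Triage constructed endpoint/auth events for three pre-ransomware behaviours:
account spread across hosts, credential access against LSASS, EDR removal.

Event schema, service names, allowlists, thresholds and the sample events
below are assumptions made for this example, not data from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: service names an organisation would register for its own EDR agent.
EDR_SERVICE_NAMES = {"edr-sensor", "edragent"}

# Assumed: command-line fragments that remove an installed package or service.
UNINSTALL_PATTERNS = [
    re.compile(r"msiexec(\.exe)?\s+/x", re.I),
    re.compile(r"\bsc(\.exe)?\s+delete\b", re.I),
    re.compile(r"uninstall", re.I),
]

# Assumed: Windows system processes that legitimately open handles to LSASS.
LSASS_ALLOWED_SOURCES = {"svchost.exe", "csrss.exe", "wininit.exe", "services.exe"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def finding(rule, event, detail):
    return {"rule": rule, "ts": parse_ts(event["ts"]), "host": event["host"], "detail": detail}


def detect_edr_removal(events):
    """Flag service deletions or uninstall commands that name the EDR agent."""
    out = []
    for e in events:
        if e["type"] == "service_removed" and e["service"].lower() in EDR_SERVICE_NAMES:
            out.append(finding("edr_removal", e, f"service {e['service']} removed"))
        elif e["type"] == "process":
            cmd = e["cmdline"]
            names_edr = any(n in cmd.lower() for n in EDR_SERVICE_NAMES)
            if names_edr and any(p.search(cmd) for p in UNINSTALL_PATTERNS):
                out.append(finding("edr_removal", e, f"uninstall command: {cmd}"))
    return out


def detect_credential_access(events):
    """Flag handle access to lsass.exe from a process outside the allowlist."""
    out = []
    for e in events:
        if e["type"] != "process_access" or basename(e["target_image"]) != "lsass.exe":
            continue
        if basename(e["source_image"]) not in LSASS_ALLOWED_SOURCES:
            out.append(finding("credential_access", e, f"{e['source_image']} opened lsass.exe"))
    return out


def detect_account_spread(events, window=timedelta(hours=24), min_hosts=3):
    """Flag an account that logs on to min_hosts distinct hosts inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["host"], e))
    out = []
    for user, logons in by_user.items():
        logons.sort(key=lambda item: item[0])
        for i, (start, _, first) in enumerate(logons):
            hosts = {h for t, h, _ in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                out.append(finding("account_spread", first,
                                   f"{user} logged on to {len(hosts)} hosts within {window}"))
                break  # one finding per account is enough for triage
    return out


def triage(events):
    """Run every rule and return findings in chronological order."""
    results = detect_edr_removal(events) + detect_credential_access(events) + detect_account_spread(events)
    return sorted(results, key=lambda f: f["ts"])


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T09:02:11", "type": "logon", "host": "WS01", "user": "j.doe"},
    {"ts": "2024-05-14T09:40:03", "type": "process", "host": "WS01", "user": "j.doe",
     "cmdline": "notepad.exe C:\\Users\\j.doe\\notes.txt"},
    {"ts": "2024-05-14T11:15:27", "type": "logon", "host": "SRV02", "user": "j.doe"},
    {"ts": "2024-05-14T11:52:40", "type": "logon", "host": "SRV03", "user": "j.doe"},
    {"ts": "2024-05-14T12:03:09", "type": "process_access", "host": "SRV03", "user": "j.doe",
     "source_image": "C:\\Windows\\Temp\\upd.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2024-05-14T12:10:00", "type": "process_access", "host": "SRV03", "user": "SYSTEM",
     "source_image": "C:\\Windows\\System32\\svchost.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2024-09-03T08:21:55", "type": "process", "host": "SRV02", "user": "j.doe",
     "cmdline": "msiexec.exe /x EDRAgent.msi /qn"},
    {"ts": "2024-09-03T08:23:10", "type": "service_removed", "host": "SRV03", "user": "j.doe",
     "service": "edr-sensor"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['host']:6} {f['rule']:18} {f['detail']}")
```

Run stand-alone, the script prints four findings: the account spread in May, the LSASS access from an unexpected binary the same day, and the two EDR-removal events in September. The EDR-removal rule is deliberately the last thing this pipeline is expected to see; in the incident described here, the months-long gap between initial access and sensor removal is where the account-spread and credential-access rules would have had to catch the activity.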

Uncertainty Surrounding Collaboration

Unit 42's report establishes that Jumpy Pisces and Play were active in the same intrusion, but not the nature of the relationship. Jumpy Pisces may have become an affiliate of the Play operation, or it may have acted only as an initial access broker (IAB), selling or handing off its foothold. If Play does not run a RaaS program, as the group claims, the affiliate reading is harder to sustain, and the more likely explanation is that Jumpy Pisces supplied network access and the Play operators did the rest.

Conclusion

The cooperation between a North Korean state-sponsored group and the Play ransomware operation is a notable shift: a group with a history of espionage and its own ransomware is now, at least in this case, feeding or joining a criminal ransomware ecosystem. For defenders the practical lesson comes from the timeline itself. The intrusion ran for roughly four months on a single compromised account, with Sliver C2 traffic, credential harvesting, and privilege escalation all preceding the EDR removal and encryption. Attribution of the final payload matters less than catching that earlier activity, and organizations should tune their monitoring for long-lived account misuse, C2 beaconing, and tampering with endpoint sensors accordingly.

As state-backed and criminal operators converge, threat intelligence that tracks who provides access and who monetizes it, rather than only which ransomware family appears at the end, becomes a more useful basis for prioritizing defenses.
