North Korean Group Joins Forces with Play Ransomware in Major Cyber Attack

North Korean threat actors have recently deployed the known ransomware family called Play, highlighting their financial motivations.

Between May and September 2024, activity linked to a threat actor known as Jumpy Pisces, also referred to as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly, was observed.

"We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group," stated Palo Alto Networks Unit 42 in a newly published report. This incident is significant as it marks the first recorded collaboration between the North Korean state-sponsored group Jumpy Pisces and an underground ransomware network.

Andariel, active since at least 2009 and affiliated with North Korea's Reconnaissance General Bureau (RGB), has previously deployed other ransomware strains such as SHATTEREDGLASS and Maui. Symantec, part of Broadcom, reported that three U.S. organizations were targeted by the state-sponsored hacking crew in August 2024 in a likely financially motivated attack, although no ransomware was deployed.

Play, a ransomware operation known to have impacted around 300 organizations by October 2023, is also referred to as Balloonfly, Fiddling Scorpius, and PlayCrypt. Despite claims of transitioning to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have denied this on their dark web data leak site.

In the incident investigated by Unit 42, Andariel is believed to have gained initial access through a compromised user account in May 2024. They conducted lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor called Dtrack (also known as Valefor and Preft). These remote tools communicated with their C2 server until early September, ultimately leading to the deployment of Play ransomware.

The deployment was preceded by an unidentified threat actor infiltrating the network using the same compromised user account, performing credential harvesting, privilege escalation, and uninstalling endpoint detection and response (EDR) sensors, all typical pre-ransomware activities.

For further reference

https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
