Play Ransomware Attack Linked To North Korean State-Sponsored Threat Actors
Written by Karolis Liucveikis on
According to a new report by Palo Alto’s Unit 42, North Korean state-sponsored threat actors, tracked by the security firm as Jumpy Pisces but also tracked as Andariel, have been linked to the Play ransomware gang.
Researchers believe this is the first instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group. This also possibly signals deeper involvement in the broader ransomware threat landscape.
The discovery was made in September 2024, when Unit 42 responded to a cyber incident where a client suffered a Play ransomware infection. During the investigation, it was discovered that Jumpy Pisces had gained initial access via a compromised user account in May 2024.
Jumpy Pisces carried out lateral movement and maintained persistence by spreading the open-source tool Sliver to targeted machines. Further, their unique custom malware, DTrack, was also distributed to targeted machines via the Server Message Block (SMB) protocol.
Both pieces of malware were discovered communicating with command-and-control servers until September, when the Play infection kicked off. This was particularly interesting to researchers as the threat actors behind Play have operated as a closed group rather than a Ransomware-as-a-Service (RaaS) that relies on affiliates and initial access brokers to infect victims.
The ransomware group, tracked as Fiddling Scorpius by Unit 42, has been active since the middle of 2022. The group gained a level of notoriety in August 2022 after targeting Argentina’s Judiciary of Córdoba.
They leverage the double extortion tactic against victims and have previously leaked financial and personal details, intellectual property, and other sensitive data. Ransom demands have been as high as 500 bitcoins, with the now customary promise of releasing a decryption tool upon payment.
There have been recent suggestions that the Play group has moved to a RaaS model. However, the group announced on its data leak site that it does not operate a RaaS ecosystem. Whatever the case, in early September, an unidentified threat actor entered the network through the same compromised user account used by Jumpy Pisces.
The threat actor carried out pre-ransomware activities, including credential harvesting, privilege escalation, and the uninstallation of EDR sensors, all in preparation for deploying Play ransomware on the compromised network. This raises the question of the exact level of collaboration between Jumpy Pisces and Fiddling Scorpius.
Jumpy Pisces as Initial Access Broker
Unit 42 researchers assessed that the two threat actors collaborated closely, based on three factors:
- The compromised account that attackers used for initial access and subsequent spreading of the Jumpy Pisces-linked toolset (e.g., Sliver and DTrack) was the same one used prior to ransomware deployment. The ransomware actor leveraged the account to abuse Windows access tokens, move laterally, and escalate to SYSTEM privileges via PsExec. This eventually led to the mass uninstallation of EDR sensors and the onset of Play ransomware activity.
- As highlighted previously, we observed Sliver C2 communication until the day before ransomware deployment. Furthermore, our research also suggests that the C2 IP address 172.96.137[.]224 has been offline since the day attackers deployed Play ransomware in this incident.
- Adlumin’s report on Play ransomware suggests various commonalities in TTPs across multiple attacks they’ve tracked. One such TTP was the presence of its tools in the folder C:\Users\Public\Music. We observed some tools used before ransomware deployment (i.e., TokenPlayer for Windows access token abuse, and PsExec) both located in C:\Users\Public\Music.
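The indicators in the list above translate directly into hunting logic. The following Python script is an added example, not code from the Unit 42 report or from this article: it applies three of those indicators (executables running from C:\Users\Public\Music, PsExec usage, and outbound connections to the reported C2 address 172.96.137[.]224) to a handful of constructed Sysmon-style process and network events, then correlates the hits per account, since the report's central point is that a single compromised account tied the Jumpy Pisces phase and the pre-ransomware phase together. The event field names, the sample hostnames and users, and the sample events themselves are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the Unit 42 findings quoted in the article.
STAGING_DIR = PureWindowsPath(r"C:\Users\Public\Music")
KNOWN_C2 = {ipaddress.ip_address("172.96.137.224")}  # written 172.96.137[.]224 (defanged) in the report
# PsExec binaries: the Sysinternals client and the PSEXESVC service it installs on the remote host.
REMOTE_EXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


@dataclass(frozen=True)
class Finding:
    user: str       # account the event ran under
    indicator: str  # which indicator fired
    detail: str     # image path, command line or connection tuple


def is_under(path_str: str, root: PureWindowsPath) -> bool:
    """True if path_str lies anywhere below root (PureWindowsPath compares case-insensitively)."""
    return root in PureWindowsPath(path_str).parents


def check_event(ev: dict) -> list[Finding]:
    """Apply the three indicators to one Sysmon-style event dict (field names are assumed)."""
    hits = []
    if ev["type"] == "process":
        image = ev["image"]
        if is_under(image, STAGING_DIR):
            hits.append(("staging_dir", image))
        if PureWindowsPath(image).name.lower() in REMOTE_EXEC_IMAGES:
            hits.append(("remote_exec_tool", ev.get("command_line", image)))
    elif ev["type"] == "network":
        try:
            ip = ipaddress.ip_address(ev["dest_ip"])
        except ValueError:
            return []  # malformed address: nothing to match against
        if ip in KNOWN_C2:
            hits.append(("known_c2", f"{ev['image']} -> {ip}:{ev.get('dest_port', '?')}"))
    return [Finding(ev["user"], name, detail) for name, detail in hits]


def scan(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


def accounts_with_multiple_indicators(findings: list[Finding], min_categories: int = 2) -> dict:
    """Accounts under which two or more distinct indicator types fired.

    The report's key observation is that one compromised account carried both the
    Sliver/DTrack activity and the later PsExec/token-abuse phase, so an account
    spanning several indicator categories deserves a closer look."""
    by_user = defaultdict(set)
    for f in findings:
        by_user[f.user].add(f.indicator)
    return {u: sorted(cats) for u, cats in by_user.items() if len(cats) >= min_categories}


# Constructed sample telemetry (not from the incident); hostnames, users and the
# non-C2 address 203.0.113.10 (documentation range) are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "user": r"CORP\svc_backup",
     "image": r"C:\Users\Public\Music\TokenPlayer.exe",
     "command_line": r"C:\Users\Public\Music\TokenPlayer.exe"},
    {"type": "process", "user": r"CORP\svc_backup",
     "image": r"C:\Users\Public\Music\PsExec.exe",
     "command_line": r"PsExec.exe \\FILESRV01 cmd.exe"},
    {"type": "network", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\Temp\update.exe", "dest_ip": "172.96.137.224", "dest_port": 443},
    {"type": "process", "user": r"CORP\jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE report.docx"},
    {"type": "network", "user": r"CORP\jdoe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.indicator}] {f.user}: {f.detail}")
    for user, cats in accounts_with_multiple_indicators(results).items():
        print(f"account {user} spans indicators: {', '.join(cats)}")
```

Two design notes: the path check uses `PureWindowsPath.parents` rather than a string prefix so that `c:\users\public\music\sub\tool.exe` matches regardless of case or nesting, and the C2 match is on a parsed `ip_address` so that a defanged or malformed field cannot produce a false match. In a real deployment the indicators would be loaded from a threat-intel feed rather than hard-coded, and the C2 address in particular should be treated as a point-in-time indicator, since the report notes it went offline on the day of deployment.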
Researchers stated that, at this stage, it is impossible to determine if Jumpy Pisces is now a Play affiliate or simply an initial access broker. As Play, at least according to its developers, does not provide a RaaS, it is safer to assume that the North Korean state-sponsored threat actor acted as an initial access broker. This may prove false in the future if Play becomes a RaaS platform.
Unit 42 concluded,
Either way, this incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network. This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally.
In this regard, it is important to remember that North Korean state-sponsored groups, including the infamous Lazarus group, are not just tasked with cyber espionage and warfare operations. As the hermit state is heavily sanctioned and has nuclear ambitions that need vast funding, these state-sponsored groups are also tasked with committing financial crimes.
From bank fraud to cryptocurrency heists, North Korea has found multiple illicit ways to generate the funding it needs. This includes participation in the broader ransomware landscape.