
North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Recent activity attributed to North Korean threat actors points to a working relationship with the Play ransomware group. Between May and September 2024, the North Korean group tracked as Jumpy Pisces (also known as Andariel and DarkSeoul, among other aliases) was linked to the deployment of Play ransomware. According to the researchers who investigated the case, this is the first observed instance of a North Korean state-sponsored group collaborating with an underground ransomware network.

Palo Alto Networks' Unit 42 attributes the activity to Jumpy Pisces, which has been active since at least 2009 and is affiliated with North Korea's Reconnaissance General Bureau (RGB). The group had previously deployed ransomware families such as SHATTEREDGLASS and Maui in financially motivated attacks. In August 2024, Symantec reported that the same group attempted to compromise U.S. organizations, although no ransomware was deployed in those intrusions.

Play ransomware, also tracked as Balloonfly and Fiddling Scorpius, had affected roughly 300 organizations as of October 2023. Cybersecurity firm Adlumin suggested that Play may have moved to a ransomware-as-a-service (RaaS) model; the group subsequently denied this on its dark web site.

In the incident under investigation, Andariel gained initial access through a compromised user account in May 2024, then carried out lateral movement and established persistence using the Sliver command-and-control (C2) framework together with a custom backdoor named Dtrack. Communication with the Sliver C2 server continued until shortly before Play ransomware was deployed.

Key pre-ransomware activities included credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors. The operators also used a trojanized binary built to extract stored data, such as browsing history and autofill entries, from browsers including Chrome and Edge.

Both Andariel and Play used the same compromised accounts, and their activity overlapped in time with the ongoing communication to the Sliver C2 infrastructure. The IP address tied to this activity has also been associated with an SSH service and a web service used to distribute tooling, although how those services were used in this particular intrusion remains unverified.
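The pre-ransomware steps above (EDR removal, browser credential theft) and the sustained Sliver C2 traffic are the points where a defender has the most time to intervene. The following Python script is an added illustration, not code from Unit 42 or from either group's tooling: it runs three simple checks over constructed process and network telemetry. Every hostname, service name, path and IP address in it is an assumption for the example, and the EDR keyword list in particular should be replaced with the real product and service names in your environment.

```python
"""Triage checks for the pre-ransomware activity described above.

Added illustrative code, not from Unit 42 or from Play/Jumpy Pisces tooling.
The telemetry below is constructed; the field layout, process names, service
names and IP addresses are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed process-creation events: (timestamp, host, process, command line).
PROCESS_EVENTS = [
    ("2024-06-03T02:11:08", "HOST-01", "cmd.exe",
     "wmic product where \"name like '%Endpoint Sensor%'\" call uninstall"),
    ("2024-06-03T02:12:30", "HOST-01", "cmd.exe", "sc stop EdrAgentSvc"),
    ("2024-06-03T02:13:40", "HOST-01", "powershell.exe",
     'Copy-Item "C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" C:\\Temp\\ld.db'),
    ("2024-06-03T02:15:02", "HOST-01", "chrome.exe",
     '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=utility'),
    ("2024-06-03T03:00:00", "HOST-02", "msiexec.exe", "/i C:\\Temp\\setup.msi /qn"),
]

# Constructed network-connection events: (timestamp, host, process, destination).
NETWORK_EVENTS = [
    ("2024-06-03T02:15:05", "HOST-01", "chrome.exe", "198.51.100.7:443"),
    ("2024-06-03T02:15:06", "HOST-01", "chrome.exe", "198.51.100.9:443"),
    ("2024-06-03T02:18:44", "HOST-01", "chrome.exe", "198.51.100.7:443"),
    ("2024-06-03T02:20:00", "HOST-01", "powershell.exe", "203.0.113.10:443"),
    ("2024-06-03T02:21:02", "HOST-01", "powershell.exe", "203.0.113.10:443"),
    ("2024-06-03T02:21:58", "HOST-01", "powershell.exe", "203.0.113.10:443"),
    ("2024-06-03T02:23:01", "HOST-01", "powershell.exe", "203.0.113.10:443"),
    ("2024-06-03T02:24:00", "HOST-01", "powershell.exe", "203.0.113.10:443"),
    ("2024-06-03T02:25:03", "HOST-01", "powershell.exe", "203.0.113.10:443"),
]

# Removal verbs plus product words that suggest the target is a security agent.
# In production, replace EDR_HINT with your own EDR's product and service names.
REMOVAL_VERB = re.compile(r"(?i)\b(uninstall|sc\s+(stop|delete)|net\s+stop|taskkill)\b")
EDR_HINT = re.compile(r"(?i)(sensor|edr|endpoint|protection|agent)")

# Chromium credential and cookie stores; the browsers themselves may touch them.
BROWSER_STORE = re.compile(r"(?i)\\(Login Data|Web Data|Cookies)\b")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}


def find_edr_removal(events):
    """Return process events whose command line removes or stops a security agent."""
    return [e for e in events
            if REMOVAL_VERB.search(e[3]) and EDR_HINT.search(e[3])]


def find_browser_cred_access(events):
    """Return process events where a non-browser process reads a browser credential store."""
    return [e for e in events
            if e[2].lower() not in BROWSER_PROCESSES and BROWSER_STORE.search(e[3])]


def find_beaconing(events, min_events=4, max_cv=0.2):
    """Flag (host, process, destination) tuples that connect on a near-constant interval.

    Implants such as Sliver check in on a timer with some jitter, so the
    coefficient of variation (stdev / mean) of the gaps between connections
    stays small; interactive traffic does not. Returns (key, mean gap in
    seconds, cv) for each hit.
    """
    groups = defaultdict(list)
    for ts, host, proc, dst in events:
        groups[(host, proc, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for e in find_edr_removal(PROCESS_EVENTS):
        print("EDR removal:", e)
    for e in find_browser_cred_access(PROCESS_EVENTS):
        print("Browser store access:", e)
    for h in find_beaconing(NETWORK_EVENTS):
        print("Beaconing:", h)
```

On the constructed data the script flags the two agent-removal commands, the PowerShell copy of Chrome's Login Data file, and the powershell.exe connections to 203.0.113.10:443, which arrive roughly every 61 seconds with a small coefficient of variation. The chrome.exe connections fall below the minimum event count and are ignored. Tune `min_events` and `max_cv` to the beacon intervals and jitter your own environment tolerates; a long-running implant with a large jitter setting will need a longer observation window than the six events shown here.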

Despite the apparent cooperation, the exact relationship between Jumpy Pisces and Play remains unclear. It is not known whether Jumpy Pisces has formally joined the Play ransomware operation as an affiliate or whether it acted as an initial access broker, selling access to compromised networks for financial gain.

This incident may indicate that North Korean actors are pursuing broader ransomware operations in response to sanctions and economic pressure, and that their cooperation with criminal groups is becoming more sophisticated and interconnected. As more details of these operational relationships emerge, they may reveal further threat actor alliances that warrant continued scrutiny from defenders.