North Korean threat actors have been linked to a recent incident involving the known Play ransomware family, underscoring their financial motives.
The activity, observed between May and September 2024, has been attributed to a threat actor tracked by Unit 42 as Jumpy Pisces and also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.
Palo Alto Networks' threat hunting team, Unit 42, said in a new report that it assesses with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware gang.
“This landmark event holds significance due to its unprecedented partnership between Jumpy Pisces, a North Korea-backed entity, and an anonymous ransomware collective.”
Andariel, active since at least 2009, is assessed to be affiliated with North Korea's Reconnaissance General Bureau. The group has previously been observed deploying two other ransomware strains.
In recent weeks, Symantec, part of Broadcom, reported that three organizations in the United States were targeted by the state-sponsored group in August 2024 in what is believed to have been a financially motivated attack, although no ransomware was deployed on their networks.
Play, for its part, is estimated to have impacted roughly 300 organizations as of October 2023. It is also tracked as Balloonfly, Fiddling Scorpius, and PlayCrypt.
While Adlumin revealed in December that the operation may have shifted to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since stated on their dark web data leak site that this is not the case.
In the incident investigated by Unit 42, Andariel obtained initial access through a compromised user account in May 2024, then carried out lateral movement and persistence using the Sliver command-and-control (C2) framework and a custom backdoor also known as "Valefor" and "Preft".
"These remote tools continued to communicate with their command-and-control (C2) server until early September," Unit 42 noted. This activity ultimately led to the deployment of Play ransomware.
Before the Play ransomware was deployed, an unknown threat actor used a compromised user account to access the network, harvest credentials, escalate privileges, and uninstall endpoint detection and response (EDR) sensors – all hallmarks of pre-ransomware activity.
The intruders also used a trojanized binary designed to steal browsing history, autofill data, and credit card details from Google Chrome, Microsoft Edge, and Brave.
According to Unit 42, the link between Andariel and Play rests on the fact that the systems compromised in both intrusions were in constant communication with the Sliver C2 server (172.96.137.224) until the day before the ransomware deployment. The C2 IP address went offline from the moment of deployment onwards.
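The correlation Unit 42 describes, the same C2 address contacted by hosts from both intrusions right up to the day before encryption, is the kind of check a defender can run over their own outbound connection logs. The following script is an added example and is not code from Unit 42 or the article: it parses a constructed log sample (the five-field line format is an assumption, not any product's schema), records first and last contact per host with the indicator IP named in the report, and flags hosts whose last beacon falls within a short window before an assumed deployment timestamp.

```python
"""
Added example (not from Unit 42 or the article): correlate outbound connection
logs against the C2 indicator from the report (172.96.137.224), find which hosts
beaconed to it, and relate each host's last contact to the ransomware deployment.
"""
from datetime import datetime, timedelta

# Indicator as quoted in the article; the set form allows adding more later.
C2_INDICATORS = {"172.96.137.224"}

# Assumed deployment time for the example; a real investigation takes this from
# the first observed encryption or ransom-note write.
DEPLOYMENT_TIME = datetime(2024, 9, 5, 0, 0, 0)

# Constructed sample log lines (timestamp src_host dst_ip dst_port action);
# the hostnames, times and the 203.0.113.10 / 10.0.0.5 addresses are made up.
SAMPLE_LOG = """\
2024-08-20T12:00:00Z WS-HR-02 172.96.137.224 443 ALLOW
2024-08-30T02:15:11Z WS-FIN-07 172.96.137.224 443 ALLOW
2024-08-30T02:16:40Z WS-FIN-07 203.0.113.10 443 ALLOW
2024-09-01T09:01:03Z SRV-FILE-01 172.96.137.224 443 ALLOW
2024-09-03T22:47:19Z WS-FIN-07 172.96.137.224 443 ALLOW
2024-09-03T23:10:00Z SRV-FILE-01 172.96.137.224 443 ALLOW
2024-09-05T01:30:00Z SRV-FILE-01 10.0.0.5 445 ALLOW
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into (timestamp, host, dst_ip, port); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_text, host, dst_ip, port, _action = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        return ts, host, dst_ip, int(port)
    except ValueError:
        return None


def c2_contacts(log_text, indicators=C2_INDICATORS):
    """Return {host: (first_seen, last_seen, count)} for hosts that reached an indicator."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, dst_ip, _port = rec
        if dst_ip not in indicators:
            continue
        first, last, n = seen.get(host, (ts, ts, 0))
        seen[host] = (min(first, ts), max(last, ts), n + 1)
    return seen


def flag_pre_ransomware_beacons(contacts, deployment_time=DEPLOYMENT_TIME, window_days=2):
    """
    Return {host: gap} for hosts whose last C2 contact lies within `window_days`
    before deployment. This mirrors the pattern in the report: beaconing continued
    until the day before encryption, then the C2 went silent. Hosts whose last
    contact was long before deployment are reported separately by the caller.
    """
    flagged = {}
    for host, (_first, last, _n) in contacts.items():
        gap = deployment_time - last
        if timedelta(0) <= gap <= timedelta(days=window_days):
            flagged[host] = gap
    return flagged


if __name__ == "__main__":
    contacts = c2_contacts(SAMPLE_LOG)
    for host, (first, last, n) in sorted(contacts.items()):
        print(f"{host}: {n} contact(s), first {first:%Y-%m-%d %H:%M}, last {last:%Y-%m-%d %H:%M}")
    for host, gap in flag_pre_ransomware_beacons(contacts).items():
        print(f"FLAG {host}: last C2 contact {gap} before deployment")
```

The two-day window is a tunable assumption; the useful output for an investigation is the per-host last-contact time, which lets an analyst confirm whether hosts from what looked like separate intrusions were in fact talking to the same infrastructure on the same timeline.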
Whether Jumpy Pisces has formally become an affiliate of Play ransomware or acted as an initial access broker (IAB), selling network access to the Play ransomware actors, remains unclear, Unit 42 concluded. "If Play ransomware hadn't established a RaaS ecosystem, it's possible that Jumpy Pisces would merely have functioned as an IAB."