Play Ransomware Engagement
Oct. 30, 2024, 10:33 p.m.
Tags
Description
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group, marking a shift in their tactics. This is the first observed instance of Jumpy Pisces using existing ransomware infrastructure, potentially acting as an initial access broker or an affiliate. The attack timeline spans from May to September 2024, involving initial access through a compromised user account, lateral movement, and persistence using tools like Sliver and DTrack. The incident culminated in the deployment of Play ransomware in early September. This collaboration signals deeper involvement of North Korean threat actors in the broader ransomware landscape, potentially leading to more widespread and damaging attacks globally.
Date
Published: Oct. 30, 2024, 4:32 p.m.
Created: Oct. 30, 2024, 4:32 p.m.
Modified: Oct. 30, 2024, 10:33 p.m.
Attack Patterns
Software: Dtrack (S0567), Mimikatz, Sliver
Intrusion set: Jumpy Pisces
Techniques (MITRE ATT&CK):
T1021.002 Remote Services: SMB/Windows Admin Shares
T1550.002 Use Alternate Authentication Material: Pass the Hash
T1021.004 Remote Services: SSH
T1078.002 Valid Accounts: Domain Accounts
T1021.001 Remote Services: Remote Desktop Protocol
T1078.003 Valid Accounts: Local Accounts
T1136 Create Account
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1555 Credentials from Password Stores
T1562.001 Impair Defenses: Disable or Modify Tools
T1486 Data Encrypted for Impact
T1082 System Information Discovery
T1083 File and Directory Discovery
T1570 Lateral Tool Transfer
T1078 Valid Accounts
T1068 Exploitation for Privilege Escalation
T1003 OS Credential Dumping