Play Ransomware Engagement

Oct. 30, 2024, 10:33 p.m.

Description

Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group, marking a shift in their tactics. This is the first observed instance of Jumpy Pisces using existing ransomware infrastructure, potentially acting as an initial access broker or an affiliate. The attack timeline spans from May to September 2024, involving initial access through a compromised user account, lateral movement, and persistence using tools like Sliver and DTrack. The incident culminated in the deployment of Play ransomware in early September. This collaboration signals deeper involvement of North Korean threat actors in the broader ransomware landscape, potentially leading to more widespread and damaging attacks globally.

Date

Published: Oct. 30, 2024, 4:32 p.m.

Created: Oct. 30, 2024, 4:32 p.m.

Modified: Oct. 30, 2024, 10:33 p.m.

Attack Patterns

Dtrack - S0567

Mimikatz

Sliver

Jumpy Pisces

T1021.002

T1550.002

T1021.004

T1078.002

T1021.001

T1078.003

T1136

T1059.003

T1555

T1562.001

T1486

T1082

T1083

T1570

T1078

T1068

T1003