Play Ransomware Engagement

Tags

External References

• https://unit42.paloaltonetworks.com/
• https://unit42.paloaltonetworks.com/
• https://otx.alienvault.com/

Description

Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group, marking a shift in their tactics. This is the first observed instance of Jumpy Pisces using existing ransomware infrastructure, potentially acting as an initial access broker or an affiliate. The attack timeline spans from May to September 2024, involving initial access through a compromised user account, lateral movement, and persistence using tools like Sliver and DTrack. The incident culminated in the deployment of Play ransomware in early September. This collaboration signals deeper involvement of North Korean threat actors in the broader ransomware landscape, potentially leading to more widespread and damaging attacks globally.

Date