Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group, marking a shift in its tactics. This is the first observed instance of Jumpy Pisces using existing ransomware infrastructure, potentially acting as an initial access broker or an affiliate. The attack timeline spans from May to September 2024, involving initial access through a compromised user account, lateral movement, and persistence using tools such as Sliver and DTrack. The incident culminated in the deployment of Play ransomware in early September. This collaboration signals deeper involvement of North Korean threat actors in the broader ransomware landscape, potentially leading to more widespread and damaging attacks globally.
Author: AlienVault
Related Tags:
fiddling scorpius
korean people’s army
initial access broker
dtrack
reconnaissance general bureau
Dtrack – S0567
T1550.002
T1078.003
T1021.004
Associated Indicators:
F64DAB23C50E3D131ABCC1BDBB35CE9D68A34920DD77677730568C24A84411C5
99E2EBF8CEC6A0CEA57E591AC1CA56DD5D505C2C3FC8F4C3DA8FB8AD49F1527E
B4F5D37732272F18206242CCD00F6CAD9FBFC12FAE9173BB69F53FFFEBA5553F
B1AC26DAC205973CD1288A38265835EDA9B9FF2EDC6BD7C6CB9DEE4891C9B449
6E95D94D5D8ED2275559256C5FB5FC6D01DA6B46
6624C7B8FAAC176D1C1CB10B03E7EE58A4853F91
540853BEFFB0BA9B26CF305BCF92FAD82599EB3C
879FA942F9F097B74FD6F7DABCF1745A
76CB5D1E6C2B6895428115705D9AC765