Play ransomware, first detected in mid-2022, is linked to a threat group identified as “Fiddling Scorpius,” which is suspected to manage both the development and execution of attacks using the ransomware. Contrary to speculation that Fiddling Scorpius may have adopted a ransomware-as-a-service (RaaS) model, the group asserted on its Play ransomware leak site that it operates independently, without providing RaaS services.
In September 2024, Unit 42 responded to a Play ransomware incident impacting one of their clients. Through Unit 42’s investigation, it was confirmed with high confidence that Jumpy Pisces, a North Korean state-sponsored threat group, gained initial access to the network in May 2024 via a compromised user account. This entry point enabled Jumpy Pisces to perform lateral movement and establish persistence, employing the open-source tool Sliver and their custom malware, DTrack. Both tools were distributed to multiple hosts through the Server Message Block (SMB) protocol, maintaining communication with their command-and-control (C2) servers up until the ransomware deployment in early September.
Analysis of Potential Collaboration
Based on Unit 42’s observations, moderate confidence is placed in the likelihood of collaboration between Jumpy Pisces and Play ransomware. The compromised account initially accessed by Jumpy Pisces was later leveraged for Windows access token abuse and SYSTEM privilege escalation through PsExec, ultimately leading to the uninstallation of EDR sensors and ransomware deployment. Notably, Sliver C2 communication continued until the day before the ransomware attack, and the associated IP address went offline immediately after the ransomware deployment, supporting a potential link.
While it is uncertain if Jumpy Pisces acted as an affiliate or simply as an initial access broker (IAB) selling network access to the ransomware operators, this event highlights a notable collaboration between a state-sponsored North Korean group and an underground ransomware network. This alignment could suggest an emerging trend of North Korean groups joining global ransomware campaigns, potentially leading to broader, more destructive attacks on a global scale.
Full research.
