Researchers have identified North Korean-affiliated threat actors collaborating with the Play ransomware group in a recent cyber attack. This development suggests an evolving strategy where North Korean hackers leverage ransomware operations to achieve financially motivated goals.
The activity, tracked from May to September 2024, is attributed to the North Korean group Jumpy Pisces, also known by aliases including Andariel, APT45, and DarkSeoul. This marks the first recorded collaboration between a North Korean state-sponsored group and an underground ransomware network.
Jumpy Pisces, active since at least 2009 and linked to North Korea’s Reconnaissance General Bureau, has previously used ransomware strains like SHATTEREDGLASS and Maui.
In this latest attack, however, they appear to have aligned with the Play ransomware group, also tracked under monikers such as Balloonfly and PlayCrypt, which has impacted around 300 organizations globally. Reports indicate that the Play group, previously rumored to operate under a ransomware-as-a-service (RaaS) model, denies this classification on its dark web platform.
In the incident analyzed, Jumpy Pisces gained access to the target network in May 2024 through a compromised user account. They then established persistence and moved laterally, utilizing the Sliver command-and-control (C2) framework and a custom backdoor known as Dtrack.
The compromised C2 server continued communicating with the attackers’ network until early September, ultimately facilitating the deployment of the Play ransomware. This deployment was executed following credential harvesting, privilege escalation, and deactivation of security tools—classic steps taken in ransomware attacks.
The attackers also deployed a trojanized binary capable of stealing web browser data, including browsing history, auto-fill information, and stored credit card details from browsers like Chrome, Edge, and Brave.
The shared use of the compromised account and C2 infrastructure highlights a potential alliance or operational overlap between Jumpy Pisces and Play ransomware actors. Communication with the compromised C2 IP address persisted until the day before the ransomware was activated, after which the C2 address went offline.
Researchers note that this collaboration signals a troubling escalation in North Korean cyber activities, as ransomware may offer a lucrative revenue stream amidst international sanctions. While it’s unclear whether Jumpy Pisces officially partnered with Play ransomware or simply acted as an initial access broker, the incident points to the possibility of future large-scale ransomware campaigns involving North Korean actors.
To counter such sophisticated ransomware campaigns, organizations should implement robust multi-factor authentication, monitor user accounts for suspicious activity, and deploy network segmentation to limit lateral movement. Employing advanced threat detection tools and regular patching can further reduce exposure.
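The months-long communication between one compromised host and a single C2 address described above is the kind of pattern that flow or proxy logs can surface. The following is an added example, not code from the researchers' report: it flags internal hosts that contact a rarely used external destination on most days of a long window. The record layout, addresses, dates and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

def build_sample_flows():
    """Constructed flow records (timestamp, internal src, external dst).
    Addresses are RFC 5737 documentation ranges, not incident indicators."""
    flows, start = [], date(2024, 5, 20)
    for d in range(107):
        day = start + timedelta(days=d)
        # One host talking to one rare destination every day for months.
        flows.append((f"{day}T03:1{d % 10}:00", "10.0.5.23", "203.0.113.77"))
        # A popular service reached daily by many hosts (benign baseline).
        for h in range(1, 9):
            flows.append((f"{day}T09:00:00", f"10.0.5.{h}", "198.51.100.10"))
    for d in range(3):  # A rare but short-lived destination.
        flows.append((f"{start + timedelta(days=d)}T14:00:00", "10.0.5.40", "192.0.2.55"))
    return flows

def long_dwell_rare_destinations(flows, as_of, min_days=30, max_sources=2, min_coverage=0.8):
    """Flag (src, dst) pairs that are active on most days of a long window
    while the destination is contacted by very few internal hosts."""
    active = defaultdict(set)   # (src, dst) -> dates with traffic
    sources = defaultdict(set)  # dst -> internal hosts that reached it
    for ts, src, dst in flows:
        active[(src, dst)].add(datetime.fromisoformat(ts).date())
        sources[dst].add(src)
    findings = []
    for (src, dst), days in active.items():
        first, last = min(days), max(days)
        span = (last - first).days + 1
        if span < min_days or len(days) / span < min_coverage:
            continue  # too brief or too sporadic to look like a standing channel
        if len(sources[dst]) > max_sources:
            continue  # widely used destination, likely a shared service
        findings.append({"src": src, "dst": dst, "first_seen": first, "last_seen": last,
                         "span_days": span, "silent_days": (as_of - last).days})
    return sorted(findings, key=lambda f: f["span_days"], reverse=True)

if __name__ == "__main__":
    for f in long_dwell_rare_destinations(build_sample_flows(), as_of=date(2024, 9, 10)):
        print(f)
```

The `silent_days` field shows how long a previously steady channel has been quiet, which matters here because the C2 address went offline once the ransomware was activated.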