The North Korean cyber group Jumpy Pisces recently collaborated with the Play ransomware network in an attack. The link-up is the first recorded instance of North Korean state-backed hackers using an existing ransomware infrastructure, a development with implications for global cybersecurity.
Espionage and Financial Crimes
Traditionally known for espionage and cybercrime, Jumpy Pisces is tied to North Korea’s Reconnaissance General Bureau, an intelligence agency linked to past cyberattacks on both government and corporate entities. The group, also known as Andariel or Onyx Sleet, has previously focused on custom malware development. Recent investigations suggest a change in approach. Jumpy Pisces has now aligned with Play ransomware, also called Fiddling Scorpius, moving past proprietary malware to collaborate within the ransomware space. This development is unique for a group that has previously executed custom-developed ransomware, like the Maui strain, on behalf of the North Korean government. Unit 42, the cybersecurity division of Palo Alto Networks, identified this change in tactics during an investigation for a client impacted by Play ransomware in September 2024. While it remains unclear whether Jumpy Pisces officially joined Play or simply acted as an Initial Access Broker (IAB) by facilitating network access, this alliance shows an unexpected level of cooperation between a North Korean state-sponsored threat and a financially motivated ransomware network.
How Jumpy Pisces Enabled Play Ransomware Deployment
The Unit 42 investigation revealed a timeline of events from initial network access in May 2024 to the eventual deployment of Play ransomware in September. Attackers first gained entry through a compromised user account, allowing Jumpy Pisces to establish persistence by deploying DTrack malware and the open-source tool Sliver. DTrack, a custom infostealer, compresses stolen data and disguises it as a harmless GIF file to bypass detection. Sliver, often used as a command-and-control (C2) tool in penetration tests, was then used to monitor network activity. Throughout this period, Jumpy Pisces moved across the network using the SMB (Server Message Block) protocol to propagate malicious files and maintain access. By early September, another unknown actor, likely Play ransomware, entered the network through the same compromised account. After gaining credentials and disabling endpoint detection and response (EDR) systems, they deployed Play ransomware, marking the incident as a crossover between espionage-oriented and financially driven actors.
Tools and Tactics Used in the Attack
During their investigation, Unit 42 noted several tools and techniques that Jumpy Pisces employed to maintain access and enable the Play ransomware deployment. In addition to DTrack and Sliver, the attackers used credential-dumping tools, including a customized version of Mimikatz, known for harvesting usernames and passwords stored in system memory. They also deployed a trojan designed to steal autofill data, credit card details, and browser history from the Chrome, Edge, and Brave browsers, saving the harvested data in the system’s temporary directory. Both Jumpy Pisces and Play ransomware actors relied on the compromised account’s Windows access tokens, a technique that enabled them to bypass authentication measures. This account was also used to execute PsExec commands for escalating to SYSTEM-level privileges, which allowed the attackers to uninstall EDR software across the network. Unit 42 stated that the Sliver C2 server remained active until the day Play ransomware was executed, suggesting coordinated timing between Jumpy Pisces and Play ransomware operators.
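The sequence described above (an executable pushed over SMB, a PsExec service install, then an EDR uninstall under SYSTEM) is the kind of chain a defender would correlate in Windows event logs. The following detection is an added example, not code from the original article or from Unit 42's report; the event records, host names and the EDR product GUID are constructed placeholders, while the event IDs and field names follow the real Windows Security/System log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 5145 = file accessed on a
# network share, 7045 = service installed, 4688 = process created.
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T01:10:00", "id": 5145, "host": "FILESRV01",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe"},
    {"ts": "2024-09-02T01:10:05", "id": 7045, "host": "FILESRV01",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-09-02T01:12:30", "id": 4688, "host": "FILESRV01",
     "cmdline": "msiexec.exe /x {EDR-PRODUCT-GUID-PLACEHOLDER} /qn"},
    {"ts": "2024-09-02T03:00:00", "id": 4688, "host": "WKS-22",
     "cmdline": "notepad.exe report.txt"},
]

CHAIN = ["smb_drop", "psexec_service", "uninstall"]  # expected order of stages

def classify(ev):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    if ev["id"] == 5145 and ev.get("share", "").upper().endswith("ADMIN$") \
            and ev.get("target", "").lower().endswith(".exe"):
        return "smb_drop"          # executable written to an admin share over SMB
    if ev["id"] == 7045 and ev.get("service", "").upper().startswith("PSEXESVC"):
        return "psexec_service"    # PsExec service installed, runs as SYSTEM
    if ev["id"] == 4688:
        cmd = ev.get("cmdline", "").lower()
        if ("msiexec" in cmd and "/x" in cmd) or "uninstall" in cmd:
            return "uninstall"     # silent uninstall, e.g. of an EDR agent
    return None

def find_chains(events, window_minutes=30):
    """Return {host: CHAIN} for every host on which all three stages appear in
    order within `window_minutes`; hosts with a partial chain are not reported."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, seq in per_host.items():
        # index of the first occurrence of each stage on this host
        idx = [next((i for i, (_, s) in enumerate(seq) if s == st), None) for st in CHAIN]
        if None in idx or idx != sorted(idx):
            continue               # a stage is missing or out of order
        if seq[idx[-1]][0] - seq[idx[0]][0] <= timedelta(minutes=window_minutes):
            hits[host] = list(CHAIN)
    return hits

if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

In practice the same logic would run over events pulled from a SIEM, keyed additionally on the account name so that one compromised account driving the chain across many hosts stands out.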
Unit 42 cautions that this alliance could pave the way for more ransomware campaigns led by state-backed actors, expanding the types of targets vulnerable to these attacks. Play ransomware has already impacted hundreds of organizations globally since its emergence in 2022.
Image credits: Grispb, AdobeStock.com