North Korean hackers linked to Play ransomware attacks
Jumpy Pisces, a North Korean state-sponsored threat actor also known as Onyx Sleet or Andariel, has recently shifted its focus to ransomware attacks, experts warn.
In a recent technical analysis, researchers from Unit 42 said that while Jumpy Pisces had previously focused on cyber espionage and financial crimes, it has recently collaborated with the infamous Play Ransomware group (also known as Fiddling Scorpius).
Play emerged in the summer of 2022 and has since grown into a formidable threat actor – so much so that the FBI warned about this group in December 2023, claiming it had compromised around 300 victims in the first year and a half of its existence. .
Initial Entry Brokers
“Since June 2022, the Play (also known as Playcrypt) ransomware group has affected a wide range of businesses and critical infrastructure in North America, South America and Europe,” the agency said at the time. “As of October 2023, the FBI was aware of approximately 300 affected entities that were allegedly being exploited by the ransomware actors.”
The role Jumpy Pisces plays in this partnership has not yet been definitively determined, but it is very likely that it acts as an Initial Access Broker (IAB), opening the doors of Play operators to various victims.
Unit 42 believes this change is significant as it shows Jumpy Pisces is becoming increasingly involved in ransomware activities and is leveraging existing ransomware infrastructure rather than building its own. That makes the attacks more sophisticated and possibly more widespread.
However, BleepingComputer added that an average ransomware attack involves multiple parties. Most ransomware variants today operate on an ‘as-a-service’ model, meaning that it is not the developers who infect the victims, and the two ultimately split the final profits. Add IAB to the mix and now there are at least three separate threat actors involved in a single attack.
In any case, companies must be extra vigilant, the researchers conclude, warning that this new collaboration could lead to serious ransomware infections.