North Korea’s Andariel Pivots to ‘Play’ Ransomware Games

October 31, 2024 at 11:37AM

North Korea’s Andariel group has begun using Play ransomware, marking their first collaboration with an underground ransomware network. This shift indicates a potential increase in high-impact attacks. Researchers recommend heightened vigilance against future ransomware incidents, as the group remains a significant threat, particularly in sectors vulnerable to cyber attacks.

### Meeting Takeaways:

1. **North Korean Threat Group Activity**: Andariel, a North Korean state-sponsored group, has begun using Play ransomware in collaboration with the Play ransomware network, marking a significant evolution in their attack methods.

2. **Research Findings**:
– Unit 42 from Palo Alto Networks identified Andariel as involved in a recent Play ransomware attack.
– The group previously utilized the Maui ransomware strain but has shifted tactics to join forces with Play ransomware.

3. **Attack Methodology**:
– Initial access to the compromised network was obtained through a user account in May; subsequent lateral movement was achieved using custom malware (such as DTrack) and open-source tooling (such as the Sliver C2 framework).
– The deployment of the Play ransomware occurred several months later.

4. **Ransomware Collaboration**:
– It is unclear whether Andariel acted as an initial access broker (IAB) or as a Play affiliate, though current indications suggest they primarily functioned as an IAB.
– Evidence of collaboration includes the use of a compromised account for both network access and deploying the ransomware.

5. **Increased Cyber Threat Landscape**: This development signals a potential increase in high-impact ransomware attacks globally, emphasizing the need for vigilance among cybersecurity professionals.

6. **Need for Vigilance**:
– The incident illustrates how North Korean threat groups may expand their operations in the ransomware landscape, highlighting the necessity for enhanced cybersecurity measures.
– The attack revealed specific methods, such as abusing Windows access tokens and the mass uninstallation of EDR sensors.

7. **International Response**:
– Andariel’s activities are under scrutiny from international law enforcement and intelligence agencies, including the NSA, which regard the group as a significant threat.
– The U.S. Department of State offers a reward for information on key figures in the group.

8. **Indicators of Compromise (IoCs)**: Researchers suggest organizations stay updated with IoC lists and apply advanced threat intelligence tools to safeguard networks against Andariel’s malicious activities.

9. **Conclusion**: The article underscores the pressing need for businesses and cyber defenders to stay alert to the evolving tactics of state-sponsored groups like Andariel, particularly in the context of ransomware threats.