North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

October 30, 2024 at 12:00PM

The North Korean threat actor Jumpy Pisces, tracked under several aliases, has collaborated with the Play ransomware group, the first observed collaboration between the two. The incident involved a compromised account, credential harvesting, and deployment of Play ransomware. The nature of the relationship remains unclear: Jumpy Pisces may be a Play affiliate or merely an initial access broker.

### Meeting Takeaways: Ransomware / Threat Intelligence Update

**Date:** October 30, 2024

**Prepared by:** Ravie Lakshmanan

1. **Recent Ransomware Incident**
– The North Korean threat actor Jumpy Pisces (also known as Andariel, among other aliases) is implicated in a ransomware attack using the Play ransomware family.
– This marks a notable collaboration between Jumpy Pisces (state-sponsored) and an underground ransomware group.

2. **Timeline of Activities**
– The activities linked to Jumpy Pisces occurred between May and September 2024.
– Initial access was achieved via a compromised user account in May 2024, leading to lateral movement and preparation for ransomware deployment.

3. **Target Organizations**
– In August 2024, three U.S. organizations were targeted, although ransomware was not deployed; the activity points to a financial motive behind the attacks.

4. **Play Ransomware Characteristics**
– Play ransomware is associated with attacks on approximately 300 organizations as of October 2023.
– Earlier claims that Play had moved to a ransomware-as-a-service (RaaS) model have since been denied by the Play operators.

5. **Attack Methodology**
– Activities included credential harvesting, privilege escalation, and the removal of endpoint detection and response (EDR) tools before the ransomware deployment.
– A trojanized binary was also used to harvest sensitive information such as web browser history and credit card details.

6. **Future Implications**
– Uncertainty remains regarding whether Jumpy Pisces has become an affiliate of the Play ransomware group or if they acted as an Initial Access Broker (IAB), potentially selling network access.
– The connection between Jumpy Pisces and Play ransomware highlights the growing overlap between state-sponsored activity and financially motivated ransomware operations.

**Recommendation:** Track ransomware trends and the tactics used by state-sponsored groups, and factor them into defensive planning.

**Follow-Up Actions:**
– Monitor developments related to Jumpy Pisces and Play ransomware activities.
– Review controls around the techniques identified in this incident: account compromise, credential harvesting, privilege escalation, and removal of EDR tools ahead of ransomware deployment.
