
North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack


North Korean cyber crooks have apparently teamed up with the Play ransomware crew, which is definitely not cool. This shady business went down between May and September of 2024, and it's a big deal because it shows these North Korean hackers are now squarely focused on making serious money.

This crew, which goes by a long list of names including Jumpy Pisces, Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet, and Stonefly, has been playing in the cyber-crime sandbox for ages. Palo Alto Networks' Unit 42, a team of seasoned threat researchers, assesses with moderate confidence that either Jumpy Pisces as a whole, or some of its members, are now working hand in hand with the Play ransomware gang. This is a first for them: teaming up with an underground ransomware network like this.


Andariel, active since at least 2009 and tied to North Korea's intelligence service, the Reconnaissance General Bureau (RGB), has used some nasty malware before, like SHATTEREDGLASS and Maui. They even had a go at three U.S. companies in August 2024, but they didn't deploy ransomware that time. It looks like they're out to make a quick buck.

The Play ransomware guys are no newbies; they had hit about 300 organizations by October 2023. They go by several aliases too, like Balloonfly, Fiddling Scorpius, and PlayCrypt. Some folks thought they were going the "ransomware-as-a-service" route, but the gang denied it on its dark web site.

So, here's what Unit 42 figured out: Andariel snuck in through a compromised user account in May 2024. They set up camp with Sliver and Dtrack, remote-control tooling that let them run things from afar. For a while they were all about harvesting credentials and moving laterally across the network, which is exactly what attackers do before they start locking everything down with ransomware. They even dropped a custom browser info-stealer that grabbed password manager secrets and credit card numbers.

What's interesting is that the IP address (172.96.137[.]224) they were using to control their tools went offline right before the ransomware was launched. It's not totally clear whether Jumpy Pisces is now a full-fledged Play affiliate or just sold them initial access to the network, but either way, they're working together.
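As an added example that is not part of the original post, here is a small Python check that refangs the defanged C2 indicator quoted above and sweeps a few constructed firewall log lines for outbound connections to it, reporting which internal hosts talked to it and when. The log format, internal host addresses and timestamps are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Command-and-control address quoted in the post, in defanged form.
DEFANGED_C2 = "172.96.137[.]224"

# Constructed sample log lines (not real telemetry); the format is an assumption:
# <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
SAMPLE_LOGS = """\
2024-06-03T09:12:41Z src=10.0.5.21 dst=172.96.137.224 dport=443 action=allow
2024-06-03T09:12:58Z src=10.0.5.21 dst=142.250.80.46 dport=443 action=allow
2024-06-04T22:07:10Z src=10.0.7.88 dst=172.96.137.224 dport=8443 action=allow
2024-06-05T01:30:02Z src=10.0.7.88 dst=172.96.137.224 dport=8443 action=deny
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 172.96.137[.]224 into a matchable IP."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_c2_contacts(log_text: str, c2_ip: str) -> dict:
    """Return {internal_src: [(timestamp, dport, action), ...]} for every
    log line whose destination is the C2 address. Denied attempts are kept
    too: a beacon that was blocked still tells you the host is infected."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["dst"] == c2_ip:
            hits[m["src"]].append((m["ts"], int(m["dport"]), m["action"]))
    return dict(hits)


if __name__ == "__main__":
    c2 = refang(DEFANGED_C2)
    for host, events in find_c2_contacts(SAMPLE_LOGS, c2).items():
        print(f"{host}: {len(events)} contact(s) with {c2}, first seen {events[0][0]}")
```

Because the indicator was retired before the ransomware stage, any hit here marks a host that was already under the group's control during the credential-harvesting phase, so the sweep should cover the weeks before the encryption event, not just the day of it.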

This whole situation is a signal that North Korean hackers may start playing the ransomware game more often to get around those pesky sanctions and fill their coffers. Watch out, internet!
