Jumpy Pisces, a North Korean state-sponsored group, has been linked to a significant cybersecurity incident involving the Play ransomware group, also known as Fiddling Scorpius. This is the first recorded collaboration between the two entities, raising concerns about an evolving threat landscape. The assessment of this collaboration rests on several key factors: the same compromised account was used for initial access, and a Jumpy Pisces-linked toolset (including Sliver and DTrack) was subsequently spread through the network before the ransomware was deployed. The files used in the attack impersonated files from legitimate entities, using certificates previously linked to Jumpy Pisces.
The intrusion led to the deployment of Play ransomware, but it remains unclear whether Jumpy Pisces has officially become an affiliate of Play ransomware or whether it acted independently by selling network access to Play ransomware actors. If Play ransomware does not provide a Ransomware-as-a-Service (RaaS) ecosystem, as it claims, Jumpy Pisces may have acted only as an initial access broker (IAB). Despite these uncertainties, there is moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group.
In early September, an unidentified threat actor entered the network through the same compromised user account previously used by Jumpy Pisces. The group carried out lateral movement and maintained persistence by spreading the open-source tool Sliver and its unique custom malware, DTrack, to other hosts over the Server Message Block (SMB) protocol. Both the IP address and the corresponding domain involved in the attack have been linked to Jumpy Pisces, further solidifying the connection between the group and this incident.
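The pattern above, one compromised account reused from a single source to push tooling to many hosts over SMB, is one that defenders can look for in Windows Security logs. The following detector is an added example written for this page, not code from the original report or from the researchers who analysed the incident. It assumes standard Windows event IDs (4624 network logons with logon type 3, 5140 network share access); the sample events, the 30-minute window and the three-host threshold are constructed values chosen for illustration, not figures taken from the incident.

```python
"""Flag an account that logs on to many hosts over the network from one
source within a short window, and note which of those hosts also saw
administrative share access (ADMIN$ / C$) by the same account.

Added example; event IDs follow the standard Windows Security log
schema, while the events below are constructed and not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable assumptions for the example (not values from the report).
WINDOW = timedelta(minutes=30)
HOST_THRESHOLD = 3
ADMIN_SHARES = {"ADMIN$", "C$"}  # IPC$ is left out as it is too noisy

# Constructed sample events: one normal user and one account fanning out.
SAMPLE_EVENTS = [
    {"time": "2024-09-03T01:50:00", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\alice", "src_ip": "10.20.0.40", "host": "FILESRV01"},
    {"time": "2024-09-03T02:11:05", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.0.15", "host": "FILESRV01"},
    {"time": "2024-09-03T02:11:40", "event_id": 5140,
     "account": "CORP\\svc_backup", "src_ip": "10.20.0.15", "host": "FILESRV01",
     "share": "\\\\*\\ADMIN$"},
    {"time": "2024-09-03T02:14:12", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.0.15", "host": "WS-ENG-07"},
    {"time": "2024-09-03T02:14:50", "event_id": 5140,
     "account": "CORP\\svc_backup", "src_ip": "10.20.0.15", "host": "WS-ENG-07",
     "share": "\\\\*\\C$"},
    {"time": "2024-09-03T02:19:30", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.0.15", "host": "DC02"},
    {"time": "2024-09-03T02:20:02", "event_id": 5140,
     "account": "CORP\\svc_backup", "src_ip": "10.20.0.15", "host": "DC02",
     "share": "\\\\*\\ADMIN$"},
    # Interactive logon (type 2) on the account's own workstation: not counted.
    {"time": "2024-09-03T02:25:00", "event_id": 4624, "logon_type": 2,
     "account": "CORP\\svc_backup", "src_ip": "-", "host": "WS-OPS-01"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def share_name(share):
    """Reduce '\\\\*\\ADMIN$' to 'ADMIN$' for comparison."""
    return share.rsplit("\\", 1)[-1].upper()


def detect_smb_fanout(events, window=WINDOW, host_threshold=HOST_THRESHOLD):
    """Return one finding per (account, src_ip) pair that logs on to at least
    host_threshold distinct hosts over the network within `window`."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    logons = defaultdict(list)     # (account, src_ip) -> [(time, host)]
    admin_hits = defaultdict(set)  # (account, src_ip) -> {host}

    for e in events:
        key = (e["account"], e["src_ip"])
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[key].append((parse_time(e["time"]), e["host"]))
        elif e["event_id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES:
            admin_hits[key].add(e["host"])

    findings = []
    for key, entries in logons.items():
        # Slide a window over the time-ordered logons; report the first hit.
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                findings.append({
                    "account": key[0],
                    "src_ip": key[1],
                    "first_seen": t0.isoformat(),
                    "hosts": sorted(hosts),
                    "admin_share_hosts": sorted(hosts & admin_hits[key]),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_smb_fanout(SAMPLE_EVENTS):
        print(finding)
```

Keying on the (account, source IP) pair rather than the account alone separates a single machine fanning out across the estate from a service account that is legitimately used from many places; the admin-share correlation is what distinguishes tool deployment from ordinary file access. In production the thresholds would be tuned per environment and the events read from a SIEM rather than an inline list.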
Description last updated: 2024-10-30T16:02:40.165Z