Jumpy Pisces, a North Korean state-sponsored threat group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it is the first recorded instance of such cooperation between Jumpy Pisces and a ransomware network, specifically Play ransomware. The extent of this partnership remains unclear: it is unknown whether Jumpy Pisces has officially become an affiliate of Play ransomware or whether it acted independently as an Initial Access Broker (IAB), selling network access to Play ransomware actors. If, as claimed, Play ransomware does not operate a Ransomware-as-a-Service (RaaS) ecosystem, Jumpy Pisces most likely functioned solely as an IAB.
The intrusion began in May 2024 when Jumpy Pisces gained initial access through a compromised user account. The same account was subsequently used to spread the Jumpy Pisces-linked toolset, including Sliver and DTrack, prior to the deployment of ransomware. Lateral movement and persistence were achieved by pushing these tools to other hosts over the Server Message Block (SMB) protocol. The IP address and corresponding domain associated with this activity have both been linked to Jumpy Pisces, further solidifying the group's involvement in the incident.
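The pattern described above, one compromised account authenticating over the network to many hosts and writing to their administrative shares, is detectable from standard Windows Security events. The following detection logic is an added example written for this page; it is not code from the original report or from the group's toolset. The event shapes, field names and sample log lines are constructed for illustration, and the thresholds (`min_hosts`, `window`) are assumptions to tune per environment.

```python
"""Added example (not from the original report): flag an account that reaches
administrative SMB shares on many distinct hosts within a short window, the
tool-staging pattern described in the text. Sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events in a simplified tuple form:
# (timestamp, event_id, account, target_host, share).
# Event 4624 (logon type 3) is a network logon; 5140 is a network share access.
SAMPLE_EVENTS = [
    ("2024-05-10T09:00:00", 4624, "corp\\svc_backup", "WS-101", None),
    ("2024-05-10T09:00:05", 5140, "corp\\svc_backup", "WS-101", "\\\\*\\ADMIN$"),
    ("2024-05-10T09:01:10", 4624, "corp\\svc_backup", "WS-102", None),
    ("2024-05-10T09:01:12", 5140, "corp\\svc_backup", "WS-102", "\\\\*\\C$"),
    ("2024-05-10T09:02:30", 4624, "corp\\svc_backup", "FS-01", None),
    ("2024-05-10T09:02:31", 5140, "corp\\svc_backup", "FS-01", "\\\\*\\ADMIN$"),
    ("2024-05-10T09:03:00", 4624, "corp\\svc_backup", "DC-01", None),
    ("2024-05-10T09:03:02", 5140, "corp\\svc_backup", "DC-01", "\\\\*\\ADMIN$"),
    ("2024-05-10T09:05:00", 4624, "corp\\alice", "WS-101", None),
    ("2024-05-10T09:05:03", 5140, "corp\\alice", "WS-101", "\\\\*\\Shared"),
    ("2024-05-10T14:00:00", 4624, "corp\\alice", "FS-01", None),
]

# Shares that legitimate users rarely touch but remote tool staging needs.
ADMIN_SHARES = {"ADMIN$", "C$"}


def admin_share_hits(events):
    """Yield (time, account, host) for every admin-share access (event 5140)."""
    for ts, event_id, account, host, share in events:
        if event_id != 5140 or not share:
            continue
        share_name = share.rsplit("\\", 1)[-1].upper()
        if share_name in ADMIN_SHARES:
            yield datetime.fromisoformat(ts), account, host


def find_spreading_accounts(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for accounts that reached admin shares on
    at least `min_hosts` distinct hosts within any span of length `window`."""
    by_account = defaultdict(list)
    for when, account, host in admin_share_hits(events):
        by_account[account].append((when, host))

    flagged = {}
    for account, hits in by_account.items():
        hits.sort()
        # Slide a window starting at each hit; flag on the first that qualifies.
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in find_spreading_accounts(SAMPLE_EVENTS).items():
        print(f"{account}: admin shares on {len(hosts)} hosts -> {', '.join(hosts)}")
```

In the constructed sample only `corp\svc_backup` is flagged: it touches `ADMIN$` or `C$` on four hosts in about three minutes, while `corp\alice` accesses an ordinary share. In production, feed the function events parsed from the Security log or a SIEM, and pair the alert with the 4624 network logons for the same account so the responder can see the source host of the staging traffic.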
Our assessment, based on the evidence gathered, is that a degree of collaboration exists between Jumpy Pisces and Play ransomware; we hold this with moderate confidence. The conclusion rests on the shared use of the compromised account, the distribution of Jumpy Pisces' unique malware, and the link between known malicious IP addresses and domains and the group. This incident underscores the evolving threat posed by state-sponsored cyber groups and their potential alliances with criminal ransomware networks, which calls for vigilance and robust security measures.
Description last updated: 2024-10-30T16:02:16.925Z