According to Palo Alto Networks Unit 42, the North Korean state-sponsored threat actor tracked as Jumpy Pisces (also known as APT45 and Andariel) has been linked to a Play ransomware deployment. It is the first known instance of an underground ransomware network and a North Korean state-sponsored group working together. The development suggests that North Korea may launch more extensive ransomware attacks in the future to get around sanctions and generate revenue for the financially strapped country.
An unidentified threat actor used the same compromised user account to infiltrate the network before the Play ransomware was deployed. The intruders were then observed harvesting credentials, escalating privileges, and uninstalling endpoint detection and response (EDR) sensors. The attack also used a trojanized binary capable of collecting credit card information, auto-fill data, and browsing history from Google Chrome, Microsoft Edge, and Brave.
It is unclear whether Jumpy Pisces has formally joined the Play ransomware affiliate network. "It remains unclear whether they acted as an IAB [initial access broker] by selling network access to Play ransomware actors," Unit 42 concluded. The threat actors behind Play have since declared on their dark web data leak site that this is untrue.
"If Play ransomware does not offer a RaaS ecosystem as it claims, Jumpy Pisces may have only served as an IAB," Unit 42 added. "Jumpy Pisces may not be an affiliate of Play ransomware but a broker of initial access to the Play ransomware."