Jumpy Pisces Engages in Play Ransomware
Executive Summary
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).
This change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group. This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.
Jumpy Pisces, also known as Andariel and PLUTONIUM, was historically involved in cyberespionage, financial crime and ransomware attacks. The group was indicted by the U.S. Justice Department for deploying custom-developed ransomware, Maui.
We expect their attacks will increasingly …
IoC
879fa942f9f097b74fd6f7dabcf1745a
b1ac26dac205973cd1288a38265835eda9b9ff2edc6bd7c6cb9dee4891c9b449
76cb5d1e6c2b6895428115705d9ac765
172.96.137.224
f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
6e95d94d5d8ed2275559256c5fb5fc6d01da6b46
2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a
6624c7b8faac176d1c1cb10b03e7ee58a4853f91
99e2ebf8cec6a0cea57e591ac1ca56dd5d505c2c3fc8f4c3da8fb8ad49f1527e
http://americajobmail.site
b4f5d37732272f18206242ccd00f6cad9fbfc12fae9173bb69f53fffeba5553f
243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7
http://172.96.137.224