In a recent development, one of North Korea’s best-known state-sponsored threat groups has shifted its focus to using Play ransomware in its attacks, marking the first observed instance of the group working with an underground ransomware network. This move has raised concerns among researchers, as it paves the way for potentially high-impact cyber attacks in the future.
Andariel, previously associated with a ransomware strain called “Maui”, has now been identified by Palo Alto Networks’ Unit 42 as partnering with the Play ransomware gang. However, the exact nature of this collaboration – whether Andariel is acting as an initial access broker (IAB) or as an affiliate of the ransomware group – remains unclear. The researchers observed that Andariel is responsible for a recent Play ransomware attack where the attackers gained initial access to the network through a compromised user account several months prior to deploying the ransomware payload in September.
The involvement of Andariel in Play ransomware attacks indicates a significant shift in tactics and procedures, signaling deeper engagement in the ransomware threat landscape. This development could potentially lead to a trend where North Korean threat groups increasingly participate in broader ransomware campaigns, resulting in more widespread and damaging attacks on a global scale.
Play ransomware, managed and deployed by a group known as Fiddling Scorpius, gained notoriety after targeting the city of Oakland, California with a crippling attack earlier this year. Some experts speculate that Fiddling Scorpius has transitioned from conducting its own attacks to adopting a ransomware-as-a-service (RaaS) model, although the group has denied this claim on its ransomware leak site. If Play is indeed not operating as a RaaS, Andariel would more likely have acted as an IAB in the recent attack than as an affiliate.
Several indicators in the attack sequence point to collaboration between Andariel and the Play ransomware group. The compromised account used for initial access and lateral movement in the network was also used to deploy Andariel’s tools before the ransomware attack was initiated. Additionally, command-and-control communication with the Sliver malware was observed prior to the deployment of Play ransomware, further highlighting the coordination between the two groups.
Andariel, under the control of North Korea’s Reconnaissance General Bureau, has a history of targeting critical sectors such as defense, aerospace, nuclear, and engineering companies, as well as managed service providers worldwide. The group’s malicious activities have attracted the attention of international law enforcement agencies, including the US National Security Agency (NSA), which views Andariel as an ongoing threat to various industry sectors in countries like the US, South Korea, Japan, and India. The US Department of State’s Rewards for Justice program has even offered a reward of up to $10 million for information leading to the apprehension of key figures within Andariel.
In response to the escalating threat posed by North Korean ransomware groups, Unit 42 has provided a list of indicators of compromise (IoCs) in its report. The researchers recommend that organizations enhance their defenses by leveraging the latest threat intelligence, employing advanced URL filtering, and implementing robust DNS security solutions to detect and mitigate malicious activity associated with Andariel and Play ransomware. This proactive approach is crucial in safeguarding against the growing menace of state-sponsored ransomware attacks on a global scale.
