North Korean Group ‘Key Player’ in Recent Ransomware Attack
This incident showcases the first recorded collaboration between Andariel and an underground ransomware network, according to Unit 42 researchers
Researchers have unearthed new evidence in a recent cyberattack showing that Andariel, a North Korean state-sponsored group, is likely collaborating with the Play ransomware group in some capacity.
Key Details:
- Researchers with Palo Alto Networks’ Unit 42 team responded to a Play ransomware incident in early September
- They found “with high confidence” that Andariel was the threat actor that had gained initial access to the victim company, via a compromised user account in May
- Andariel potentially used an Impacket credential harvesting module and deployed the open-source tool Sliver, as well as their custom malware, DTrack, on other hosts through the SMB protocol
- These tools communicated with Andariel’s command-and-control server until September, at which point the Play ransomware was deployed
- Researchers said Andariel was a “key player” in the attack and assessed “with moderate confidence a degree of collaboration” between Andariel and the Play ransomware
Why It Matters: This incident showcases the first recorded collaboration between Andariel and an underground ransomware network, according to Unit 42 researchers. Andariel has previously launched espionage attacks, but has also dabbled with using its own custom ransomware. In July, a joint advisory by U.S. agencies said that Andariel funds its espionage activity through ransomware operations against U.S. healthcare entities, and the Justice Department indicted members of the group that same month for deploying custom ransomware, Maui.
“This change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group,” according to researchers. “This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.”
The Big Picture: Researchers cited several clues pointing to a link between Andariel and the Play deployment. For instance, the account used for initial access and to spread Andariel’s toolset was the same one used prior to ransomware deployment, they said.
However, we still don’t fully understand the relationship between Andariel and the Play ransomware. Andariel may have acted as an initial access broker, selling access to the victim network to threat actors behind the Play ransomware, which then used that access to deploy the ransomware. Another possibility is that Andariel acted as an official affiliate for the Play ransomware, according to the Unit 42 team, although the actors behind Play ransomware have claimed they do not provide a ransomware-as-a-service ecosystem.
Still, the finding indicates that North Korean groups may be increasingly involved in broader ransomware campaigns, which could lead to more widespread attacks, according to researchers.
“We expect their attacks will increasingly target a wide range of victims globally,” said researchers. “Network defenders should view [Andariel] activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”