North Korean APT Tied to Play Ransomware Attacks

Date: October 31, 2024


North Korean threat actors, specifically a group known as APT 45, have been linked to the recent deployment of the Play ransomware, underscoring their financially driven cyber activities.

Between May and September 2024, researchers observed APT 45 collaborating with Play, marking the first recorded cooperation between a North Korean state-backed hacking group and an underground ransomware operation.  

APT 45, affiliated with North Korea’s Reconnaissance General Bureau (RGB), has previously deployed ransomware strains such as SHATTEREDGLASS and Maui.

The Play ransomware group was initially thought to operate under a ransomware-as-a-service (RaaS) model, though they later clarified on their dark web data leak site that this was not accurate.  

During the investigation, APT 45 gained initial network access through a compromised user account, then carried out lateral movement and persistence tactics using the Sliver command-and-control (C2) framework and a backdoor called Dtrack.

The researchers noted that the North Korean-linked C2 infrastructure stayed active until the day prior to the ransomware deployment. The collaboration with Play involved pre-ransomware tactics such as credential harvesting, privilege escalation, and disabling endpoint detection and response (EDR) sensors.  

Additionally, a trojanized binary was deployed to collect browser data, including credit card information. This cooperation suggests that North Korean actors may continue to leverage ransomware to circumvent sanctions and generate revenue for the regime in future campaigns.

"It remains unclear whether APT 45 has officially become an affiliate for Play ransomware or if they acted as an IAB [initial access broker] by selling network access to Play ransomware actors," The Hacker News reported the researchers as saying.  

"If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB."

Takeaway: Today’s ransomware landscape demonstrates a growing convergence between nation-state operations and cybercriminal activities, particularly in ransomware attacks, where state-sponsored tactics increasingly resemble those of organized cybercrime.  

Russia, for example, saw a notable dip in ransomware activity at the start of the Ukraine conflict, which exposed the strong link between criminal groups and the government and suggests that Russian ransomware operators are often either directed by, or heavily influenced in their tactics and targets by, state interests. This close association allows for state-directed attacks while giving the appearance of independent criminal action.

Iran presents a different model, employing ransomware or destructive wipers not primarily for financial gain but as a means of diversion and disruption. Often, these attacks accompany other operations, with little effort made to collect ransoms, underscoring the state’s interest in using cyber tools to create strategic confusion or achieve broader destabilization.

North Korea, by contrast, leverages ransomware both for its disruptive potential against other nations and as a crucial source of funds for the financially isolated regime. Here, ransomware serves as a dual-purpose instrument, enabling the DPRK to circumvent sanctions and support its national agenda.

These models illustrate a shifting dynamic where criminal groups adopt tactics previously exclusive to advanced persistent threat (APT) operations, while nation-state actors gain the advantage of plausible deniability by blurring their activities with cybercriminal actions.  

According to the Halcyon Ransomware Malicious Quartile report, Play is a ransomware-as-a-service (RaaS) group that surfaced in mid-2022, rapidly gaining prominence due to its technical prowess and the decline of other major players like LockBit and BlackCat/ALPHV.  

By the second quarter of 2024, Play had established itself as one of the most active RaaS operations, known for exploiting unpatched Fortinet SSL VPN and Microsoft Exchange vulnerabilities (e.g., ProxyNotShell, OWASSRF) to breach networks.  

With techniques resembling the now-defunct Hive and Nokoyawa strains, Play has demonstrated agility in adapting to new security measures, making it a formidable presence in the ransomware landscape.

In early 2024, the FBI and CISA highlighted Play’s significant impact, noting that the group had compromised over 300 organizations since its inception. Play’s operations are sophisticated, employing tools like PowerTool to disable antivirus programs and SystemBC RAT to maintain persistence, alongside Cobalt Strike for lateral movement and Mimikatz for credential harvesting.  

The group strategically uses living-off-the-land binaries (LOLBins) and AdFind for evading detection and gathering Active Directory data. They were pioneers in using intermittent encryption, encrypting files in parts to avoid early detection, and leverage custom tools like Grixba for data theft.
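The intermittent encryption mentioned above defeats detectors that look only at a whole file's entropy, because most of the file remains plaintext. The following added example (not from the original article, Halcyon, or any Play tooling) compares a whole-file entropy check against a per-chunk check on a constructed sample; the 4096-byte chunk size and 7.5 bits/byte threshold are assumptions, and the pseudo-random bytes merely stand in for ciphertext.

```python
import math
import random
from typing import List, Tuple

CHUNK_SIZE = 4096      # assumed chunk size for the per-chunk scan
HIGH_ENTROPY = 7.5     # assumed bits/byte threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def flag_intermittent_encryption(data: bytes, chunk_size: int = CHUNK_SIZE,
                                 threshold: float = HIGH_ENTROPY) -> Tuple[float, List[int]]:
    """Return (whole-file entropy, indices of chunks at or above the threshold).

    A naive detector only looks at the first value; the second catches files
    where only some chunks were encrypted.
    """
    whole = shannon_entropy(data)
    hits = [i for i, e in enumerate(chunk_entropies(data, chunk_size)) if e >= threshold]
    return whole, hits


def build_sample(chunks: int = 8, encrypt_every: int = 4, seed: int = 1) -> bytes:
    """Constructed sample: repetitive text with every N-th chunk replaced by
    seeded pseudo-random bytes that stand in for ciphertext."""
    rng = random.Random(seed)
    text = (b"Quarterly invoice summary for the finance team. " * 200)[:CHUNK_SIZE]
    out = bytearray()
    for i in range(chunks):
        if i % encrypt_every == 0:
            out += bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
        else:
            out += text
    return bytes(out)


if __name__ == "__main__":
    whole, hits = flag_intermittent_encryption(build_sample())
    print(f"whole-file entropy {whole:.2f} bits/byte is below {HIGH_ENTROPY}; chunks flagged: {hits}")
```

On the constructed sample the whole-file entropy stays well under the threshold while chunks 0 and 4 are flagged, which is why chunk-level (or write-pattern) monitoring is the more useful signal against this technique.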

Play operates a structured and efficient business model, investing heavily in research, development, and recruitment to stay at the forefront of ransomware technology. It supports affiliates with technical infrastructure and uses double extortion tactics, threatening to leak exfiltrated data if ransom demands are unmet.  

Initially focusing on Latin America, Play expanded globally by targeting managed service providers (MSPs) to infiltrate multiple networks at once. Their adaptability and technical expertise have cemented their reputation as a top-tier ransomware group, instilling urgency in victims to meet their demands or face public exposure.

This convergence of APT and cybercriminal elements not only enhances the sophistication of criminal networks but also allows state actors to obscure their involvement, complicating attribution and elevating the global cyber threat landscape.

Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.