Jumpy Pisces Engages in Play Ransomware

    Date: 10/31/2024

    Severity: High

    Summary

The report "Jumpy Pisces Engages in Play Ransomware" details the North Korean threat group Jumpy Pisces (also tracked as Andariel), linked to the Reconnaissance General Bureau, as a key player in a recent ransomware incident. It describes a tactical shift: Jumpy Pisces appears to have collaborated with the Play ransomware group (Fiddling Scorpius), the first observed case of the group working with an established ransomware operation rather than deploying its own custom ransomware. Historically focused on cyberespionage and financially motivated crime, the group has been indicted for deploying the custom ransomware Maui. The report warns that their activities may increasingly target a wide range of global victims and urges network defenders to watch for the initial-access and ransomware activity it describes.

    Indicators of Compromise (IOC) List

    URL/Domain

    americajobmail.site

    IP Address

    172.96.137.224

    Hash

    243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7
    
    2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a
    
    f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
    
    99e2ebf8cec6a0cea57e591ac1ca56dd5d505c2c3fc8f4c3da8fb8ad49f1527e
    
    b4f5d37732272f18206242ccd00f6cad9fbfc12fae9173bb69f53fffeba5553f
    
    b1ac26dac205973cd1288a38265835eda9b9ff2edc6bd7c6cb9dee4891c9b449
    

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "americajobmail.site" or url like "americajobmail.site"

    Detection Query 2

    dstipaddress IN ("172.96.137.224") or ipaddress IN ("172.96.137.224") or publicipaddress IN ("172.96.137.224") or srcipaddress IN ("172.96.137.224")

    Detection Query 3

    sha256hash IN ("b4f5d37732272f18206242ccd00f6cad9fbfc12fae9173bb69f53fffeba5553f","99e2ebf8cec6a0cea57e591ac1ca56dd5d505c2c3fc8f4c3da8fb8ad49f1527e","2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a","243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7","b1ac26dac205973cd1288a38265835eda9b9ff2edc6bd7c6cb9dee4891c9b449","f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5")
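The three queries above can be exercised offline before they are loaded into a SIEM. The following is an added example, not Gurucul's code and not from the Unit 42 report: it applies the same three IOC checks to a handful of constructed events (flat dictionaries using the field names from the queries; the events and the helper names are assumptions, not real telemetry), anchors the domain match on label boundaries so that a subdomain of the IOC matches while a look-alike such as xamericajobmail.site does not, and compares hashes case-insensitively.

```python
"""Added example (not Gurucul's or Unit 42's code): run the three IOC queries
from the page against constructed sample events.

Assumptions: each event is a flat dict keyed by the field names used in the
queries (userdomainname, url, dstipaddress, ipaddress, publicipaddress,
srcipaddress, sha256hash). SAMPLE_EVENTS below is constructed test data.
"""
from urllib.parse import urlsplit

# IOCs copied from the list above; a set de-duplicates the repeated hashes.
IOC_DOMAINS = {"americajobmail.site"}
IOC_IPS = {"172.96.137.224"}
IOC_SHA256 = {
    "243ad5458706e5c836f8eb88a9f67e136f1fa76ed44868217dc995a8c7d07bf7",
    "2b254ae6690c9e37fa7d249e8578ee27393e47db1913816b4982867584be713a",
    "f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5",
    "99e2ebf8cec6a0cea57e591ac1ca56dd5d505c2c3fc8f4c3da8fb8ad49f1527e",
    "b4f5d37732272f18206242ccd00f6cad9fbfc12fae9173bb69f53fffeba5553f",
    "b1ac26dac205973cd1288a38265835eda9b9ff2edc6bd7c6cb9dee4891c9b449",
}

DOMAIN_FIELDS = ("userdomainname", "url")          # Detection Query 1
IP_FIELDS = ("dstipaddress", "ipaddress",
             "publicipaddress", "srcipaddress")    # Detection Query 2
HASH_FIELD = "sha256hash"                           # Detection Query 3


def hostname_of(value: str) -> str:
    """Return the lower-cased hostname from a bare host or a full URL
    (scheme, userinfo, port and path are stripped)."""
    if "://" not in value:
        value = "//" + value            # let urlsplit treat it as a netloc
    host = urlsplit(value).hostname or ""
    return host.lower().rstrip(".")


def domain_matches(value: str, iocs: set) -> bool:
    """True if the host equals an IOC domain or is a subdomain of one.
    Matching on label boundaries avoids hits on look-alikes such as
    'xamericajobmail.site', which a plain substring/LIKE match would flag."""
    host = hostname_of(value)
    return any(host == d or host.endswith("." + d) for d in iocs)


def match_event(event: dict) -> list:
    """Apply the three queries to one event; return (query, field, value) hits."""
    hits = []
    for field in DOMAIN_FIELDS:
        value = event.get(field)
        if value and domain_matches(value, IOC_DOMAINS):
            hits.append(("query1", field, value))
    for field in IP_FIELDS:
        value = event.get(field)
        if value and value.strip() in IOC_IPS:
            hits.append(("query2", field, value.strip()))
    digest = event.get(HASH_FIELD)
    if digest and digest.strip().lower() in IOC_SHA256:
        hits.append(("query3", HASH_FIELD, digest.strip().lower()))
    return hits


def scan(events: list) -> dict:
    """Map event id -> hits for every event that matched at least one query."""
    results = {}
    for event in events:
        hits = match_event(event)
        if hits:
            results[event["id"]] = hits
    return results


# Constructed sample events (not real logs): 1-3 should match, 4 should not.
SAMPLE_EVENTS = [
    {"id": 1, "userdomainname": "corp.example",
     "url": "https://mail.americajobmail.site/login", "dstipaddress": "10.0.0.5"},
    {"id": 2, "srcipaddress": "172.96.137.224", "dstipaddress": "10.0.0.9"},
    {"id": 3, "ipaddress": "10.1.1.1",
     "sha256hash": "B4F5D37732272F18206242CCD00F6CAD9FBFC12FAE9173BB69F53FFFEBA5553F"},
    {"id": 4, "url": "https://xamericajobmail.site/", "dstipaddress": "172.96.137.22"},
]

if __name__ == "__main__":
    for event_id, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(event_id, hits)
```

Event 4 is the point of the example: its hostname contains the IOC as a substring and its destination IP shares a prefix with the IOC, yet neither is a true match. When translating the queries into a production rule, check how the platform's `like` operator handles wildcards and whether IP fields are compared as strings or as addresses, so the rule matches exactly and no more.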

    Reference: 

    https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/    


    Tags

Malware, Ransomware, CyberEspionage
