North Korean govt hackers linked to Play ransomware attack

The North Korean state-sponsored hacking group tracked as 'Andariel' has been linked to the Play ransomware operation, using the RaaS to work behind the scenes and evade sanctions.

A report from Palo Alto Networks and its Unit 42 researchers claims that Andariel might be either an affiliate of Play or acting as an initial access broker (IAB), facilitating the deployment of the malware on a network they had breached several months earlier.

Andariel is a state-sponsored APT group believed to be associated with North Korea's Reconnaissance General Bureau, a military intelligence agency. In 2019, the U.S. sanctioned the North Korean Lazarus, Bluenoroff, and Andariel threat actors for their attacks on U.S. interests.

The threat actors are known to conduct attacks for cyber espionage and to fund North Korea's operations and have been linked to ransomware operations before.

In 2022, Kaspersky showed evidence of Andariel deploying Maui ransomware in attacks against targets in Japan, Russia, Vietnam, and India.

The U.S. government later confirmed this by offering $10,000,000 for any information on Rim Jong Hyok, whom it identified as a member of Andariel and responsible for Maui ransomware attacks targeting critical infrastructure and healthcare organizations across the United States.

The Andariel and Play connection

During a Play ransomware incident response in September 2024, Unit 42 discovered that Andariel had compromised its customer's breached network in late May 2024.

The threat actors achieved initial access via a compromised user account, and then extracted registry dumps and deployed Mimikatz for credential harvesting.

Next, they deployed the open-source pentesting suite Sliver for command and control (C2) beaconing, and their signature custom info-stealing malware, DTrack, on all reachable hosts over SMB.

For the next few months, the threat actors solidified their presence on the network, creating malicious services, establishing Remote Desktop Protocol (RDP) sessions, and uninstalling endpoint detection and response (EDR) tools.

However, it wasn't until three months later, on September 5, when the PLAY ransomware encryptor was executed on the network to encrypt devices.

Unit 42 concludes with moderate confidence that the presence of Andariel and the deployment of Play on the same network were connected.

This is based on the following clues:

1. The same account was used for initial access, spreading tools, lateral movement, privilege escalation, and EDR uninstallation, leading to Play ransomware deployment.
2. Sliver C2 communication continued until just before ransomware deployment, after which the C2 I.P. went offline.
3. Play ransomware tools, including TokenPlayer and PsExec, were found in C:\Users\Public\Music, matching common tactics observed in past attacks.

However, the researchers are unsure whether Andariel acted as a Play affiliate in this case or sold the attackers access to the compromised network.

Evading sanctions

While Ransomware-as-a-Service operations commonly promote a revenue share, where affiliates (or "adverts") earn 70-80% of a ransom payment and the ransomware developers earn the rest, it is commonly a bit more complicated than that.

In many cases, affiliates work with "pentesters" who are in charge of breaching a corporate network, establishing a presence, and then handing off access to an affiliate who deploys the encryptor.

In previous conversations with ransomware threat actors, BleepingComputer was told that sometimes the pentesters steal data, while in other attacks, it's the affiliate.

After a ransom payment is made, the ransomware operators, the pentester, and the affiliate split the money among themselves.

Regardless of whether Andariel is an affiliate or initial access broker (pentester), working with ransomware gangs behind the scenes allows North Korean threat actors to evade international sanctions.

In the past, we saw similar tactics used by the Russian hacking group Evil Corp, which was sanctioned by the U.S. government in 2019.

After being sanctioned, some ransomware negotiation firms refused to facilitate ransom payments for Evil Corp ransomware attacks to avoid facing fines or legal action from the Treasury Department.

However, this led the threat actors to frequently rebrand under different names, like WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and Macaw, to evade sanctions.

More recently, Iranian threat actors, who are also sanctioned, have similarly been discovered acting as initial access brokers to fuel ransomware attacks.