Extortion and Ransomware Trends January-March 2025
2025-04-23 • Palo Alto Networks
https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/
Unit 42's ransomware trend report highlights North Korean participation in ransomware ecosystems as one of several changes in early 2025 extortion activity. It says Jumpy Pisces, a North Korean state-sponsored group associated with the Korean People's Army Reconnaissance General Bureau, played a key role in a ransomware incident and may have acted as an initial access broker or affiliate using Fiddling Scorpius Play ransomware infrastructure. Unit 42 also notes later artifacts of North Korean actors continuing to cooperate with ransomware groups, including reports that Moonstone Sleet deployed Qilin payloads in a limited number of March 2025 attacks. The DPRK-relevant finding is the shift from direct theft alone toward collaboration with criminal ransomware operations, while the wider report separately covers scam extortion, EDR-killer tooling, and cloud or hypervisor targeting.