Play Ransomware

#Play • 2024-10

Unknown

Unit 42 linked Jumpy Pisces, also known as Andariel or PLUTONIUM, to an intrusion that preceded Play ransomware deployment and assessed with moderate confidence that the North Korean state-sponsored actor either collaborated with Play operators or acted as an initial access broker. The intrusion began with a compromised user account; the actor then used SMB to spread Sliver and DTrack, maintained C2 until shortly before ransomware execution, and carried out credential harvesting, privilege escalation, EDR sensor removal, Windows access-token abuse, PsExec use, and Play ransomware deployment.

Related Actors

Related Reports
