Unit 42 recently reported that it has identified “Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People’s Army, as a key player in a recent ransomware incident.” Its investigation indicates “with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).” Jumpy Pisces has previously engaged in cyberespionage, financial crime, and ransomware attacks and was behind the ransomware known as Maui.

Unit 42 states that this is the “first observed instance” of Jumpy Pisces using an existing ransomware infrastructure that “signals deeper involvement in the broader ransomware threat landscape.”

According to Unit 42, “We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”

Unit 42 provides the attack methods, timeline of events, threat actor tooling, collaborations with Play ransomware, indicators of compromise, and resources for organizations to use to protect against these threats.