Play ransomware gang uses custom Shadow Volume Copy data-theft tool

Hacker

The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.

The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow Copy Service (VSS) to bypass locked files.

Security researchers at Symantec discovered and analyzed the new tools and shared their findings with BleepingComputer before publishing their report.

New custom tools

Grixba is a network-scanning and information-stealing tool used to enumerate users and computers in a domain. It also supports a ‘scan’ mode that uses WMI, WinRM, Remote Registry, and Remote Services to determine what software runs on network devices.

When performing the scan function, Grixba will check for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. Also, the scanner checks for common office applications and DirectX, potentially to determine the type of computer being scanned.

The tool saves all collected data in CSV files, compresses them into a ZIP archive, and then exfiltrates it to the attackers’ C2 server, giving them vital info on how to plan the next steps of the attack.

Grixba command line arguments
Grixba command line arguments
Source: Symantec

The second custom tool spotted by Symantec in Play ransomware attacks is VSS Copying Tool, which allows attackers to interact with the Volume Shadow Copy Service (VSS) via API calls using a bundled AlphaVSS .NET library.

Volume Shadow Copy Service is a Windows feature that allows users to create system snapshots and backup copies of their data at specific time points and restore them in the case of data loss or system corruption.

The VSS Copying Tool enables Play ransomware to steal files from existing shadow volume copies even when those files are in use by applications.

Both tools analyzed by Symantec were written using the Costura .NET development tool, which can build standalone executables that require no dependencies, making it easier to deploy on compromised systems.

Play ransomware’s use of custom tools indicates that the notorious threat actor aims to increase the effectiveness of their attacks and carry out their malicious tasks more efficiently.

Since the start of the year, Play ransomware has had several high-profile victims, including the City of Oakland in California, A10 NetworksArnold Clark, and Rackspace.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn