The notorious Play ransomware group has developed two custom tools, dubbed Grixba and VSS Copying Tool. The group wrote both tools in .NET and uses them to make its cybercriminal operations more efficient.
Together, the tools let their operators identify users and computers in an infected network, harvest information about installed security, backup and remote administration software, and copy files out of Volume Shadow Copy Service (VSS) snapshots to get around locked files.
Grixba is an information-stealing and network-scanning tool that enumerates users and devices in a domain. It also has a scan mode that uses WinRM, Remote Registry, WMI and Remote Services to identify which software is running on network hosts.
While scanning, Grixba also checks for antivirus and security products, backup software, remote administration tools and EDR agents. The scanner additionally looks for standard office applications and DirectX to infer what kind of computer it is examining.
The tool saves the collected data to CSV files, compresses them into a ZIP archive and sends it to an attacker-controlled command-and-control (C2) server. This reconnaissance helps the operators plan the next steps of the campaign.
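From the defender's side, the scan behaviour described above has a recognisable shape: one host contacting many peers on the WinRM, RPC/WMI and SMB ports within a short window. The detector below is an added example, not code from the article or from the Play tooling; the log format, addresses, thresholds and port mapping are assumptions chosen for illustration.

```python
# Added example, not from the article or from Play's tooling: flag a host that fans out
# to many peers over the remote-management protocols the article says Grixba's scan
# mode uses. Ports are the standard ones: WinRM 5985/5986, RPC 135 (WMI), SMB 445
# (Remote Registry, Remote Services). Log lines and addresses are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {135: "RPC/WMI", 445: "SMB", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Constructed records, one connection per line: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.0.5 sweeps five hosts in seconds; 10.0.0.7 is ordinary file-share traffic;
# 10.0.0.9 reaches five hosts but spread over 40 minutes.
SAMPLE_LOG = """\
2024-01-15T09:00:01 10.0.0.5 10.0.0.10 5985
2024-01-15T09:00:02 10.0.0.5 10.0.0.11 135
2024-01-15T09:00:02 10.0.0.5 10.0.0.12 445
2024-01-15T09:00:03 10.0.0.5 10.0.0.13 5985
2024-01-15T09:00:04 10.0.0.5 10.0.0.14 135
2024-01-15T09:00:10 10.0.0.7 10.0.0.10 445
2024-01-15T09:01:30 10.0.0.7 10.0.0.11 443
2024-01-15T09:30:00 10.0.0.9 10.0.0.20 5985
2024-01-15T09:40:00 10.0.0.9 10.0.0.21 5985
2024-01-15T09:50:00 10.0.0.9 10.0.0.22 5985
2024-01-15T10:00:00 10.0.0.9 10.0.0.23 5985
2024-01-15T10:10:00 10.0.0.9 10.0.0.24 5985
"""

def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_scanners(log, min_hosts=5, window_minutes=5):
    """Return {src: peers} for sources touching >= min_hosts distinct hosts on SCAN_PORTS
    within any span of window_minutes."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_line(l) for l in log.splitlines() if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in SCAN_PORTS:          # ignore ports outside the scan profile
            per_src[src].append((ts, dst))
    hits = {}
    for src, conns in per_src.items():   # conns are time-sorted per source
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1               # slide the window forward
            peers = {dst for _, dst in conns[start:end + 1]}
            if len(peers) >= min_hosts:
                hits[src] = peers
                break
    return hits
```

Tune `min_hosts` and `window_minutes` to the environment; legitimate management servers that poll many hosts on these ports should be allow-listed rather than lowering the thresholds.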
The Play ransomware group has also developed the VSS Copying Tool.
This second custom tool lets the operators interact with the Volume Shadow Copy Service through API calls, using the bundled AlphaVSS .NET library.
The Volume Shadow Copy Service is a Windows feature that lets administrators create point-in-time snapshots of a volume, back up data from them and restore it after system corruption or data loss.
The VSS Copying Tool lets the Play group copy files out of these shadow copies even when the live files are locked by applications on the compromised computer.
Both tools are standalone executables with no external dependencies, so the actors can deploy them quickly on infected systems.
The tools also show that the group's developers are investing in making its malicious operations more efficient.