The Play ransomware group has been found using two new custom tools to strengthen its attacks and harvest data more effectively from targeted systems. Tracked as Grixba and the Volume Shadow Copy Service (VSS) Copying Tool, both can be dropped onto compromised systems with no additional dependencies.
Knowing the tools
Both tools are .NET programs packaged with Costura, which embeds their dependencies into a single executable, and aim to increase the effectiveness of the threat actors by helping them carry out more malicious tasks.
- Grixba is a network scanner and information stealer used to enumerate users and computers in a compromised network.
- Upon execution, the tool scans for remote administration tools, antivirus products, and other security programs on victims’ devices before collecting all the data in CSV files.
- The second tool, VSS Copying Tool, allows attackers to interact with the VSS using a bundled AlphaVSS library.
- It enables attackers to steal files from existing shadow volume copies on compromised machines prior to encryption.
Use of custom data exfiltration tools on the rise
There has been a significant rise in the use of custom tools by ransomware gangs in their attacks.
- Recently, the Vice Society ransomware group was found using a sophisticated PowerShell script to automate data theft from compromised networks. This new tool employs a living-off-the-land attack tactic to bypass security checks.
- The BlackByte ransomware group also added a tool, named Exbyte, to its arsenal to upload harvested data to Mega’s cloud storage service and avoid malware detection and analysis tools.
- The MuddyWater actor group was also observed using an altered version of Ligolo in attacks targeting industries across Central America and Europe.
The bottom line
Researchers have shared a list of new indicators containing file hashes and malicious IP addresses used by the Play ransomware group. Organizations can use these indicators to understand the attack pattern and implement the security measures required to protect their networks, endpoints, and systems.
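The two defender-side checks the write-up implies, shown together as an added example that is not part of the original report: flag processes other than known backup software reading files through Volume Shadow Copy device paths (the behaviour of the VSS Copying Tool described above), and flag network connections to addresses on a shared indicator list (the IoC feed mentioned in this section). The JSON telemetry format, the backup-process allow-list, the IoC addresses and the threshold for "bulk" collection are all constructed or assumed here; the shadow-copy path prefix is the one Windows exposes to user mode.

```python
"""Toy detection pass over constructed endpoint telemetry (added example,
not code from the original report or from the Play tooling it describes)."""
import json
from collections import Counter

# Shadow copies are exposed to user-mode programs under this device path
# prefix (compared case-insensitively). Backup agents read from it; few
# other processes have a reason to.
SHADOW_COPY_PREFIX = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"

# ASSUMPTION: site-specific allow-list of processes expected to read shadow copies.
BACKUP_PROCESSES = {"wbengine.exe", "veeamagent.exe"}

# PLACEHOLDER indicator list; real values come from the published IoC feed.
IOC_IPS = {"203.0.113.77", "198.51.100.9"}

# ASSUMPTION: this many distinct shadow-copy reads by one process is "bulk" collection.
BULK_READ_THRESHOLD = 3

# Constructed telemetry: one JSON object per line, as a simple EDR export might look.
_EVENTS = [
    {"ts": "2023-04-20T02:11:05Z", "host": "ws01", "event": "file_read",
     "process": "wbengine.exe",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\a\Documents\q1.xlsx"},
    {"ts": "2023-04-20T02:14:30Z", "host": "ws01", "event": "file_read",
     "process": "svc_update.exe",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\a\Documents\q1.xlsx"},
    {"ts": "2023-04-20T02:14:31Z", "host": "ws01", "event": "file_read",
     "process": "svc_update.exe",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Finance\payroll.csv"},
    {"ts": "2023-04-20T02:14:32Z", "host": "ws01", "event": "file_read",
     "process": "svc_update.exe",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Finance\contracts.docx"},
    {"ts": "2023-04-20T02:15:00Z", "host": "ws01", "event": "file_read",
     "process": "explorer.exe", "path": r"C:\Users\a\Documents\q1.xlsx"},
    {"ts": "2023-04-20T02:16:10Z", "host": "ws01", "event": "net_connect",
     "process": "svc_update.exe", "dst_ip": "203.0.113.77", "dst_port": 443},
    {"ts": "2023-04-20T02:16:12Z", "host": "ws01", "event": "net_connect",
     "process": "chrome.exe", "dst_ip": "93.184.216.34", "dst_port": 443},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def is_shadow_copy_path(path):
    """True if the path goes through a shadow-copy device rather than a live volume."""
    return path.lower().startswith(SHADOW_COPY_PREFIX.lower())


def detect(log_text, backup_processes=BACKUP_PROCESSES, ioc_ips=IOC_IPS,
           bulk_threshold=BULK_READ_THRESHOLD):
    """Return a list of alert dicts for the suspicious events in the log text."""
    alerts = []
    shadow_reads = Counter()  # (host, process) -> number of shadow-copy reads
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc = ev.get("process", "").lower()
        kind = ev.get("event")
        if kind == "file_read" and is_shadow_copy_path(ev.get("path", "")):
            # Reading from a shadow copy is normal for backup agents only.
            if proc not in backup_processes:
                shadow_reads[(ev["host"], proc)] += 1
                alerts.append({"rule": "shadow_copy_read_by_unknown_process",
                               "host": ev["host"], "process": proc,
                               "path": ev["path"], "ts": ev["ts"]})
        elif kind == "net_connect" and ev.get("dst_ip") in ioc_ips:
            alerts.append({"rule": "connection_to_known_ioc_ip",
                           "host": ev["host"], "process": proc,
                           "dst_ip": ev["dst_ip"], "ts": ev["ts"]})
    # Escalate when one process pulls many files out of shadow copies: that is
    # the pre-encryption collection pattern, not an occasional restore.
    for (host, proc), n in shadow_reads.items():
        if n >= bulk_threshold:
            alerts.append({"rule": "bulk_shadow_copy_collection",
                           "host": host, "process": proc, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

The per-event rule gives an analyst each file touched, while the aggregated rule is the one worth paging on; a restore by a known backup agent, a normal read of the live file, and ordinary browsing produce no alerts in the sample. The IoC match is deliberately exact on the address: hashes from the same feed would be checked the same way against file-creation events once the researchers' published values are loaded in place of the placeholders.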