The Play ransomware group has developed two custom tools, Grixba and VSS Copying Tool, to make its attacks more effective. This was reported by Symantec researchers, who discovered and analyzed the samples.
The new tools allow the attackers to:
- list users and computers on compromised networks;
- collect security, backup, and remote administration software information;
- copy files from the Volume Shadow Copy Service (VSS) to bypass locked files.
Grixba is a network scanning and information stealing tool used to enumerate users and computers in a domain. It also supports a "scan" mode that uses WMI, WinRM, remote registry, and remote services to determine what software is running on network devices.
When performing a scan function, Grixba checks for antivirus and security software, EDR solution suites, backup tools, and remote administration tools. In addition, the scanner checks for regular office applications and DirectX, potentially allowing hackers to determine the type of computer being scanned.
The tool saves all the collected data in CSV files, compresses them into a ZIP archive, and then exfiltrates the archive to the attackers' C2 server, giving them the information they need to plan their next steps in the attack.
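The collect-to-CSV, zip, then send-out sequence described for Grixba is one behaviour defenders can hunt for in endpoint telemetry. As an added example (not from Symantec's analysis and not the malware's code), the following correlation rule runs over constructed file-write and network events and flags a single process that writes several CSV files, then a ZIP archive, then opens an outbound connection within a short window; the event format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Grixba output). Fields: time|pid|type|detail
SAMPLE_EVENTS = """\
2023-04-19T10:00:01|4120|file_write|C:\\Users\\Public\\users.csv
2023-04-19T10:00:02|4120|file_write|C:\\Users\\Public\\computers.csv
2023-04-19T10:00:03|4120|file_write|C:\\Users\\Public\\software.csv
2023-04-19T10:00:09|4120|file_write|C:\\Users\\Public\\report.zip
2023-04-19T10:00:15|4120|net_connect|203.0.113.10:443
2023-04-19T10:05:00|5200|file_write|C:\\Users\\alice\\budget.csv
2023-04-19T10:30:00|5200|net_connect|198.51.100.7:443
"""

def parse_events(text):
    """Parse pipe-delimited telemetry into (timestamp, pid, kind, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), int(pid), kind, detail.lower()))
    return events

def find_collect_zip_exfil(events, min_csv=2, window=timedelta(minutes=5)):
    """Return PIDs that wrote at least min_csv CSV files, then a ZIP, then
    opened a network connection, all within `window` of the first CSV write.
    Ordering matters: the ZIP must follow the CSVs and the connection the ZIP."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)
    suspicious = []
    for pid, evs in by_pid.items():
        evs.sort()  # chronological order per process
        csv_times = [t for t, _, k, d in evs if k == "file_write" and d.endswith(".csv")]
        if len(csv_times) < min_csv:
            continue
        deadline = csv_times[0] + window
        zip_times = [t for t, _, k, d in evs if k == "file_write" and d.endswith(".zip")
                     and csv_times[min_csv - 1] <= t <= deadline]
        if not zip_times:
            continue
        if any(k == "net_connect" and zip_times[0] <= t <= deadline
               for t, _, k, _ in evs):
            suspicious.append(pid)
    return suspicious

if __name__ == "__main__":
    print(find_collect_zip_exfil(parse_events(SAMPLE_EVENTS)))  # [4120]
```

The second process in the sample writes one spreadsheet and later makes a connection, so it stays below the threshold; tune `min_csv` and `window` to the environment's baseline before deploying such a rule.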
The VSS Copying Tool is the Play group's second new tool. It lets the attackers interact with the Volume Shadow Copy Service (VSS) through API calls made via the AlphaVSS .NET library.
The Volume Shadow Copy Service is a Windows feature that allows users to create system snapshots and backups of their data at specific points in time and restore them in the event of data loss or system corruption. The VSS Copying Tool allows Play ransomware to steal files from existing volume shadow copies, even if those files are in use by applications.
Both tools were built with Costura, a .NET development tool that produces standalone executables with no external dependencies, which makes the malware easier to deploy on compromised systems.
Recall that the Play group claimed responsibility for the cyberattack on the American city of Oakland in the first half of February. The attack severely disrupted the city's IT systems, and local authorities even had to declare a state of emergency.
In January, Play hackers also infiltrated the Rackspace email service using a zero-day exploit and gained access to some of the company's customer data.