Play ransomware gang uses custom Shadow Volume Copy data-theft tool
The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks.
The two tools allow attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from the Volume Shadow Copy Service (VSS) to bypass locked files.
Security researchers at Symantec discovered and analyzed the new tools and shared their findings with BleepingComputer before publishing their report.
New custom tools
Grixba is a network-scanning and information-stealing tool used to enumerate users and computers in a domain. It also supports a 'scan' mode that uses WMI, WinRM, Remote Registry, and Remote Services to determine what software runs on network devices.
When performing the scan function, Grixba checks for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. The scanner also checks for common office applications and DirectX, potentially to determine the type of computer being scanned.
The tool saves all collected data in CSV files, compresses them into a ZIP archive, and then exfiltrates it to the attackers' C2 server, giving them vital information on how to plan the next steps of the attack.
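The scan behaviour described above, one source process reaching many hosts over WMI, WinRM, Remote Registry and Remote Services in a short time, is what a defender can look for in network-connection telemetry. The following detection sketch is an added example, not code from Symantec or from the tools themselves; the log format, host names and image paths are constructed, and it assumes the telemetry records destination ports (135 for WMI/DCOM, 5985/5986 for WinRM, 445 for the SMB named pipes that Remote Registry and the Service Control Manager use).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the remote-management channels named in the report ride on: WMI/DCOM begins on the 135
# endpoint mapper; Remote Registry and Remote Services (SCM) are SMB named pipes on 445.
ADMIN_PORTS = {135: "WMI/DCOM", 5985: "WinRM", 5986: "WinRM", 445: "SMB pipes (RemoteRegistry/SCM)"}
# Constructed sample connection events in a hypothetical log format (not real telemetry).
SAMPLE_LOG = r"""
2023-04-19T10:00:01 src=WS-FIN-07 image=C:\Users\Public\svc.exe dst=DC01 dport=135
2023-04-19T10:00:05 src=WS-FIN-07 image=C:\Users\Public\svc.exe dst=FS01 dport=135
2023-04-19T10:00:09 src=WS-FIN-07 image=C:\Users\Public\svc.exe dst=WS-HR-02 dport=135
2023-04-19T10:00:12 src=WS-FIN-07 image=C:\Users\Public\svc.exe dst=WS-HR-03 dport=445
2023-04-19T10:00:15 src=WS-FIN-07 image=C:\Users\Public\svc.exe dst=WS-HR-04 dport=445
2023-04-19T10:00:18 src=WS-FIN-07 image=C:\Users\Public\svc.exe dst=SQL01 dport=5985
2023-04-19T10:01:00 src=JUMP01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=WEB01 dport=5985
2023-04-19T10:02:00 src=JUMP01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=WEB02 dport=5985
2023-04-19T10:05:00 src=BACKUP01 image=C:\Backup\agent.exe dst=FS01 dport=445
2023-04-19T10:06:00 src=BACKUP01 image=C:\Backup\agent.exe dst=FS01 dport=445
"""
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) image=(?P<image>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for m in (LINE_RE.match(line) for line in text.strip().splitlines()):
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "image": m["image"], "dst": m["dst"], "dport": int(m["dport"])})
    return events
def detect_enumeration(events, min_hosts=5, min_protocols=2, window=timedelta(minutes=10)):
    """Flag (source, image) pairs that reach many hosts over several admin protocols within the window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["dport"] in ADMIN_PORTS:
            by_actor[(e["src"], e["image"])].append(e)
    hits = []
    for (src, image), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window, starting at each event in turn
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["dst"] for e in in_win}
            protos = {ADMIN_PORTS[e["dport"]] for e in in_win}
            if len(hosts) >= min_hosts and len(protos) >= min_protocols:
                hits.append({"src": src, "image": image, "hosts": len(hosts), "protocols": sorted(protos)})
                break  # one alert per actor is enough
    return hits

if __name__ == "__main__":
    for h in detect_enumeration(parse_events(SAMPLE_LOG)):
        print(f"{h['src']} {h['image']}: {h['hosts']} hosts via {', '.join(h['protocols'])}")
```

On the constructed sample only the unsigned binary on WS-FIN-07 is flagged; the two-host WinRM session from the jump host and the backup agent talking to a single file server stay below the thresholds, which is the point of requiring both fan-out and protocol mix rather than either alone.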
The second custom tool observed by Symantec in Play ransomware attacks is VSS Copying Tool, which allows attackers to interact with the Volume Shadow Copy Service (VSS) via API calls using a bundled AlphaVSS .NET library.
Volume Shadow Copy Service is a Windows feature that allows users to create system snapshots and backup copies of their data at specific points in time and restore them in case of data loss or system corruption.
The VSS Copying Tool allows Play ransomware to steal files from existing shadow volume copies even when those files are in use by applications.
Both tools analyzed by Symantec were written using the Costura .NET development tool, which can build standalone executables that require no dependencies, making them easier to deploy on compromised systems.
Play ransomware's use of custom tools indicates that the notorious threat actor aims to increase the effectiveness of its attacks and carry out its malicious tasks more efficiently.
Since the start of the year, Play ransomware has had several high-profile victims, including the City of Oakland in California, A10 Networks, Arnold Clark, and Rackspace.