Play ransomware's new tools.
N2K logoApr 19, 2023

The Play ransomware gang has been observed using two new tools for data collection; Grixba, an infostealer, and a VSS copying tool.

Play ransomware's new tools.

Symantec, part of Broadcom Software, shared this morning their observation of two new tools in use by the Play ransomware gang. The tools include an infostealer coined “Grixba,” as well as a Volume Shadow Copy Service, or VSS, copying tool.

An infostealer by the name of Grixba.

The researchers have identified an infostealer called Grixba, defined as “a network scanning tool used to enumerate all users and computers in the domain.” In addition to the enumeration of software and services, the Grixba infostealer checks for security and backup software, as well as remote administration tools. The Grixba tool was developed using “a popular .NET development tool for embedding and applications dependencies into a single executable file,” known as Costura.

VSS copying tool made using Costura.

Also developed using Costura was another executable, a VSS copying tool that the researchers say “embeds the library AlphaVSS into executables. The AlphaVSS library is a.NET framework that provides a high-level interface for interacting with VSS. The library makes it easier for .NET programs to interface with VSS by offering a set of controlled APIs.” This tool allows for the threat actors to copy files normally blocked by the OS.

The Play ransomware gang’s notable history.

Play ransomware, tracked also as PlayCrypt, was developed by a group Symantec researchers track as Balloonfly. The strain has existed since June of last year at least. The gang operating Play mostly engages in double-extortion attacks, and had for some time been seen primarily targeting Brazil and greater Latin America. However the gang’s target list quickly expanded. The ransomware has been seen exploiting Microsoft Exchange vulnerabilities and using intermittent encryption to gain remote code execution (RCE) capabilities. The Balloonfly group seems to be the only one using the ransomware, which suggests it’s not being disseminated as ransomware-as-a-service (RaaS).