The 2 New Tools Developed by a Dangerous Ransomware Gang to Make Attacks more Efficient
Researchers have discovered that PLAY, a very dangerous ransomware group, has developed two new custom data-gathering tools that will allow them to more effectively carry out their attacks on unsuspecting victims.
The tools are called “Grixba” and “VSS Copying Tool”. Grixba enumerates the software and services installed on the target system. The VSS Copying Tool lets attackers copy a system’s Volume Shadow Copy Service (VSS) files, which are normally locked by the operating system.
These new tools are just the latest in a plethora of tools ransomware gangs are developing to be more efficient. The researchers note that the reason ransomware gangs are developing their own custom tools is “likely due to a number of reasons, such as making attacks more efficient and reducing dwell time,” as well as the fact that these “custom tools can be tailored to a specific target environment, allowing ransomware gangs to carry out attacks faster and more efficiently.”
Additionally, custom tools give the gang more control over its operations. They also reduce the likelihood that the tools will be reverse engineered or reused by other groups, either of which would weaken their effectiveness.
PLAY, whose attack on the city of Oakland, California led the city to declare a state of emergency, appends a “.play” extension to the files it encrypts and leaves a ransom note that, apart from an email address for contacting the group, simply says “PLAY”. The group was first discovered in June 2022, according to Trend Micro.
In addition to their attack on the city of Oakland, the group claimed responsibility for an August 2022 attack on Argentina’s Judiciary of Córdoba. This attack was described by an Argentine news outlet as the “worst attack in history on public institutions”.
The PLAY ransomware variant has been attributed to 77 attacks dating back to November 2022, including 20 attacks in the last month alone. With the group now deploying these new tools, attack numbers could rise in the coming months.
Story via Cyberscoop