Play Ransomware Gang Automates with Custom Data-Exfiltration Tooling


April 19, 2023


Play, the ransomware gang that claimed attacks on the city of Oakland, has developed two new custom data exfiltration tools – the Grixba information stealer and a Volume Shadow Copy Service (VSS) Copying Tool – that improve efficiency in gathering sensitive information on a targeted network.

“The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow Copy Service (VSS) to bypass locked files,” Bleeping Computer reports.

“Grixba will check for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. Also, the scanner checks for common office applications and DirectX, potentially to determine the type of computer being scanned... The second custom tool spotted by Symantec in Play ransomware attacks is VSS Copying Tool, which allows attackers to interact with the Volume Shadow Copy Service (VSS) via API calls.”

Takeaway: Custom automation tools like Grixba and the VSS Copying Tool make the task of identifying and exfiltrating sensitive data from victims prior to running the disruptive encryption payload all that much easier. Automation means more victims faster, which translates to more ransoms collected.

Attackers are also getting more efficient at exploitation of known vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences. We see evidence of this in the hundreds of organizations that have been hit by the Cl0p ransomware gang in just the last few weeks as they automated exploitation of a known vulnerability in the GoAnywhere software.  

We are also starting to see attacks exploiting a vulnerability in IBM Aspera Faspex, which could allow for a similar surge in victim organizations. And just last week, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for having some unique features like extremely fast encryption speeds, advanced security evasion, and some stealthy DLL side-loading.

Again, this week, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques by way of a custom-made PowerShell-based tool to automate data exfiltration on targeted networks.

The focus in ransomware attacks has always been on the delivery of the payload and the encryption of data and systems, with the occasional data loss. But since most ransomware attacks today first exfiltrate data, we need to start looking at these operations as straight-up data exfiltration attacks with some ransomware thrown in at the end of the attack.

These are multi-staged attacks, designed to infiltrate as much of the victim network as possible in order to exfiltrate sensitive data for extortion. This is where tools like Grixba and the VSS Copying Tool are being leveraged, long before the ransomware payload is delivered.

Given how much effort goes into persistence, lateral movement, stealth, security evasion, and data exfiltration, we are simply not putting enough emphasis on these earlier stages in today’s ransomware attacks. If the attackers have already exfiltrated the organization's most valuable data, then all those recovery efforts are limited because the attack has already been successful.

Resilience is key in developing a sound security posture, and organizations can limit the impact of a ransomware payload on operations with resilience planning, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the threat actors will honor any agreements even if they receive payment.

As attackers continue to automate efficiencies in the attack progression to exploit known vulnerabilities for initial access, improve stealthy payload delivery and evasion techniques, and exponentially improve encryption speeds, we may be in for a busy period for ransomware attacks as we move closer to summer.