Did you find Grixba or the VSS copying tool on your network? It means your network is about to be hit by ransomware

by time news

2023-04-21 03:30:34

Since it first appeared in June 2022, Play ransomware, also known as PlayCrypt and developed by a group called Balloonfly, has been responsible for a series of attacks that received significant media attention. Like most ransomware gangs today, Play runs double-extortion attacks: the attackers first exfiltrate data from the target network and only then encrypt it. The group initially targeted companies in Latin America, with a particular emphasis on Brazil, but quickly expanded its range of targets.

Play is known for exploiting a variety of vulnerabilities, including the Microsoft Exchange flaws CVE-2022-41080 and CVE-2022-41082, to achieve remote code execution (RCE) and gain a foothold in victim networks. The gang was also one of the first ransomware groups to use intermittent encryption: only part of each targeted file is encrypted, which makes the encryption of a victim's machines much faster while still leaving the data unrecoverable.

The Play ransomware gang is using two new custom tools, written by the group itself: one enumerates all users and machines on a compromised network, the other copies Volume Shadow Copy Service (VSS) data that the operating system would normally keep locked.

Grixba
Grixba (Infostealer.Grixba) was the first of the two tools discovered by Symantec's researchers. It is a network scanner used to enumerate all the users and machines that belong to the domain.

The .NET infostealer enumerates installed software and services using WMI, WinRM, Remote Registry and Remote Services, looking in particular for backup and security software, remote administration tools and other applications. The collected information is written to CSV files and packed into a ZIP archive, which the attackers then exfiltrate manually.

Grixba was built with Costura, a popular .NET tool that embeds all of an application's dependencies into a single executable. The program therefore no longer has to be shipped together with its dependencies in a separate step, which greatly simplifies distribution and deployment. Costura embeds the DLL costura.commandline.dll into the program, and Grixba uses it to parse its command line.

VSS Copying Tool
More recently the Play group was seen using another .NET executable which, like Grixba, was built with Costura.

In this case Costura is used to embed the AlphaVSS library into the executable. AlphaVSS is a .NET library that provides a high-level interface to VSS: through a set of managed APIs it lets .NET applications create, manage and delete snapshots and query information about existing snapshots, such as their size and status.

The program written by the Play operators uses AlphaVSS to copy files out of VSS snapshots: it walks every file and folder inside a snapshot and copies them to a destination directory. This lets the attackers pull data from VSS volumes on compromised machines before encryption takes place, including files the operating system would otherwise prevent them from copying because they are locked.
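The one structural trait the two tools share is that their dependencies are merged into the executable with Costura. The Python script below, an added example that is not from the article, from Symantec, or from the Play tooling, turns that trait into a triage heuristic: it looks for Costura-style manifest resource names inside a binary and flags costura.commandline.dll (the command-line parser the article ties to Grixba) and any bundled AlphaVSS assembly (the VSS copying tool). The resource-naming convention, the indicator labels and the sample byte blobs are assumptions constructed for this example; Costura is used by plenty of legitimate software, so a hit is a lead for analysis, not a verdict.

```python
"""Triage heuristic for Costura-packed .NET tools (added example, not the article's code)."""
from __future__ import annotations

import re
from pathlib import Path

# Costura.Fody merges each dependency into the host assembly as a .NET manifest
# resource named "costura.<assembly>.dll" (plus ".compressed" when it is
# deflate-packed).  Those names sit in the assembly's #Strings heap as plain
# UTF-8, so a byte-level regex is enough for a first pass.
# Assumption for this example: the naming convention above.  Confirm any hit
# with a real .NET metadata parser (ILSpy, dnSpy, ...) before acting on it.
COSTURA_RESOURCE = re.compile(
    rb"costura\.[a-z0-9_.\-]+?\.dll(?:\.compressed)?", re.IGNORECASE
)

# Embedded-dependency prefixes the article associates with each tool.
# The labels are ours, chosen for this example.
INDICATORS = {
    "grixba-like: Costura command-line parser": ("costura.commandline.dll",),
    "vss-copy-like: AlphaVSS bundled": ("costura.alphavss",),
}


def costura_resources(data: bytes) -> list[str]:
    """Distinct Costura-style resource names found in a blob, lower-cased and sorted."""
    return sorted({m.group(0).decode("ascii", "replace").lower()
                   for m in COSTURA_RESOURCE.finditer(data)})


def classify(data: bytes) -> dict[str, object]:
    """Return {is_pe, resources, matches} for the bytes of one file.

    Only PE files (MZ header) are inspected; anything else yields no resources.
    """
    is_pe = data[:2] == b"MZ"
    resources = costura_resources(data) if is_pe else []
    matches = [label for label, prefixes in INDICATORS.items()
               if any(r.startswith(p) for r in resources for p in prefixes)]
    return {"is_pe": is_pe, "resources": resources, "matches": matches}


def scan_file(path: str | Path) -> dict[str, object]:
    """Convenience wrapper: classify a file on disk."""
    return classify(Path(path).read_bytes())


# Constructed stand-ins (not real samples): an MZ header followed by the kind
# of #Strings heap fragment a Costura-packed assembly would contain.
SAMPLE_GRIXBA_LIKE = (
    b"MZ" + b"\x00" * 62
    + b"\x00<Module>\x00costura.commandline.dll.compressed\x00"
    + b"costura.example.helper.dll.compressed\x00System.Management\x00"
)
SAMPLE_VSS_LIKE = (
    b"MZ" + b"\x00" * 62
    + b"\x00costura.alphavss.common.dll.compressed\x00"
    + b"costura.alphavss.x64.dll.compressed\x00"
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 62 + b"\x00<Module>\x00System.Runtime\x00"

if __name__ == "__main__":
    for name, blob in [("grixba-like", SAMPLE_GRIXBA_LIKE),
                       ("vss-like", SAMPLE_VSS_LIKE),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, classify(blob))
```

Point scan_file at a directory of suspicious .NET binaries (for example everything dropped into a staging folder during an intrusion) and review whatever reports matches; an empty resources list on a packed or obfuscated sample proves nothing, because the heap can be encrypted or the names renamed.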

Ransomware gangs are increasingly turning to bespoke tools, which can be tailored to the environment of individual targets and make attacks faster and more effective. Keeping their tools confidential and restricting access to them helps these groups maintain a competitive advantage and increase their profits.


