{
	"id": "350735ca-6988-4482-8096-39be700ad201",
	"created_at": "2026-04-06T01:29:32.807459Z",
	"updated_at": "2026-04-10T13:12:20.233859Z",
	"deleted_at": null,
	"sha1_hash": "f57b1f2b1ef0bee5d8e68e2b0e4662cf9b37ddf0",
	"title": "Play Ransomware Group Using New Custom Data-Gathering Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68441,
	"plain_text": "Play Ransomware Group Using New Custom Data-Gathering Tools\r\nArchived: 2026-04-06 01:07:57 UTC\r\nThe Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.\r\nGrixba\r\nThe first tool found by researchers at Symantec, by Broadcom Software, was Grixba (Infostealer.Grixba), which is a network-scanning tool used to enumerate all users and computers in the domain.\r\nThe threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Services. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the gathered information in CSV files that are compressed into a ZIP file for subsequent manual exfiltration by the threat actors.\r\nThe Play ransomware gang developed Grixba using Costura, a popular .NET development tool for embedding an application's dependencies into a single executable file. This eliminates the requirement for the program and its dependencies to be deployed separately, making it easier to share and deploy the application. Costura embeds into applications the DLL file costura.commandline.dll, which is used by Grixba to parse command lines.\r\nAn analysis of a Grixba sample by Symantec revealed the following help message and functionality:\r\nHelp message\r\nScanall mode\r\nThe Scanall mode enumerates software and services via WMI, WinRM, Remote Registry, and Remote Services. It then checks for the existence of the following security programs:\r\nDefence\r\nDefender\r\nEndpoint\r\nAntiVirus\r\nBitDefender\r\nKaspersky\r\nNorton\r\nAvast\r\nWebRoo\r\nhttps://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy\r\nPage 1 of 6\n\nESET\r\nMalware\r\nDefender\r\nSophos\r\nTrend\r\nSymantec Endpoint Protection\r\nSecurity\r\nMcAfee\r\nTotalAV\r\npcprotect\r\nscanguard\r\nCrowdstrike\r\nHarmony\r\nSentinelOne\r\nMVISION\r\nWithSecure\r\nWatchGuard\r\nFireEye\r\nFSecure\r\nCarbon Black\r\nHeimdal\r\nHitmanPro\r\nVIPRE\r\nAnti-Virus\r\nDeepArmor\r\nMorphisec\r\nDr.Web\r\nIt also checks for the existence of the following backup software:\r\nVeeam\r\nBackup\r\nRecovery\r\nSynology\r\nC2\r\nCloud\r\nDropbox\r\nAcronis\r\nCobian\r\nEaseUS\r\nParagon\r\nIDrive\r\nIt then checks for the existence of the following remote administration tools:\r\nVNC\r\nRemote\r\nAnyDesk\r\nTeamViewer\r\nNinjaOne\r\nZoho\r\nAtera\r\nConnectWise\r\nRemotePC\r\nGoTo Resolve\r\nGoToAssist\r\nSplashtop SOS\r\nBeyondTrust\r\nRemote Desktop Manager\r\nGetscreen\r\nAction1\r\nWebex\r\nAtlassian\r\nSurfly\r\nElectric\r\nPulseway\r\nKaseya VSA\r\nXMReality\r\nSightCall\r\nDameWare\r\nScreenMeet\r\nViewabo\r\nShowMyPC\r\nIperius\r\nRadmin\r\nRemote Utilities\r\nRemoteToPC\r\nFinally, it checks for the presence of any of the following programs:\r\nHitachi Storage Navigator Modular\r\n.NET\r\nOffice\r\nAdobe\r\nWord\r\nExcel\r\nJava\r\nOffice\r\nLearning\r\nDirectX\r\nPowerPoint\r\nThe malware then saves all the information in CSV files and, using WinRAR, compresses them to a file named export.zip.\r\nList of CSV files compressed by Grixba:\r\nalive.csv\r\nwm.csv\r\nsoft.csv\r\nall_soft.csv\r\nmount.csv\r\nusers.csv\r\nremote_svc.csv\r\ncached_RDP.csv\r\nScan mode\r\nScan mode is similar to Scanall mode, but scans for a subset of the programs covered by Scanall mode.\r\nClr mode\r\nClr mode deletes the logs from local and remote computers. It also enumerates the following registry keys:\r\nSYSTEM\\CurrentControlSet\\services\\eventlog\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\r\nIt uses the APIs \"EvtOpenLog\" and \"EvtClearLog\" to delete the logs and deletes the WMI activity logs from the event source \"Microsoft-Windows-WMI-Activity\".\r\nVSS Copying Tool\r\nThe Play ransomware gang was also recently observed using another .NET executable, which was also developed with the Costura tool.\r\nCostura embeds the library AlphaVSS into executables. The AlphaVSS library is a .NET framework that provides a high-level interface for interacting with VSS. The library makes it easier for .NET programs to interface with VSS by offering a set of controlled APIs. Developers can use these APIs to generate, manage, and delete shadow copies, as well as access information about existing shadow copies such as size and status.\r\nThe tool created by the Play ransomware operators uses AlphaVSS to copy files from VSS snapshots. The tool enumerates the files and folders in a VSS snapshot and copies them to a destination directory. The tool allows the attackers to copy files from VSS volumes on compromised machines prior to encryption. This allows the threat actors to copy files that would normally be locked by the operating system.\r\nPlay Ransomware Background\r\nPlay ransomware (also known as PlayCrypt), which is developed by a group Symantec tracks as Balloonfly, was launched in June 2022, and since then has been responsible for multiple high-profile attacks. Like most ransomware groups now, Play carries out double-extortion attacks, where the attackers exfiltrate data from victim networks before encrypting them. While the ransomware gang had an initial focus on organizations in Latin America, especially Brazil, it soon widened its targeting.\r\nPlay is known for targeting Microsoft Exchange vulnerabilities (CVE-2022-41080, CVE-2022-41082), as well as other flaws, to gain remote code execution (RCE) and infiltrate victim networks. The group was also one of the first ransomware groups to employ intermittent encryption, a technique that allows for faster encryption of victims’ systems. The tactic consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable.\r\nPlay is also notable as it doesn’t appear to operate as a ransomware-as-a-service, with Balloonfly seemingly carrying out the ransomware attacks as well as developing the malware.\r\nUse of Custom Tools on the Rise\r\nCustom tools are increasingly being used by ransomware gangs in their attacks. This is likely due to a number of reasons, such as making attacks more efficient and reducing dwell time. Custom tools can be tailored to a specific target environment, allowing ransomware gangs to carry out attacks faster and more efficiently. The use of proprietary tools also gives ransomware operators more control over their operations. If a tool is widely available, it can be reverse-engineered or adapted by other attackers, potentially weakening the initial attack's effectiveness. By keeping their tools proprietary and exclusive, ransomware gangs can maintain their competitive advantage and maximize their profits.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nNetwork\r\n137.220[.]49.66 – SystemBC C\u0026C\r\njusticeukraine.com – SystemBC C\u0026C\r\nSource: https://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy"
	],
	"report_names": [
		"play-ransomware-volume-shadow-copy"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9afb532d-6183-46ed-a638-595c9e49056b",
			"created_at": "2024-06-19T02:03:08.032166Z",
			"updated_at": "2026-04-10T02:00:03.700322Z",
			"deleted_at": null,
			"main_name": "GOLD ENCORE",
			"aliases": [
				"Balloonfly",
				"Fiddling Scorpius"
			],
			"source_name": "Secureworks:GOLD ENCORE",
			"tools": [
				"ADFind",
				"Bloodhound",
				"Cobalt Strike",
				"GMER",
				"Grixba",
				"Mimikatz",
				"Nekto",
				"Play",
				"Plink",
				"PowerTool",
				"Process Hacker",
				"PsExec",
				"SystemBC",
				"WinRAR",
				"WinSCP",
				"Winpeas"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438972,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f57b1f2b1ef0bee5d8e68e2b0e4662cf9b37ddf0.pdf",
		"text": "https://archive.orkl.eu/f57b1f2b1ef0bee5d8e68e2b0e4662cf9b37ddf0.txt",
		"img": "https://archive.orkl.eu/f57b1f2b1ef0bee5d8e68e2b0e4662cf9b37ddf0.jpg"
	}
}