LetsAskBinu.com
Play Ransomware Attacks Utilize New Custom Tools

By Researcher | April 19, 2023 | Cybersecurity

Researchers have discovered two new custom tools being leveraged in Play ransomware attacks, as different threat actors increasingly adopt proprietary tools in order to gain a competitive advantage and better tailor their attacks to victims’ environments.

Symantec’s threat hunter team found the group behind the Play ransomware using a custom network-scanning tool, Grixba, to enumerate all computers and users in the domain, along with a .NET executable that lets attackers copy files from the Volume Shadow Copy Service (VSS), files that are normally locked by the operating system.

“The use of proprietary tools… gives ransomware operators more control over their operations,” said researchers in a Wednesday analysis. “If a tool is widely available, it can be reverse-engineered or adapted by other attackers, potentially weakening the initial attack’s effectiveness. By keeping their tools proprietary and exclusive, ransomware gangs can maintain their competitive advantage and maximize their profits.”

The Balloonfly group that develops the Play ransomware, which launched in June 2022, has carried out several double extortion attacks, including a recent cyberattack on the city of Oakland, Calif. The group has previously targeted Microsoft Exchange flaws, such as an elevation-of-privilege bug (CVE-2022-41080) and a remote code execution flaw (CVE-2022-41082).

The group does not appear to operate Play as a ransomware-as-a-service, and the custom tools uncovered this week can give it a competitive advantage over other groups. Balloonfly built both tools with Costura, a popular .NET development tool that embeds an application’s dependencies into a single executable.

The .NET Grixba infostealer checks for and enumerates installed software, remote administration tools, several security programs and more, and compiles this information for exfiltration. The other tool leverages the AlphaVSS library – a .NET framework for interacting with VSS – to copy files out of VSS snapshots prior to encryption.

More groups are shifting away from publicly available tools or simple scripts to instead use fully custom tools, including the Exmatter data exfiltration tool used in several 2021 BlackMatter ransomware attacks, the custom data exfiltration tool Exbyte developed last year by BlackByte, and a PowerShell-based tool used by Vice Society.

Custom exfiltration tools like these speed up attacks, but, as the Play ransomware tools show, they can also increase the complexity and capabilities of attacks, said Dick O’Brien, principal intelligence analyst for the Symantec threat hunter group.

“It’s possible that attacks are becoming ever more complex to perform thus necessitating the automation of some steps,” said O’Brien. “Things like copying locked files are something we’re not sure if attackers would have bothered doing a few years ago.”

Beyond exfiltration tools, threat actors have been developing other kinds of toolsets to extend their attack chain and add further layers of complexity to their attacks. Since 2022, for instance, a subgroup of the known Iranian actor APT35 has been using two custom implants to persist in compromised environments, evade detection and deploy second-stage malware.

“In some ways, it may be a positive sign because it suggests attackers are feeling that heat and too many attacks are being uncovered before they can be completed,” said O’Brien. “We’re also seeing attackers put a greater degree of effort into attempting to disable security software, which also suggests that they’re being stymied more frequently.”