Summary:
“The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. Grixba is a network-scanning and information-stealing tool used to enumerate users and computers in a domain. When performing the scan function, Grixba will check for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. Also, the scanner checks for common office applications and DirectX, potentially to determine the type of computer being scanned. It also supports a 'scan' mode that uses WMI, WinRM, Remote Registry, and Remote Services to determine what software runs on network devices. The tool saves all collected data in CSV files, compresses them into a ZIP archive, and then exfiltrates it to the attackers' C2 server, giving them vital info on how to plan the next steps of the attack. The second custom tool spotted by Symantec in Play ransomware attacks is VSS Copying Tool, which allows attackers to interact with the Volume Shadow Copy Service (VSS) via API calls using a bundled AlphaVSS .NET library. Volume Shadow Copy Service is a Windows feature that allows users to create system snapshots and backup copies of their data at specific time points and restore them in the case of data loss or system corruption. The VSS Copying Tool enables Play ransomware to steal files from existing shadow volume copies even when those files are in use by applications.” (Bleeping Computer, 2023).

Analyst comments:
Grixba and the VSS will allow Play actors to easily enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and copy/steal files from shadow volume copies. According to analysts at Symantec both tools were written using the Costura .NET development tool, which allows users to build standalone executables without any dependencies. As such, this makes it easier to deploy the tools on targeted systems. The development of custom tools indicates that Play actors are looking to increase the effectiveness and efficiency of their attacks.

Mitigation:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.

Source:
https://www.bleepingcomputer.com