Play ransomware gang uses custom Shadow Volume Copy data-theft tool
2023-04-19 10:00

The Play ransomware group has developed two custom tools in.

The two tools enable attackers to enumerate users and computers in compromised networks, gather information about security, backup, and remote administration software, and easily copy files from Volume Shadow Copy Service to bypass locked files.

The first tool saves all collected data in CSV files, compresses them into a ZIP archive, and then exfiltrates the archive to the attackers' C2 server, giving them vital information for planning the next steps of the attack.

The second custom tool spotted by Symantec in Play ransomware attacks is VSS Copying Tool, which allows attackers to interact with the Volume Shadow Copy Service via API calls using a bundled AlphaVSS.NET library.

Volume Shadow Copy Service is a Windows feature that allows users to create system snapshots and backup copies of their data at specific points in time and restore them in case of data loss or system corruption.

The VSS Copying Tool enables Play ransomware to steal files from existing shadow volume copies even when those files are in use by applications.


News URL

https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/