Play ransomware group (Balloonfly) has been observed using new custom data-gathering tools to enumerate software, backups, and remote admin utilities, compress the collected data, and exfiltrate it for later leaking. The article also covers the VSS-based copy technique, log deletion, and the group’s broader modus operandi and history. #PlayRansomware #Balloonfly #SystemBC #AlphaVSS
Keypoints
- The Scan mode enumerates software and services via WMI, WinRM, Remote Registry, and Remote Services, then checks for the existence of numerous security programs.
- It also checks for backup software and remote administration tools, compiling results into CSV files (e.g., alive.csv, wm.csv) and compressing them into export.zip with WinRAR.
- Scanall mode extends the scanning to a broader list of programs.
- Clr mode deletes logs on local and remote machines, enumerates registry keys, and uses EvtOpenLog/EvtClearLog to wipe event logs (including WMI logs).
- A VSS Copying Tool uses the AlphaVSS library (via Costura) to copy files from VSS snapshots, enabling access to files that would otherwise be locked during encryption.
- Play ransomware (PlayCrypt/Balloonfly) employs double-extortion tactics, exploits known CVEs to gain initial access, and has used intermittent encryption to speed up encryption while hindering recovery.
- Use of custom tools is rising among ransomware groups to improve efficiency and reduce dwell time, giving operators more control and a competitive edge.
- Indicators of Compromise include multiple SHA-256 hashes for Play ransomware, SystemBC, Infostealer.Grixba, NetScan, and VSS-related tools, plus network indicators (IP and domain) tied to SystemBC C2 infrastructure.
MITRE Techniques
- [T1518] Software Discovery – The malware enumerates installed software and backup/remote admin tools via WMI, WinRM, Remote Registry, and Remote Services. “The Scan mode enumerates software and services via WMI, WinRM, Remote Registry, and Remote Services.”
- [T1021] Remote Services – Uses remote services/administrative channels to enumerate and interact with remote systems as part of the software/asset discovery process. “The Scan mode enumerates… Remote Services.”
- [T1012] Query Registry – Checks for the existence of security programs and other software by querying the registry. “It then checks for the existence of the following security programs…”
- [T1560] Archive Collected Data – Compresses collected CSV data into a single archive (export.zip) using WinRAR. “compresses them to a file named export.zip.”
- [T1070.001] Clear Windows Event Logs – Clr mode deletes logs on local and remote computers and clears WMI activity logs. “It uses the APIs ‘EvtOpenLog’ and ‘EvtClearLog’ to delete the logs…”
- [T1486] Data Encrypted for Impact – Encrypts data on targeted systems; the article notes intermittent encryption to speed up the encryption phase. “intermittent encryption, a technique that allows for faster encryption…”
- [T1005] Data from Local System – Copies files from VSS snapshots prior to encryption via a VSS-copying tool, retrieving data that might be locked. “copies files from VSS snapshots… to a destination directory.”
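The Clr mode described above (T1070.001) wipes many event logs on a host in one sweep, which Windows itself records: clearing the Security log produces Security Event ID 1102, and clearing any other log produces System Event ID 104. The following detection, added here as an example and not part of the article or the group’s tooling, correlates those records per host and flags a burst of distinct logs cleared inside a short window; the event records are constructed sample data, and the host names, window and threshold are assumptions.

```python
"""Flag hosts where several event logs were cleared within a short window (T1070.001)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows records log clearing as two well-known events:
#   Security log cleared  -> channel "Security", Event ID 1102
#   any other log cleared -> channel "System",   Event ID 104 (Microsoft-Windows-Eventlog)
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample records (not from the article). HOST-A shows a Clr-mode-like sweep
# wiping four logs, including the WMI activity log, within seconds; HOST-B shows two
# isolated clears hours apart plus an unrelated service-state event.
SAMPLE_EVENTS = [
    {"host": "HOST-A", "time": "2024-01-10T03:00:01", "channel": "System", "id": 104,
     "cleared": "Microsoft-Windows-WMI-Activity/Operational"},
    {"host": "HOST-A", "time": "2024-01-10T03:00:02", "channel": "System", "id": 104,
     "cleared": "Application"},
    {"host": "HOST-A", "time": "2024-01-10T03:00:02", "channel": "Security", "id": 1102,
     "cleared": "Security"},
    {"host": "HOST-A", "time": "2024-01-10T03:00:03", "channel": "System", "id": 104,
     "cleared": "Microsoft-Windows-PowerShell/Operational"},
    {"host": "HOST-B", "time": "2024-01-10T09:15:00", "channel": "System", "id": 104,
     "cleared": "Application"},
    {"host": "HOST-B", "time": "2024-01-10T09:15:30", "channel": "System", "id": 7036,
     "cleared": ""},
    {"host": "HOST-B", "time": "2024-01-10T14:30:00", "channel": "Security", "id": 1102,
     "cleared": "Security"},
]


def find_log_wipes(events, window=timedelta(minutes=5), min_logs=3):
    """Return {host: sorted list of cleared logs} for hosts where at least `min_logs`
    distinct logs were cleared within any `window`-long span."""
    per_host = defaultdict(list)
    for ev in events:
        if (ev["channel"], ev["id"]) in CLEAR_EVENTS:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["cleared"]))
    hits = {}
    for host, recs in per_host.items():
        recs.sort()  # chronological, so each record can anchor a forward-looking window
        for i, (t0, _) in enumerate(recs):
            in_window = {name for t, name in recs[i:] if t - t0 <= window}
            if len(in_window) >= min_logs:
                hits[host] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for host, logs in find_log_wipes(SAMPLE_EVENTS).items():
        print(f"{host}: {len(logs)} logs cleared in one sweep -> {logs}")
```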
Indicators of Compromise
- [SHA256] context – 762bb8a7209da29afb89f7941ae1c00a04cf45a144c6c5dddcfa78ff0d941539 – Play ransomware, 86e4e23f9686b129bfb2f452acb16a4c0fda73cf2bf5e93751dcf58860c6598c – SystemBC malware, and 2 more hashes
- [Network] context – 137.220[.]49.66 – SystemBC C&C, justiceukraine.com – SystemBC C&C
- [File] context – export.zip, alive.csv, wm.csv (and 2 more CSVs listed in the article)