Skip to content

Hide Navigation Hide TOC

VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231)

Play ransomware operators are known to use a custom tool that serves as an interface for interacting with Windows Volume Shadow Copy Service ("VSS") over APIs. The tool can enumerate and copy files and folders in a VSS snapshot prior to encryption to serve as backups.[Symantec Play Ransomware April 19 2023]

Cluster A Galaxy A Cluster B Galaxy B Level
Play (60f686d0-ae3d-5662-af32-119217dee2a7) Tidal Groups VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231) Tidal Software 1
Play Ransomware Actors (Deprecated) (6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3) Tidal Groups VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231) Tidal Software 1