VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231)
Play ransomware operators are known to use a custom tool that serves as an interface for interacting with Windows Volume Shadow Copy Service ("VSS") over APIs. The tool can enumerate and copy files and folders in a VSS snapshot prior to encryption to serve as backups.[Symantec Play Ransomware April 19 2023]
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231) | Tidal Software | Play Ransomware Actors (6eb50f82-86cc-4eff-b1d1-66e1c6fd74f3) | Tidal Groups | 1 |