VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231)
Play ransomware operators are known to use a custom tool that serves as an interface for interacting with Windows Volume Shadow Copy Service ("VSS") over APIs. The tool can enumerate and copy files and folders in a VSS snapshot prior to encryption to serve as backups. [Symantec Play Ransomware April 19 2023]
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Play (60f686d0-ae3d-5662-af32-119217dee2a7) | Tidal Groups | VSS Copying Tool (Play Ransomware) (a3ebc075-c87b-4400-9498-09bb95d47231) | Tidal Software | 1 |