Ransomware group behind Oakland attack strengthens capabilities with new tools, researchers say

The group known as PLAY is using custom tools researchers say allow it to be faster and more efficient when carrying out ransomware attacks.

The PLAY ransomware group — responsible for a recent attack on the city of Oakland, California, that forced a state of emergency — has developed two new custom data-gathering tools that allow it to more effectively carry out already crippling digital extortion campaigns, researchers said Wednesday.

Symantec’s Threat Hunter Team dubbed the tools “Grixba,” an information stealer that enumerates software and services in a targeted system, and VSS Copying Tool, which allows an attacker, prior to encryption, to copy a system’s Volume Shadow Copy Service (VSS) files that are normally locked by the operating system.

The tools are just the latest examples of ransomware gangs developing custom programs, the researchers said. “This is likely due to a number of reasons, such as making attacks more efficient and reducing dwell time,” they said. “Custom tools can be tailored to a specific target environment, allowing ransomware gangs to carry out attacks faster and more efficiently.”

Custom tools also allow for more control over operations, and a decreased likelihood that a group’s particular tooling will be either reverse engineered or adapted by other groups, which could weaken the initial attack’s effectiveness, the researchers noted.


The PLAY ransomware variant — named for the “.play” file extension it adds after encrypting a victim’s files and the single-word ransom note “PLAY” displayed to victims, along with an email address — first emerged in June 2022, according to a September 2022 analysis by Trend Micro. The group had an initial focus on Latin America, particularly Brazil, the Symantec researchers noted. PLAY was also part of an initial wave, in the fall of 2022, of ransomware variants employing intermittent or partial encryption, a technique that allowed for better detection evasion and faster encryption speeds, according to SentinelLabs’ Aleksandar Milenkoski and Jim Walter.

In August 2022, the group associated with the malware claimed responsibility for attacking Argentina’s Judiciary of Córdoba in what an Argentine news outlet called the “worst attack in history on public institutions” there, and the group was also behind the Feb. 10 attack on Oakland, which forced city leaders there to declare a state of emergency.

The PLAY ransomware variant has been observed in at least 20 attacks on both public and private entities around the world in just the last month, and at least 77 dating back to November 2022, according to data collected and maintained by, a service that monitors ransomware and data leak sites.
