Security Articles

Play Ransomware impersonates SentinelOne for stealth recon

released on 2025-01-17 @ 03:07:11 PM
A Play ransomware intrusion that used a reconnaissance tool called Grixba was detected and blocked. The attack began with Grixba being deployed over RDP to a Windows server. The Grixba binary was disguised as legitimate SentinelOne software, a new tactic for this group. Grixba is an obfuscated .NET application that takes encoded command-line arguments and uses an XOR key to decrypt its embedded contents. It runs a series of scans against the environment and stores the results in a password-protected ZIP archive, with the collected data organized into 18 tables that describe the target environment in detail. Reconnaissance of this kind lets the operators pick targets precisely and increases the damage of the ransomware deployment that follows, so catching the tool early is key to breaking the attack chain before encryption starts.
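Two tells in this case are worth turning into a hunt: a binary whose version metadata claims to be SentinelOne but is not signed by the vendor or running from its install tree, and unsigned code launched from an RDP session out of a user-writable path. The script below is an added example, not code from the original report or from SentinelOne; the events are constructed Sysmon-style records, and the trusted signer name, install root and user-writable prefixes are assumptions to adjust per environment.

```python
"""Triage process-creation telemetry for the two tells in the Play/Grixba case.

Added example, not the report's own code. Events are constructed, not real
telemetry; TRUSTED_SIGNER, INSTALL_ROOT and USER_WRITABLE_PREFIXES are
assumptions to be tuned for the environment being hunted.
"""
from dataclasses import dataclass

# Assumption: the vendor's expected code-signing subject and install tree.
TRUSTED_SIGNER = "sentinel labs, inc."
INSTALL_ROOT = "c:\\program files\\sentinelone\\"
# Assumption: paths a non-admin can write to; code run from here deserves scrutiny.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RDP_LOGON_TYPE = 10  # Windows RemoteInteractive (RDP) logon


@dataclass
class ProcEvent:
    image: str          # full path of the executable
    company: str        # VERSIONINFO CompanyName
    description: str    # VERSIONINFO FileDescription
    signed: bool        # Authenticode signature present and valid
    signer: str         # subject of the signing certificate ("" if unsigned)
    logon_type: int     # logon type of the session that launched it
    parent_image: str


def claims_sentinelone(ev: ProcEvent) -> bool:
    """True if the file's own metadata or path presents it as SentinelOne."""
    text = f"{ev.company} {ev.description} {ev.image}".lower()
    return "sentinelone" in text or "sentinel agent" in text


def masquerade_reasons(ev: ProcEvent) -> list[str]:
    """Why a SentinelOne claim is not backed by the vendor signature or location."""
    reasons = []
    if not claims_sentinelone(ev):
        return reasons
    if not (ev.signed and ev.signer.lower() == TRUSTED_SIGNER):
        reasons.append("claims SentinelOne metadata but lacks the vendor signature")
    if not ev.image.lower().startswith(INSTALL_ROOT):
        reasons.append("claims SentinelOne metadata but runs outside the install tree")
    return reasons


def rdp_drop_reasons(ev: ProcEvent) -> list[str]:
    """Unsigned code started in an RDP session from a user-writable path."""
    if (ev.logon_type == RDP_LOGON_TYPE and not ev.signed
            and ev.image.lower().startswith(USER_WRITABLE_PREFIXES)):
        return ["unsigned binary launched in an RDP session from a user-writable path"]
    return []


def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each flagged image path to the reasons it was flagged."""
    findings = {}
    for ev in events:
        reasons = masquerade_reasons(ev) + rdp_drop_reasons(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


# Constructed sample telemetry (not from the incident): one genuine agent,
# one look-alike dropped over RDP, one signed system binary, one unsigned tool.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\SentinelOne\SentinelAgent.exe", "SentinelOne",
              "Sentinel Agent", True, "Sentinel Labs, Inc.", 5,
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Users\admin\Downloads\SentinelOne\SentinelAgent.exe", "SentinelOne",
              "Sentinel Agent", False, "", 10, r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "Microsoft Corporation",
              "Notepad", True, "Microsoft Windows", 10, r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Users\admin\AppData\Local\Temp\scan.exe", "", "", False, "", 10,
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The genuine agent passes both checks, the look-alike in Downloads is flagged three times (no vendor signature, wrong location, unsigned launch from an RDP session), and the anonymous Temp binary is caught by the RDP rule alone. Feeding real Sysmon Event ID 1 records into `ProcEvent` requires joining the signature fields from a file-scan source and the logon type from the 4624 event of the launching session; neither is in Event ID 1 itself.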