Two novel custom data-gathering tools are being leveraged by the Play ransomware operation in a bid to bolster its digital extortion attacks, according to CyberScoop. Aside from developing the Grixba information stealer that facilitates software and service enumeration, Play ransomware has also created the VSS Copying Tool to allow Volume Shadow Copy Service file copies, a report from Symantec's Threat Hunter Team showed. Play ransomware is believed to have developed custom tools to enhance attack efficiency and curb dwell times. "Custom tools can be tailored to a specific target environment, allowing ransomware gangs to carry out attacks faster and more efficiently," said researchers. While organizations in Latin America have been primarily targeted by Play ransomware since its emergence last June, the ransomware gang has since diversified its targets, launching 20 or more attacks around the world during the past month. Among its most recent victims was the City of Oakland, California, which declared a state of emergency following the attack.