The Play ransomware gang has exploited a high-severity Windows Common Log File System (CLFS) flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month's Patch Tuesday.
"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," Microsoft said in April.
Microsoft linked these attacks to the RansomEXX ransomware gang, saying the attackers installed the PipeMagic backdoor malware, which was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and drop ransom notes after encrypting files.
Since then, Symantec's Threat Hunter Team has also found evidence linking exploitation of this flaw to the Play ransomware-as-a-service operation, saying the attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a U.S. organization's network.
"Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation," Symantec said.
"Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks."
The Grixba custom network-scanning and information-stealing tool was first spotted two years ago, and Play ransomware operators typically use it to enumerate users and computers in compromised networks.
The Play cybercrime gang surfaced in June 2022 and is also known for double-extortion attacks, in which its affiliates pressure victims into paying ransoms to avoid having their stolen data leaked online.
In December 2023, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC), warning that the Play ransomware gang had breached the networks of around 300 organizations worldwide as of October 2023.
Earlier notable Play ransomware victims include cloud computing company Rackspace, car retail giant Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme.