Ransomware Attackers Exploit New Windows Flaw, Targeting Businesses Nationwide


  • Various ransomware gangs have been exploiting a vulnerability in the Windows Common Log File System.

  • Included among the perpetrators are RansomEXX and Play.

  • The bug is used to drop backdoors, encryptors, and more.

Notorious ransomware actors have been exploiting a zero-day vulnerability in the Windows Common Log File System to obtain system privileges and deploy malware on target devices, several security experts have confirmed.

The zero-day flaw was discovered, and patched, as part of the Microsoft Patch Tuesday April 2024 cumulative update.

With a severity rating of 7.8 out of 10 (high), this issue is identified as CVE-2025-29824. It involves a use-after-free vulnerability within the Windows Common Log File System Driver, enabling authenticated attackers to gain elevated privileges when operating locally.


Chats leaked

Microsoft was one of the initial companies to raise concerns about the vulnerability, stating that attackers are exploiting it to target IT and real estate businesses in the U.S., financial entities in Venezuela, software corporations in Spain, and retail operations in Saudi Arabia.

Microsoft's researchers said the bug was used by a threat actor called RansomEXX, who used it to drop the PipeMagic backdoor and other malware, including an encryptor. Symantec, meanwhile, found Play, an infamous ransomware operation, using the same bug to access a US target.

“Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec explained in its report.

“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.”

Play, also known as Playcrypt, is a threat actor that emerged in mid-2022. In the first year and a half of its existence, it claimed roughly 300 victims, some of which were critical infrastructure organizations. In late 2023, the FBI, CISA, and other security agencies published a joint security advisory warning about the dangers posed by Play.

As stated in the advisory, since June 2022 the Play (or Playcrypt) ransomware gang has targeted numerous enterprises and essential services across North America, South America, and Europe. By October 2023, the FBI had identified around 300 organizations reportedly hit by these cybercriminals.

Via BleepingComputer
