The Play ransomware gang has exploited a high-severity Windows Common Log File System (CLFS) flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month's Patch Tuesday.
“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said in April.
Microsoft linked these attacks to the RansomEXX ransomware gang, saying the attackers installed the PipeMagic backdoor malware, which was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and leave ransom notes after encrypting files.
Since then, Symantec's Threat Hunter Team has also found evidence linking the exploit to the Play ransomware-as-a-service operation, saying the attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a U.S. organization's network.
“Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec said.
“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.”
The Grixba custom network-scanning and information-stealing tool was first spotted two years ago, and Play ransomware operators commonly use it to enumerate users and computers in compromised networks.
The Play cybercrime gang surfaced in June 2022 and is also known for double-extortion attacks, in which its affiliates pressure victims into paying ransoms to avoid having their stolen data leaked online.
In December 2023, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC), warning that the Play ransomware gang had breached the networks of around 300 organizations worldwide as of October 2023.
Previous notable Play ransomware victims include cloud computing company Rackspace, car retailer giant Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme.