The Play ransomware gang has exploited a high-severity Windows Common Log File System (CLFS) flaw, tracked as CVE-2025-29824, in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
Microsoft linked these attacks to the RansomEXX ransomware gang, saying the attackers installed the PipeMagic backdoor malware, which was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and leave ransom notes after encrypting files.
"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," Microsoft said in April.
Since then, Symantec's Threat Hunter Team has also found evidence linking the attacks to the Play ransomware-as-a-service operation, saying the attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a U.S. organization's network.
"Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation," Symantec said.
The Grixba custom network-scanning and information-stealing tool was first spotted two years ago, and Play ransomware operators typically use it to enumerate users and computers in compromised networks.
The Play cybercrime gang surfaced in June 2022 and is also known for double-extortion attacks, in which its affiliates pressure victims into paying ransoms to avoid having their stolen data leaked online.
In December 2023, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC), warning that the Play ransomware gang had breached the networks of around 300 organizations worldwide as of October 2023.
Previous notable Play ransomware victims include cloud computing company Rackspace, car retailer giant Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 07 May 2025 14:49:59 +0000