CyberSecurityBoard
Sponsor Register Login

Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks

Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. "Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code," reads the CERT/CC bulletin. You can check if the blocklist is enabled by going to Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist and making sure the setting is enabled. While it is unclear what ransomware gangs are exploiting the Paragon flaw, BYOVD attacks have become increasingly popular among cybercriminals as they allow them to easily gain SYSTEM privileges on Windows devices. The vulnerable drivers were exploited in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges. "Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed. Microsoft has updated its 'Vulnerable Driver Blocklist' to block the driver from loading in Windows, so users and organizations should verify the protection system is active. As BioNTdrv.sys is a kernel-level driver, threat actors can exploit vulnerabilities to execute commands with the same privileges as the driver, bypassing protections and security software. Instead, threat actors include the vulnerable driver with their own tools, allowing them to load it into Windows and escalate privileges. A warning on Paragon Software's site also warns that users must upgrade Paragon Hard Disk Manager by today, as it utilizes the same driver, which will be blocked by Microsoft today. For this reason, it is important to enable the Microsoft Vulnerable Driver Blocklist feature to prevent vulnerable drivers from being used on your Windows devices.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 01 Mar 2025 19:10:10 +0000


Cyber News related to Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks

Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks - Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. "Microsoft has observed threat actors (TAs) exploiting this ...
1 month ago Bleepingcomputer.com CVE-2025-0289
10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
1 month ago Cybersecuritynews.com
Windows 10 KB5034441 security update fails with 0x80070643 errors - Windows 10 users worldwide report problems installing Microsoft's January Patch Tuesday updates, getting 0x80070643 errors when attempting to install the KB5034441 security update for BitLocker. Windows 10 creates a recovery partition, usually around ...
1 year ago Bleepingcomputer.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 day ago Cybersecuritynews.com
ICE Signs $2 Million Contract With Spyware Maker Paragon Solutions | WIRED - Measures have included placing spyware vendors like NSO Group and Intellexa on the so-called Entity List to prevent any US companies from doing business with them; enacting a visa restriction policy against multiple individuals “who have been ...
6 months ago Wired.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
1 year ago Malwarebytes.com Scattered Spider LockBit
Declining Ransomware Payments: Shift in Hacker Tactics? - Several cybersecurity advisories and agencies recommend not caving into ransomware gangs' demands and paying their ransoms. It seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean ...
1 year ago Securityboulevard.com
How ransomware gangs are engaging - As ransomware gangs continue to market themselves as legitimate businesses complete with customer service representatives, new research from Sophos showed that threat actors are expanding public relations efforts to further pressure victims into ...
1 year ago Techtarget.com LockBit Snatch
Paragon Spyware Exploited WhatsApp Zero-day Vulnerability to Attack High-value Targets - Researchers have uncovered extensive evidence linking Israeli firm Paragon Solutions to a sophisticated spyware operation that exploited a zero-day vulnerability in WhatsApp to target journalists and civil society members. The investigation confirmed ...
2 weeks ago Cybersecuritynews.com
WhatsApp patched zero-click flaw exploited in Paragon spyware attacks - Citizen Lab also mapped out the server infrastructure used by Paragon to deploy the Graphite spyware implants on targets' devices, finding potential links to multiple government customers, including Australia, Canada, Cyprus, Denmark, Israel, and ...
2 weeks ago Bleepingcomputer.com
Paragon Partition Manager Vulnerabilities Let Attackers Escalate Privilege & Trigger DoS Attacks - Here the security analysts at Carnegie Mellon University noted that the most concerning aspect of these vulnerabilities is that they can be exploited even if Paragon Partition Manager isn’t installed on the target system, through a technique ...
1 month ago Cybersecuritynews.com CVE-2025-0286
Ransomware review: January 2024 - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. February didn't ...
1 year ago Malwarebytes.com LockBit Black Basta
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
Targeting homeowners' data - As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks. Finland is also warning of Akira ransomware increasingly targeting ...
1 year ago Bleepingcomputer.com LockBit Akira
Ransomware review: December 2023 - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top ...
1 year ago Malwarebytes.com LockBit Rhysida Meow Ransomedvc
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
1 year ago Techrepublic.com
The Week in Ransomware - Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article. BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have ...
1 year ago Bleepingcomputer.com LockBit Qilin Noescape
Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware - COMMENTARY. The US government is ramping up efforts to stem the increasingly disruptive scourge of ransomware attacks. The State Department recently offered up to $15 million for information on LockBit, and $10 million for information on the ...
11 months ago Darkreading.com LockBit
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
Dozens of countries will pledge to stop paying ransomware gangs - An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. Addressing reporters on Monday, Anne Neuberger, ...
1 year ago Bleepingcomputer.com
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
1 year ago Blog.checkpoint.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
Ransomware's appetite for US healthcare sees known attacks double in a year - Following the February 21 attack on Change Healthcare, scores of people in the US have been living with the brutal, real-world effects of ransomware. It has also created skyrocketing pharmacy bills, pushed some healthcare providers to the edge of ...
1 year ago Malwarebytes.com Rocke LockBit
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)