Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

The Symantec Threat Hunter Team reported that attackers affiliated with the Play ransomware group (also known as Balloonfly or PlayCrypt) targeted an unnamed organization in the United States, likely using a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. Microsoft’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) identified that the exploitation activity has been attributed to a threat group called Storm-2460, which deploys the PipeMagic malware in ransomware campaigns. Threat actors linked to the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows prior to its patching on April 8, 2025. “Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access into privileged access,” Microsoft stated in its security advisory. While no ransomware payload was deployed in the discovered intrusion, the attackers utilized a custom information-stealing tool called Grixba, which has been previously associated with the Play ransomware operation. The group has previously developed custom tools like Grixba, which have been disguised as legitimate security software, including fake SentinelOne and Palo Alto Networks applications. The vulnerability, tracked as CVE-2025-29824, affects the Windows Common Log File System (CLFS) driver and allows attackers to elevate their privileges from standard user to full system access. This incident highlights the continuing evolution of ransomware tactics and the importance of prompt patching, especially for vulnerabilities that enable privilege escalation, which are critical components in ransomware attack chains. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The Play ransomware group, active since June 2022, is known for deploying double-extortion tactics, where sensitive data is exfiltrated prior to encryption. Organizations are strongly advised to apply the security updates released on April 8, 2025, especially for systems running vulnerable versions of Windows. Microsoft specifically mentioned that customers running Windows 11 version 24H2 are not affected by this vulnerability due to security mitigations already in place.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 07 May 2025 11:54:58 +0000


Cyber News related to Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
2 months ago Cybersecuritynews.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 month ago Cybersecuritynews.com
Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
11 months ago Securityaffairs.com CVE-2024-23222 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
10 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109 Rocke
The Limitations of Google Play Integrity API - This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. Google provides app attestation ...
1 year ago Securityboulevard.com
Play ransomware exploited Windows logging flaw in zero-day attacks - Previous notable Play ransomware victims include cloud computing company Rackspace, car retailer giant Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, American semiconductor supplier ...
2 weeks ago Bleepingcomputer.com CVE-2025-29824 RansomEXX
North Korean Kimsuky used a new Linux backdoor in recent attacks - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
1 year ago Securityaffairs.com CVE-2022-38028 CVE-2020-3259 CVE-2023-22515 APT28 APT29 BianLian
FBI Alarmed as Ransomware Strikes 300 Victims, Critical Sectors Under Siege - There was an advisory published late on Monday about the Play ransomware gang that was put out by the Federal Bureau of Investigation together with the US Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre. The ...
1 year ago Cysecurity.news CVE-2022-41040 CVE-2022-40802
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware - The Symantec Threat Hunter Team reported that attackers affiliated with the Play ransomware group (also known as Balloonfly or PlayCrypt) targeted an unnamed organization in the United States, likely using a public-facing Cisco Adaptive Security ...
2 weeks ago Cybersecuritynews.com CVE-2025-29824
10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
1 year ago Techtarget.com CVE-2023-0669 CVE-2023-34362 CVE-2023-36884 CVE-2023-4863 CVE-2023-41992 CVE-2023-41991 CVE-2023-41993 CVE-2023-22515
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
1 year ago Bleepingcomputer.com LockBit Akira Noescape
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
1 year ago Malwarebytes.com Scattered Spider LockBit
Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian
Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own - Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. The company addressed the security flaw on systems running macOS Monterey and macOS ...
1 year ago Bleepingcomputer.com CVE-2024-27834
newsletter Round 473 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-46747 CVE-2023-46748 CVE-2023-22515 APT29 Rocke BianLian
Impact of Remote Work and Cloud Migrations on Security Perimeters - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 CVE-2023-40044 APT29 BianLian
Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Microsoft fixes Windows zero-day exploited in QakBot malware attacks - Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the ...
1 year ago Bleepingcomputer.com CVE-2024-30051 CVE-2023-36033 RansomEXX Black Basta
newsletter Round 474 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Critical Fortinet's ...
11 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-49103 CVE-2023-22515 APT28 APT29 BianLian
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
1 year ago Bleepingcomputer.com Medusa Cuba STORMOUS
The Evolving Landscape of Ransomware Attacks - 1.7 million ransomware attacks are happening every day. Many people think the virus has locked their computer, but it is actually the ransomware that has locked all their files. As the name ransomware suggests they are after ransom. Stealing or ...
1 year ago Cyberdefensemagazine.com LockBit

Cyber Trends (last 7 days)