Ransomware hackers target a new Windows security flaw to hit businesses
- Multiple ransomware groups seen abusing Windows Common Log File System bug
- Among the abusers are RansomEXX and Play
- The bug is used to drop backdoors, encryptors, and more
Notorious ransomware actors have been abusing a zero-day vulnerability in the Windows Common Log File System to gain system privileges and deploy malware on target devices, multiple security researchers have confirmed.
The zero-day flaw was discovered, and patched, as part of the Microsoft Patch Tuesday April 2024 cumulative update.
Given a severity score of 7.8/10 (high), it is tracked as CVE-2025-29824, and described as a use after free bug in Windows Common Log File System Driver that allows an authorized attackers to elevate privileges locally.
Chats leaked
Microsoft was among the first companies to sound the alarm on the bug, saying that hackers are using it to target IT and real estate firms in the US, financial organizations in Venezuela, software firms in Spain, and retailers in Saudi Arabia.
The researchers said the bug was used by a threat actor called RansomEXX, who used it to drop the PipeMagic backdoor and other malware, including an encryptor. However, Symantec also found Play, an infamous ransomware player, using the bug to access a US target.
“Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec explained in its report.
“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.”
Play, also known as Playcrypt, is a threat actor that emerged in mid-2022. In the first year and a half of its existence, it claimed roughly 300 victims, some of which were critical infrastructure organizations. In late 2023, the FBI, CISA, and other security agencies, published a joint security advisory, warning about the dangers posed by Play.
“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” the advisory read. “As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.”
Via BleepingComputer