Play Ransomware Crooks Weaponise New Windows Zero-Day, Hitting Targets from the US to Saudi Arabia
A rising tide of zero-day ransomware
Ransomware’s long-predicted decline isn’t materialising. Verizon’s freshly minted 2025 Data Breach Investigations Report shows that 5,365 confirmed breaches last year—44 per cent of the total—involved ransomware, up 37 per cent year on year.
That backdrop frames Microsoft’s disclosure of CVE-2025-29824, an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver. Before Redmond pushed a fix in its 9 April Patch Tuesday bundle, at least two criminal crews had already woven the bug into new Play-family ransomware campaigns.
How the attacks unfolded
- Storm-2460 & PipeMagic. Microsoft’s incident-response teams say the first wave was driven by a backdoor dubbed PipeMagic, pushed post-compromise by an actor it tracks as Storm-2460. Victims included IT and real-estate firms in the US, a retail chain in Saudi Arabia and a software house in Spain.
- Balloonfly’s false start. Symantec’s Threat Hunter Team has now documented a second, unsuccessful strike against an unnamed US organisation. Here, a group labelled Balloonfly (long associated with Play ransomware) ran the same zero-day but failed to detonate its final payload.
Both clusters exploited CVE-2025-29824 to hop from a low-privilege foothold to SYSTEM rights, clearing the way for Play’s double-extortion toolkit. Microsoft and Symantec note that the exploit code appears to have circulated privately ahead of the patch, suggesting an active underground market for CLFS weaponisation.
Why Play keeps paying
Play first grabbed headlines in 2022 for noisy “.PLAY” file extensions and phone-number ransom notes. Its operators have since evolved:
- Rapid customisation: Unlike industrial-scale RaaS brands, Play’s handlers iterate bespoke loaders—PipeMagic, Grixba, and others—tailored to each breach chain.
- Selective targeting: The campaign hit disparate verticals rather than one sector, pointing to opportunistic scanning for unpatched endpoints rather than supply-chain infiltration.
- Hybrid extortion: Even where encryption falters, Play shifts to pure data-leak blackmail—mirroring the broader 2025 trend towards more aggressive double-extortion tactics.
Patching remains the silver bullet—this time
The good news: CVE-2025-29824 was closed a month ago for all supported Windows builds. Organisations that applied April’s cumulative update are immune to this particular privilege-escalation avenue.
The bad: Symantec warns that “zero-day use by ransomware actors, while rare, is not unprecedented”—and Play’s rapid adoption shows how quickly criminal R&D now mirrors nation-state tradecraft.
Immediate defensive actions
- Verify April patches across Windows Server 2012 R2 through Windows 11 23H2; Windows 11 24H2 is unaffected.
- Hunt for PipeMagic-style loaders. Look for abnormal dllhost.exe spawns, CLFS driver calls and outbound DNS over HTTPS.
- Lock down credential stores. Both Storm-2460 and Balloonfly dump LSASS to escalate laterally.
- Rehearse incident playbooks that assume data theft occurs before encryption—the default in 2025’s ransomware economy.
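A minimal hunt over process telemetry for two of the indicators listed above (abnormal dllhost.exe spawns and LSASS access), as an added example that is not from the article nor from Microsoft or Symantec. The event records are constructed and use a simplified dict form modelled on Sysmon ProcessCreate (EventID 1) and ProcessAccess (EventID 10) field names; the expected-parent set and the LSASS allow-list are assumptions to tune per estate.

```python
"""Hunt for abnormal dllhost.exe parents and unexpected LSASS access.

Added example, not the article's own code. Events are constructed and
modelled on Sysmon ProcessCreate (EventID 1) / ProcessAccess (EventID 10).
"""

# Assumption: a COM surrogate (dllhost.exe) is normally started by the
# DcomLaunch service host; any other parent deserves a look.
EXPECTED_DLLHOST_PARENTS = {r"c:\windows\system32\svchost.exe"}

# Assumption: processes that may legitimately open LSASS in a typical
# estate. Tune this allow-list to your own baseline.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def _norm(path):
    """Case-fold a Windows path so allow-list lookups are case-insensitive."""
    return path.lower()


def hunt(events):
    """Return (rule, offending_image) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1 and _norm(ev["Image"]).endswith("\\dllhost.exe"):
            if _norm(ev["ParentImage"]) not in EXPECTED_DLLHOST_PARENTS:
                findings.append(("abnormal-dllhost-parent", ev["ParentImage"]))
        elif ev.get("EventID") == 10 and _norm(ev["TargetImage"]).endswith("\\lsass.exe"):
            if _norm(ev["SourceImage"]) not in LSASS_ALLOWED_SOURCES:
                findings.append(("lsass-access", ev["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Against the constructed sample, the svchost-spawned dllhost.exe and the wininit.exe LSASS handle pass quietly, while both events tied to the Temp-folder binary are flagged.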
The bigger question
With ransomware actors now routinely burning zero-days once thought the preserve of APTs, is the industry’s “patch-and-pray” paradigm enough—or do defenders need to rethink trust at the kernel level? The Play campaign may have been blunted by an April update, but the speed with which criminals weaponised CVE-2025-29824 proves they’ll keep digging for the next CLFS-style chink in Windows’ armour.
For now, the lesson is brutally simple: patch early, patch everywhere, and assume the crooks are already testing tomorrow’s zero-day today.