Threat actors linked to the Play ransomware family exploited a recent Microsoft Windows zero-day vulnerability (CVE-2025-29824) to carry out an attack on an unknown U.S. organization. The attack involved privilege escalation, information theft, and artifacts indicative of exploitation, but no ransomware payload was deployed. (Affected: Unspecified organization)
Key points:
- Play ransomware actors exploited a privilege escalation flaw in Microsoft Windows (CVE-2025-29824) as a zero-day in a targeted attack, before Microsoft's patch was widely deployed.
- The attack likely used a Cisco ASA as an entry point and involved deploying Grixba, an information stealer, disguised as Palo Alto Networks software.
- Exploit activity left log files on disk and injected DLLs into processes, which enabled privilege escalation and information gathering, with traces afterwards removed via batch files.
- No ransomware payload was delivered during this attack, but the exploitation indicates multiple threat actors may have accessed the vulnerability before its patch.
- This incident exemplifies the trend of ransomware groups using zero-days, similar to previously exploited flaws like CVE-2024-26169.
- Recent ransomware tactics include targeting domain controllers for rapid network-wide encryption, with over 78% of such attacks involving breaches of these critical systems.
- Emerging ransomware-as-a-service platforms like PlayBoy Locker and RansomHub, along with groups like DragonForce, are increasing the sophistication and scale of ransomware campaigns targeting various sectors, including retail and financial organizations.
Read More: https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html