Ransomware Archives

Tech Optimizer

April 16, 2025

Hackers find a way around built-in Windows protections

Windows Defender Application Control (WDAC) is a built-in security feature on Windows PCs that restricts the execution of unauthorized software by allowing only trusted applications. However, hackers have discovered multiple methods to bypass WDAC, exposing systems to malware and cyber threats. Techniques for bypassing WDAC include using Living-off-the-Land Binaries (LOLBins), DLL sideloading, and exploiting misconfigurations in WDAC policies. Attackers can execute unauthorized code without triggering alerts from traditional security solutions, enabling them to install ransomware or create backdoors. Microsoft operates a bug bounty program to address vulnerabilities in WDAC, but some bypass techniques remain unpatched for long periods. Users can mitigate risks by keeping Windows updated, being cautious with software downloads, and using strong antivirus software.

Tech Optimizer

April 13, 2025

Panda Dome review

Panda Security, a Spanish antivirus company, has introduced various cybersecurity innovations since its founding, including daily signature updates in 1998, behavioral monitoring in 2004, and cloud scanning in 2007. It offers several plans for home users: Panda Dome Essential, Advanced, Complete, and Premium, each with increasing features such as firewall protection, WiFi security, online shopping safeguards, and a Dark Web Scanner. All plans include a 30-day free trial. Panda Dome received an AAA award from SE Labs for a Total Accuracy Rating of 99% without false positives between October and December 2024, outperforming Microsoft Defender and Webroot but not achieving the perfect scores of Avast, Kaspersky, and McAfee. The AV-Test Product Review awarded Panda a score of 6/6 for protection and usability, and 5.5/6 for performance. However, Panda Free Antivirus had a higher number of false alarms in AV-Comparatives’ False Alarm Test. The Panda Dome Advanced plan, priced at .99 for the first year, includes parental controls and enhanced ransomware protection. It offers multiple scanning options and reasonable scan times. Its anti-ransomware features include behavior-based detection, file access control, and backup capabilities. Panda Dome Complete, priced at .99 for the first year, adds system cleanup tools and a password manager, allowing users to optimize system performance and securely manage passwords. It also includes file encryption and shredding features. Panda Dome Premium, priced at .99 for the first year, provides unrestricted VPN access, an update manager, and unlimited premium technical support. It allows secure browsing across over 60 countries for up to five devices and includes features to keep systems updated and secure.

Tech Optimizer

April 12, 2025

I abandoned third-party antivirus tools, and here’s what I do instead

The author has transitioned from using third-party antivirus solutions to relying on Windows Security, which is built into Windows 10 and 11, due to its effectiveness and lack of cost. They emphasize the importance of keeping Windows Security updated and performing regular virus scans for added peace of mind. Ransomware protection features, such as Controlled Folder Access, are highlighted as essential. The Microsoft PC Manager app is recommended for optimizing system performance and security. The author advocates for good security hygiene, including avoiding suspicious emails and enabling two-factor authentication, as effective practices to maintain security without third-party antivirus software.

Tech Optimizer

April 10, 2025

6 overlooked security practices I implemented at home and I regret not using sooner

- Safeguarding technology is crucial in the digital age due to potential threats from various devices. - Two-factor authentication (2FA) enhances online account security by requiring a second code sent to a phone, email, or authentication app. - Biometric verification methods and hardware authentication devices like YubiKeys can further enhance security. - Backup codes should be printed when setting up 2FA, and passkeys offer a passwordless solution for securing accounts. - Ransomware can lock users out of data until a ransom is paid, and Windows 10 and 11 have a feature called Controlled Folder Access (CFA) to protect essential folders. - Windows Security provides baseline protection for PCs, and users should regularly check for updates and conduct manual scans. - Microsoft's PC Manager utility enhances system security by offering features for storage and app management alongside virus scanning. - Securing web browsers is vital, with unique settings available in browsers like Microsoft Edge, Firefox, and Chrome to improve privacy and security. - Regularly clearing browsing history and keeping browsers updated helps mitigate risks from malware and phishing attacks. - Securing Wi-Fi routers involves changing the default admin password and SSID, using strong encryption like WPA3, and regularly updating firmware. - Custom firmware like DD-WRT or OpenWrt can enhance router security and functionality.

Winsage

April 10, 2025

Patch Tuesday leaves some users unable to login to Windows

A recent patch bundle released by Microsoft has caused login issues for some users of Windows Hello on Windows 11 and Server 2025, particularly those with System Guard Secure Launch or Dynamic Root of Trust for Measurement enabled. Affected users may need to reset their login PIN or biometric settings. The problematic patch is KB5055523, which addresses vulnerabilities including CVE-2025-29824, currently exploited by ransomware. Additionally, the March patch KB5053656 has been linked to various issues but also includes enhancements such as bug fixes and new features like Copilot+. Windows 10 users have now received a patch for the CVE-2025-29824 vulnerability.

Winsage

April 9, 2025

Microsoft patches zero-day actively exploited in string of ransomware attacks

Microsoft has addressed a zero-day vulnerability, CVE-2025-29824, exploited by the group Storm-2460, affecting the Windows Common Log File System (CLFS). This vulnerability has been linked to ransomware attacks on organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Storm-2460 has targeted firms in the IT and real estate sectors in the U.S., a financial institution in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. The exploitation allows attackers to escalate privileges from standard user accounts, facilitated by the PipeMagic malware, which has a CVSS score of 7.8. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. This month's security update is Microsoft's fourth addressing over 100 vulnerabilities in the past year, with 18 affecting Microsoft Office products classified as high-severity.

Winsage

April 9, 2025

Patch Tuesday fixes an exploited bug, but not for Windows 10

Microsoft's Patch Tuesday updates addressed over 120 vulnerabilities, including one actively exploited flaw (CVE-2025-29824) and 11 critical issues. CVE-2025-29824 is an elevation of privilege vulnerability in the Windows Common Log File System Driver, targeted by the group Storm-2460 to deploy ransomware called PipeMagic, affecting victims in the US, Spain, Venezuela, and Saudi Arabia. This vulnerability has a CVSS score of 7.8 and allows attackers to escalate privileges due to a use-after-free flaw. Patches for Windows Server and Windows 11 have been released, but Windows 10 users are still awaiting a fix, with Microsoft promising updates soon. Among the critical vulnerabilities addressed, all allow for remote code execution (RCE). Notable vulnerabilities include: - CVE-2025-26670: LDAP Client RCE, Critical, CVSS 8.1 - CVE-2025-27752: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-29791: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-27745: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27748: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27749: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27491: Windows Hyper-V RCE, Critical, CVSS 7.1 - CVE-2025-26663: Windows LDAP RCE, Critical, CVSS 8.1 - CVE-2025-27480: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-27482: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-26686: Windows TCP/IP RCE, Critical, CVSS 7.5 - CVE-2025-29809: Windows Kerberos Security Feature Bypass, Important, CVSS 7.1 Dustin Childs from ZDI noted that CVE-2025-29809 requires additional measures beyond standard patching. CVE-2025-26663 and CVE-2025-26670 are considered wormable, necessitating prompt updates, especially for networks exposing LDAP services. Adobe released over 50 fixes for vulnerabilities in products like Cold Fusion, After Effects, and Photoshop, with some issues in Cold Fusion classified as critical. AMD updated advisories regarding GPU access and various Ryzen AI software vulnerabilities.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

April 9, 2025

Windows Common Log File System 0-Day Vulnerability Exploited in the Wild

A critical zero-day vulnerability in the Windows Common Log File System (CLFS) driver, identified as CVE-2025-29824, is actively exploited, allowing attackers to elevate privileges to SYSTEM level and compromise system integrity. This flaw arises from a use-after-free issue within the CLFS driver, enabling local attackers to execute malicious code. Microsoft is aware of the exploitation and is working on a security update, but no immediate patch is available. The vulnerability affects multiple versions of Windows 10, including x64-based and 32-bit systems, and can lead to privilege escalation, data breaches, operational disruption, and malware deployment. Microsoft has classified this vulnerability as "Important" and urges organizations to apply patches promptly once available.

Winsage

April 9, 2025

Microsoft: Windows CLFS zero-day exploited by ransomware gang

Microsoft reported that the RansomEXX ransomware gang has been exploiting a critical zero-day vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, allowing them to gain SYSTEM privileges on targeted systems. This vulnerability stems from a use-after-free flaw and affects organizations in various sectors, including IT and real estate in the US, financial institutions in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft has released security updates for most affected Windows versions but has postponed patches for Windows 10 x64 and 32-bit systems. Customers running Windows 11, version 24H2, are not vulnerable to the exploitation. The RansomEXX group, also known as Storm-2460, uses the PipeMagic backdoor malware to facilitate the exploitation of CVE-2025-29824, alongside ransomware payloads. The group has targeted high-profile organizations, including GIGABYTE, Konica Minolta, the Texas Department of Transportation, Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.