Ransomware Archives

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.

Winsage

May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.

Winsage

May 6, 2025

Expanding the Surface for Business Copilot+ PC portfolio

AI has evolved into a transformative force for organizations, increasing the demand for secure and high-performance AI-ready Windows 11 PCs. Microsoft has introduced Copilot+ PCs, including the new 12-inch Surface Pro and 13-inch Surface Laptop, both powered by the Snapdragon X Plus processor with an integrated neural processing unit (NPU) capable of 45 trillion operations per second. The 13-inch Surface Laptop offers up to 23 hours of video playback and 16 hours of web browsing, with performance enhancements of up to 50% faster speeds and double the battery life compared to its predecessor. It features an AI-enhanced 1080p front camera for video conferencing and a durable design. The 12-inch Surface Pro is the thinnest and lightest Copilot+ PC, providing 50% faster performance and up to 16 hours of local video playback. Both devices are designed as Secured-core PCs with advanced security features, including Windows Hello for Business and biometric authentication options. They support enhanced productivity through AI features in Windows 11 and Microsoft 365 Copilot, enabling faster file searches and improved team efficiency. Microsoft emphasizes sustainability with the use of recycled materials and energy-efficient designs. The new devices will be available starting July 22 in select markets.

Tech Optimizer

May 6, 2025

Databricks reportedly could acquire serverless database startup Neon for $1B+

Databricks Inc. is in advanced discussions to acquire Neon Inc., a startup specializing in a commercial version of the open-source PostgreSQL database, with the deal anticipated to exceed billion. Neon, based in San Francisco, has raised over 0 million in funding, including contributions from Microsoft's M12 fund. Neon’s PostgreSQL distribution features a serverless architecture that dynamically adjusts hardware resources based on workload demands, allowing for separate provisioning of storage and processing power. It also includes an innovative connection pooling feature to minimize resource drain when establishing network connections. Neon enhances its offering with a cybersecurity tool for granular user access control and the ability to revert databases to previous states in case of data loss. Databricks' interest in Neon may be linked to its suitability for AI applications, as it supports vector storage and can provision new database instances in as little as one second. Databricks has been actively pursuing acquisitions to enhance its AI capabilities, including recent purchases of Fennel AI Inc., Lilac AI Inc., and MosaicML Inc.

Tech Optimizer

May 5, 2025

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, an e-commerce store specializing in handmade home décor, experienced a cybersecurity incident involving a malware strain called Chimera. The attack began during a routine update to their inventory management system and escalated within 12 hours, resulting in halted customer orders, locked employee accounts, and a crashed website. The attackers demanded a ransom of 0,000 in cryptocurrency, threatening to expose sensitive customer data. Chimera is an AI-driven malware that adapts its code to evade detection, targeting both Windows and macOS systems. It exploited a zero-day vulnerability in Windows' Print Spooler service and bypassed macOS security measures by forging code signatures. The malware used social engineering tactics to deceive employees into activating malicious payloads, leading to compromised systems and encrypted customer data. The recovery process took 48 hours, utilizing cybersecurity tools like CrowdStrike Falcon and SentinelOne Singularity to identify and isolate the malware. Data restoration was achieved through Acronis Cyber Protect and macOS Time Machine, while vulnerabilities were addressed with Qualys and emergency patch deployment via WSUS. The network security framework was improved using Cisco Umbrella and Zscaler Private Access to implement a Zero Trust architecture. The incident highlights the need for small enterprises to adopt proactive cybersecurity strategies, including a 3-2-1 backup approach, Zero Trust models, investment in AI-driven defense tools, and employee training to recognize social engineering attempts.

Tech Optimizer

May 3, 2025

Use Protection: 6 Tips to Watch Porn Online Safely

Seventeen U.S. states have enacted age verification laws that effectively prohibit adult websites from operating within their jurisdictions. The use of Incognito Mode can help hide browsing history, but it is not completely secure as data may still be retained by Google. Data theft is a risk when engaging with adult content, especially if personal information is shared on pornographic sites. Using a VPN can enhance anonymity, but it does not protect against voluntarily shared information. Privacy services like IronVest can help create disposable email addresses and phone numbers. Ads on adult websites can contain malware, making antivirus software important for protection. Trusted pornographic sites typically prioritize user privacy and security, so caution is advised when choosing platforms.

Tech Optimizer

May 2, 2025

The Pillars of AI-Driven Security

The cybersecurity landscape has shifted from traditional methods like firewalls and antivirus software to more sophisticated, AI-driven strategies. The 2024 Verizon Data Breach Investigations Report identifies ransomware as a leading attack type, with a median time to compromise now measured in hours. The attack surface is expanding due to remote work, cloud adoption, and IoT devices, while traditional security measures struggle to keep up. AI enhances security across three domains: prevention, detection, and response. 1. Prevention: AI distinguishes between legitimate and suspicious activities, improving predictive accuracy and enabling proactive defenses against attacks. AI models can identify zero-day malware and fileless attacks by focusing on behavior. 2. Detection: AI-powered tools like SIEM systems analyze vast amounts of data to identify risks and suspicious patterns in near real-time, reducing false positives and highlighting low-and-slow attacks and insider threats. 3. Response: AI automates rapid containment and remediation actions, allowing human analysts to focus on more complex tasks. Generative AI can assist in drafting incident reports and suggesting remediation measures. AI-driven security offers scale and efficiency, reducing breach costs significantly for organizations that utilize it. AI models adapt to evolving threats, and AI tools help bridge the cybersecurity skills gap. However, challenges include potential biases in AI models, the need for talent and change management, and privacy concerns. Organizations are encouraged to adopt AI-driven security as a core component of their digital defense strategy to improve risk posture and threat response.

Tech Optimizer

May 2, 2025

McAfee+ Premium antivirus review

McAfee+ Premium offers comprehensive antivirus protection without device restrictions under a single account. It includes features such as an unrestricted VPN, True Key password manager, file shredder, and cleanup tools. The pricing is higher compared to some competitors, with an Essential subscription available for .99 annually, covering five devices. The Advanced package costs .99 and includes fraud protection and a credit bureau scan, while the Ultimate package is .99 and offers three credit bureau scans. Ransomware protection is included only in the Advanced and Ultimate packages. Performance tests show a malware detection accuracy of 99.96%, although it has a higher number of false positives compared to Bitdefender. The interface is user-friendly, and customer support is available 24/7 via chat, but email support is not offered.

Tech Optimizer

April 30, 2025

Malwarebytes Launches Global Strategic Partner Program Offering Organizations a One-stop Shop for Personal Security, Privacy, and Identity Solutions

Malwarebytes has launched a partnership initiative aimed at providing financial institutions, HR benefit providers, and internet service providers with personal security, privacy, and identity solutions in response to rising online fraud, which has led to financial losses of .5 billion over the past year for one in three individuals. The program offers AI-powered consumer security solutions to protect devices from various threats and allows partners to choose from a range of options or create custom solutions. Key features include a comprehensive cybersecurity platform, advanced mobile security, and flexible integration options. Eero is one of the first partners to integrate Malwarebytes Premium Security into its eero Plus subscription service, enhancing online security for its subscribers.