The Play ransomware gang has exploited CVE-2025-29824, a privilege-escalation vulnerability in the Windows Common Log File System (CLFS) driver, as a zero-day to gain SYSTEM privileges on hosts they had already compromised and to stage malware on them. Microsoft confirmed the flaw had been exploited in a limited number of attacks and fixed it in last month's Patch Tuesday release (April 2025).
Targeted Sectors and Attack Methods
According to Microsoft, exploitation of the flaw has hit organizations in several sectors and countries, including:
- Information technology (IT) and real estate in the United States
- The financial sector in Venezuela
- A Spanish software company
- The retail sector in Saudi Arabia
Microsoft attributed the activity it observed to a group deploying RansomEXX ransomware and noted that the attackers used the PipeMagic backdoor to stage the CVE-2025-29824 exploit. Once they held SYSTEM privileges, the attackers deployed the ransomware payload, encrypted files, and dropped ransom notes.
Separately, Symantec's Threat Hunter Team reported evidence tying exploitation of the same flaw to the Play ransomware-as-a-service operation. After gaining a foothold in a U.S. organization's network, the attackers ran a privilege-escalation exploit for the then-unpatched vulnerability. No ransomware payload was deployed in that intrusion, but the attackers did use Grixba, a custom infostealer associated with Balloonfly, the group behind Play ransomware.
The Evolution of Play Ransomware
Balloonfly has been active since at least June 2022, deploying Play ransomware (also known as PlayCrypt) in its operations. Grixba, a network-scanning and information-stealing tool first documented in 2023, is commonly used by Play operators to enumerate users and computers inside a compromised network.
The Play cybercrime group has gained notoriety for its double-extortion tactics, pressuring victims to pay ransoms to prevent the public release of stolen data. In December 2023, the FBI, in collaboration with CISA and the Australian Cyber Security Centre (ACSC), issued a joint advisory indicating that the Play ransomware gang had compromised the networks of approximately 300 organizations globally as of October 2023.
Notable victims of the Play ransomware include:
- Cloud computing provider Rackspace
- Car retailer Arnold Clark
- The City of Oakland, California
- Dallas County
- The Belgian city of Antwerp
- American semiconductor supplier Microchip Technology
- Doughnut chain Krispy Kreme
The practical point for defenders is that CVE-2025-29824 is a post-compromise privilege escalation: in every case described above the attackers already had a foothold, via PipeMagic or an earlier intrusion, before running the exploit. Applying the April 2025 update closes the path from a low-privileged foothold to SYSTEM, but it does not stop the initial access, so organizations should both confirm the patch is installed across their Windows estate and hunt for the tooling that precedes it, such as PipeMagic and Grixba's network enumeration.
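The following PowerShell triage script is an added example, not part of the original article or of any vendor's tooling. It assumes the CVE-2025-29824 fix shipped in the Patch Tuesday release of 8 April 2025 and uses two heuristics a responder can run quickly on a Windows host: whether any update has been installed on or after that date, and the version and modification time of the installed clfs.sys driver, which can then be compared against the fixed version Microsoft lists in its advisory for this CVE. It deliberately does not hardcode a KB number, because the article gives none and the KB differs per Windows build.

```powershell
# Added triage check (not from the article). Reports whether a Windows host
# appears to have received updates since the April 2025 Patch Tuesday that
# fixed CVE-2025-29824, and shows the installed CLFS driver version so it can
# be compared with the fixed version in Microsoft's advisory for this CVE.
# Assumptions: Patch Tuesday date 2025-04-08; Get-HotFix is a heuristic and
# does not prove a specific KB is present, so treat "LikelyUnpatched = False"
# as "needs version comparison", not as proof the host is fixed.

function Get-ClfsPatchStatus {
    [CmdletBinding()]
    param(
        # Date of the Patch Tuesday release that shipped the CVE-2025-29824 fix.
        [datetime]$PatchDate = [datetime]'2025-04-08'
    )

    # The vulnerable component is the CLFS kernel driver.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    $driver     = Get-Item -LiteralPath $driverPath

    # Updates installed on or after the patch date. An empty result is a strong
    # signal the host is unpatched; a non-empty result is only suggestive.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
        Sort-Object InstalledOn -Descending

    $latest = $null
    if ($recent) {
        $latest = '{0} ({1})' -f $recent[0].HotFixID, $recent[0].InstalledOn.ToShortDateString()
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSBuild            = [System.Environment]::OSVersion.Version.ToString()
        ClfsDriverPath     = $driverPath
        ClfsDriverVersion  = $driver.VersionInfo.FileVersion
        ClfsDriverModified = $driver.LastWriteTime
        UpdatesSincePatch  = @($recent).Count
        LatestUpdate       = $latest
        LikelyUnpatched    = (@($recent).Count -eq 0)
    }
}

# Run locally; for fleet triage wrap the call in Invoke-Command against a list
# of hosts and export the objects to CSV for comparison.
Get-ClfsPatchStatus | Format-List
```

Because Get-HotFix reads the Windows Update history on the host, it will not see updates delivered by some third-party patching tools; in that case the driver version and modification time are the fields to trust, checked against Microsoft's advisory for the host's build.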