- Multiple ransomware groups have been seen abusing a flaw in the Windows Common Log File System (CLFS)
- Among the abusers are RansomEXX and Play
- The flaw is used to drop backdoors, encryptors and more
Notorious ransomware actors have been abusing a zero-day vulnerability in the Windows Common Log File System (CLFS) driver to obtain SYSTEM privileges and deploy malware on target devices, multiple security researchers have confirmed.
The zero-day was discovered and patched as part of Microsoft's April 2025 Patch Tuesday cumulative update.
Rated 7.8/10 (High) on the CVSS scale, it is tracked as CVE-2025-29824 and is described as a use-after-free in the Windows Common Log File System driver that allows an authorized attacker to elevate privileges locally. Because it is a local privilege escalation, an attacker must already have a foothold on the machine (for example, through phishing or a compromised account) before the bug can be used to reach SYSTEM.
Microsoft was one of the first to sound the alarm about the flaw, saying that hackers were using it to target IT and real estate firms in the United States, financial organizations in Venezuela, a software firm in Spain, and retailers in Saudi Arabia.
Microsoft's researchers said the flaw was exploited by a threat actor linked to RansomEXX, which used it to deploy the PipeMagic backdoor and other malware, including an encryptor. Separately, Symantec found Play, an infamous ransomware operation, using the flaw to gain access to a US target.
“Although a ransomware payload was not deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec explained in its report.
“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses Play ransomware (also known as PlayCrypt) in its attacks.”
Play, also known as PlayCrypt, is a threat actor that emerged in mid-2022. In the first year and a half of its existence, it claimed roughly 300 victims, some of them critical infrastructure organizations. In late 2023, the FBI, CISA and other security agencies published a joint advisory warning about the danger posed by Play.
“Since June 2022, the Play (also known as PlayCrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” the advisory said. “As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.”
Via BleepingComputer