The Play ransomware group has taken advantage of a critical Windows Common Log File System flaw to execute zero-day attacks. Reports stated that the group could acquire SYSTEM privileges and deploy malware on affected systems throughout the operation.
This vulnerability, tracked as CVE-2025-29824, was acknowledged by Microsoft as having been exploited in a limited number of attacks and was fixed in last month's security updates.
Microsoft reported in April that targets include IT and real estate firms in the U.S., a Spanish software business, the financial industry in Venezuela, and the retail sector in Saudi Arabia.
Microsoft attributed these incidents to the RansomEXX ransomware group, noting that attackers employed the PipeMagic backdoor malware to facilitate the CVE-2025-29824 exploit, deploy ransomware payloads, and issue ransom notes after file encryption.
Subsequently, separate researchers uncovered additional connections to the Play ransomware-as-a-service operation, revealing that the attackers ran a CVE-2025-29824 zero-day privilege escalation exploit after infiltrating a U.S. organisation's network.
These researchers explained that, while no ransomware payload was installed during this breach, the attackers did deploy the Grixba infostealer, a custom tool linked to Balloonfly, the group behind Play ransomware.
The Play ransomware has been used by more than one cybercriminal organisation.
Balloonfly has been active since at least June 2022 and employs the Play ransomware (also called PlayCrypt) in its operations. The Grixba tool, which scans networks and extracts information, was first identified two years ago.
Ransomware operators typically utilise this tool to gather details about users and computers within compromised networks. Emerging in June 2022, the Play cybercrime group is notorious for double-extortion attacks in which affiliates coerce victims to pay ransom to prevent the public release of stolen data.
A couple of years ago, multiple federal law enforcement agencies issued a joint warning that the Play ransomware group had compromised the networks of approximately 300 organisations globally by October 2023.
Notable past victims of Play ransomware include car retailer Arnold Clark, the City of Oakland in California, Dallas County, and, more recently, U.S. semiconductor provider Microchip Technology and doughnut chain Krispy Kreme.
