#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
Zenith Live 2025

RaaS | Breaking Cybersecurity News | The Hacker News

Category — RaaS
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization

Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization

May 07, 2025 Ransomware / Endpoint Security
Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States. The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824 , a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by Microsoft last month. Play , also called Balloonfly and PlayCrypt, is known for its double extortion tactics, wherein sensitive data is exfiltrated prior to encryption in exchange for a ransom. It's active since at least mid-2022. In the activity observed by Symantec, the threat actors are said to have likely leveraged a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point, taking advantage of an as-yet-undetermined method to move to another Windows machine on the target network. The attack is notable for the use of Grixba , a bespoke information stealer previously attr...
Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks

Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks

Mar 27, 2025 Endpoint Security / Ransomware
A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa , BianLian , and Play . The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter , was first documented as used by RansomHub actors in August 2024. EDRKillShifter accomplishes its goals by means of a known tactic called Bring Your Own Vulnerable Driver (BYOVD) that involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints. The idea behind using such tools is to ensure the smooth execution of the ransomware encryptor without it being flagged by security solutions. "During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges," ESET researchers Jakub Souček and Jan Holman said in a report shared with The Hacker News. "...
Customer Account Takeovers: The Multi-Billion Dollar Problem You Don’t Know About

Customer Account Takeovers: The Multi-Billion Dollar Problem You Don't Know About

Apr 30, 2025Malware / Data Breach
Everyone has cybersecurity stories involving family members. Here's a relatively common one. The conversation usually goes something like this:  "The strangest thing happened to my streaming account. I got locked out of my account, so I had to change my password. When I logged back in, all my shows were gone. Everything was in Spanish and there were all these Spanish shows I've never seen before. Isn't that weird?" This is an example of an account takeover attack on a customer account. Typically what happens is that a streaming account is compromised, probably due to a weak and reused password, and access is resold as part of a common digital black market product, often advertised as something like "LIFETIME STREAMING SERVICE ACCOUNT - $4 USD." In the grand scheme of things, this is a relatively mild inconvenience for most customers. You can reset your credentials with a much stronger password, call your bank to issue a new credit card and be back to binge-watching The Crown i...
Expert Insights Articles Videos
Cybersecurity Resources