RaaS | Breaking Cybersecurity News | The Hacker News

Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States. The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824 , a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by Microsoft last month. Play , also called Balloonfly and PlayCrypt, is known for its double extortion tactics, wherein sensitive data is exfiltrated prior to encryption in exchange for a ransom. It's active since at least mid-2022. In the activity observed by Symantec, the threat actors are said to have likely leveraged a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point, taking advantage of an as-yet-undetermined method to move to another Windows machine on the target network. The attack is notable for the use of Grixba , a bespoke information stealer previously attr...

A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa , BianLian , and Play . The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter , was first documented as used by RansomHub actors in August 2024. EDRKillShifter accomplishes its goals by means of a known tactic called Bring Your Own Vulnerable Driver (BYOVD) that involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints. The idea behind using such tools is to ensure the smooth execution of the ransomware encryptor without it being flagged by security solutions. "During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges," ESET researchers Jakub Souček and Jan Holman said in a report shared with The Hacker News. "...