Security

How a Zero-Day Ransomware Threat Exploited Windows CLFS to Hijack Systems Globally

tuffbrownboy


Ransom notes deployed in the attacks

Overview of the RansomEXX Ransomware Exploit

Microsoft has recently identified a significant security breach wherein the notorious RansomEXX ransomware gang exploited a severe zero-day vulnerability within the Windows Common Log File System. This flaw allowed the attackers to escalate their privileges to SYSTEM level on affected computers.

Details of the Vulnerability

The vulnerability, known as CVE-2025-29824, was effectively addressed in the latest Patch Tuesday security update. Prior to this, it had been exploited in only a handful of incidents. The flaw is attributed to a use-after-free error that permitted local assailants, with minimal rights, to elevate their privileges without necessitating user interaction.

Impacted Windows Versions and Patches

While updates have been rolled out for several Windows versions, patches for Windows 10 x64 and 32-bit editions are still pending, with a release scheduled imminently.

Affected Sectors and Geographic Impact

According to Microsoft, the exploitation targeted key sectors across multiple regions:

  • IT and real estate sectors in the USA
  • Financial sector in Venezuela
  • A major software firm in Spain
  • Retail sector in Saudi Arabia

Additional Insights on the Attack Vector

The attackers leveraged the PipeMagic backdoor malware, which facilitated the deployment of the CVE-2025-29824 exploit along with the ransomware payloads and encrypted file ransom notes.

RansomEXX ransom note
Example of RansomEXX ransom note (source: BleepingComputer)

Broader Application of PipeMagic Backdoor

As documented by ESET, the PipeMagic backdoor has also been implicated in deploying exploits like the CVE-2025-24983 targeting the Windows Win32 Kernel Subsystem since March 2023. Recognized by Kaspersky in 2022, this malware can harvest sensitive information, allow full remote system access, and facilitate further malicious activities within victim networks.

Rising Threat from RansomEXX

Initially known as Defray, the ransomware operation was rebranded to RansomEXX and intensified its activities from June 2020. This group has targeted numerous high-profile entities including GIGABYTE, Konica Minolta, Texas Department of Transportation, Brazil’s court system, Montreal’s STM public transport system, and Tyler Technologies.

Immediate Recommendations

Microsoft urges all affected users to apply the security updates promptly to mitigate risks associated with this vulnerability, especially those not impacting Windows 11, version 24H2, where this specific exploit was not observed.

Related: Alarming Discovery: Over 150,000 Treasury Emails Compromised in Prolonged Cyberattack

Last Updated: April 8, 2025

Post Views: 22

Related Posts