Play Ransomware Exploits Zero-Day Flaw to Target U.S. Organizations

By Tina Reynolds

Play ransomware, also tracked as Balloonfly and PlayCrypt, has recently made headlines for its double extortion operations. Its operators exploited a Windows vulnerability, CVE-2025-29824, while it was still a zero-day; Microsoft has since patched it. Investigators flagged the exploit after finding its components in the Music directory of the compromised machine. It is the scope of this breach that has cybersecurity experts deeply alarmed. Play has had a successful run against many different types of organizations, including a recently compromised, unnamed entity within the United States.

Play's business model is a little different. The operators take a 20% commission on every successful ransom payment, leaving affiliates the remaining 80%. This lucrative model has helped Play expand its reach and operational capacity since it first appeared in mid-2022. Today the group's activity is no longer confined to the United States; the recent wave of attacks on UK retailers, from Harrods to Marks and Spencer, shows the same extortion playbook at work across the pond.

Exploit Mechanism and Methodology

At first glance, Play's exploitation of CVE-2025-29824 is deeply worrying, mainly because of how it is delivered. The exploit is disguised as legitimate Palo Alto Networks software, deceiving users into running malicious files. The batch file servtask.bat then adds a user named LocalSvc to the local Administrators group, a large step toward deeper and more persistent access to the system.

The exploit then injects a DLL named clssrv.inf into the critical winlogon.exe process. This malicious DLL can drop and run further batch files, extending the attacker's control over the system. According to Symantec, “During the execution of the exploit, two files are created in the path C:\ProgramData\SkyPDF,” underscoring the technical sophistication of this ransomware strain.
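The two post-exploitation artifacts described above, a LocalSvc account being added to the local Administrators group, and the clssrv.inf DLL injected into winlogon.exe alongside file drops in C:\ProgramData\SkyPDF, are exactly what a hunt query should surface. The following is an added example of such detection logic, written for this article; it is not code from Symantec, Microsoft or the ransomware itself. It runs over constructed, normalised Windows Security (event IDs 4720 and 4732) and Sysmon (event IDs 8 and 11) records. The sample records, the host name, the source image path, the System32 allow-list for remote-thread sources, and the assumption that the LocalSvc account is created shortly before being promoted are all illustrative assumptions, not facts from the incident.

```python
"""Hunt for the Play post-exploitation artifacts in normalised Windows events.

Added example for this article (not Symantec/Microsoft code). Input records are
constructed samples shaped like Windows Security and Sysmon events after log
normalisation; they are not data from the real incident.
"""
from datetime import datetime, timedelta

# Windows Security log event IDs (Microsoft-documented)
SEC_USER_CREATED = 4720              # A user account was created
SEC_LOCAL_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
# Sysmon event IDs
SYSMON_CREATE_REMOTE_THREAD = 8
SYSMON_FILE_CREATE = 11

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Artifacts named in the article; paths are lower-cased before matching.
SUSPECT_DIR = "c:\\programdata\\skypdf"
SUSPECT_FILENAMES = {"clssrv.inf", "servtask.bat"}
# Tuning assumption: remote threads into winlogon.exe whose source image lives
# under System32 are treated as OS noise; anything else is reported.
TRUSTED_SOURCE_PREFIX = "c:\\windows\\system32\\"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def hunt(events, window=timedelta(minutes=10)):
    """Return (rule, detail, host) findings in chronological order."""
    findings = []
    created_at = {}  # (host, account) -> creation time
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["time"])):
        t = datetime.fromisoformat(e["time"])
        key = (e["channel"], e["id"])
        if key == ("Security", SEC_USER_CREATED):
            created_at[(e["host"], e["target"].lower())] = t
        elif (key == ("Security", SEC_LOCAL_GROUP_MEMBER_ADDED)
              and e.get("group_sid") == BUILTIN_ADMINISTRATORS_SID):
            member = e["member"].lower()
            born = created_at.get((e["host"], member))
            # Account created and made local admin within one short window:
            # the servtask.bat / LocalSvc pattern. A lone 4732 is not flagged
            # here; on a busy fleet that would be too noisy without context.
            if born is not None and t - born <= window:
                findings.append(("new_local_admin", member, e["host"]))
        elif key == ("Sysmon", SYSMON_FILE_CREATE):
            path = e["path"].lower()
            if path.startswith(SUSPECT_DIR) or _basename(path) in SUSPECT_FILENAMES:
                findings.append(("suspect_file", e["path"], e["host"]))
        elif key == ("Sysmon", SYSMON_CREATE_REMOTE_THREAD):
            target = _basename(e["target_image"].lower())
            source = e["source_image"].lower()
            if target == "winlogon.exe" and not source.startswith(TRUSTED_SOURCE_PREFIX):
                findings.append(("winlogon_injection", e["source_image"], e["host"]))
    return findings


# Constructed sample records (assumed host, paths and timestamps).
SAMPLE_EVENTS = [
    {"time": "2025-04-01T09:00:00", "host": "ws01", "channel": "Security", "id": 4732,
     "member": "svc_backup", "group_sid": "S-1-5-32-544"},       # pre-existing account: benign
    {"time": "2025-04-01T10:00:00", "host": "ws01", "channel": "Security", "id": 4720,
     "target": "LocalSvc"},
    {"time": "2025-04-01T10:00:05", "host": "ws01", "channel": "Sysmon", "id": 11,
     "path": "C:\\ProgramData\\SkyPDF\\clssrv.inf",
     "image": "C:\\Users\\Public\\Music\\update.exe"},           # dropper name is a placeholder
    {"time": "2025-04-01T10:00:06", "host": "ws01", "channel": "Sysmon", "id": 11,
     "path": "C:\\Users\\alice\\Documents\\report.pdf",
     "image": "C:\\Program Files\\Adobe\\Acrobat.exe"},
    {"time": "2025-04-01T10:00:20", "host": "ws01", "channel": "Sysmon", "id": 8,
     "source_image": "C:\\Users\\Public\\Music\\update.exe",
     "target_image": "C:\\Windows\\System32\\winlogon.exe"},
    {"time": "2025-04-01T10:00:21", "host": "ws01", "channel": "Sysmon", "id": 8,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\winlogon.exe"},    # trusted source: not flagged
    {"time": "2025-04-01T10:01:00", "host": "ws01", "channel": "Security", "id": 4732,
     "member": "LocalSvc", "group_sid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for rule, detail, host in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {detail}")
```

The time-window correlation is what keeps the local-admin rule quiet on normal administration while still catching an account that is minted and promoted by a script in the same minute; the window and the System32 allow-list are the knobs to tune against your own baseline, and on a domain controller the equivalent rule should also watch event 4728 for additions to domain groups.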

Domain controllers are the group's primary target, and that choice is central to its strategy. According to Microsoft, “more than 78% of human-operated cyberattacks successfully breach a domain controller.” This alarming statistic underscores the risk of widespread encryption and operational disruption once these critical systems are compromised.

Targeting Retail and Financial Sectors

Play selects its victims deliberately, seeking entities that hold large volumes of personally identifiable information (PII) and financial records. Many analysts have warned that retail organizations like the ones hit last week are natural targets because they cannot avoid constantly processing new financial transactions. “Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions,” industry experts noted.

Affiliates profit from a full-service ransomware kit that includes the ransomware payload, management dashboards, and hands-on customer support. This infrastructure lets them run campaigns under their own branding, which increases their local appeal, and for an added fee a white-label option takes that branding further. SentinelOne describes the same kind of arrangement in the DragonForce program: “Under this model, DragonForce provides the infrastructure, malware, and ongoing support services while affiliates run campaigns under their own branding.”

The Broader Ransomware Landscape

The increasing frequency and audacity of ransomware groups such as Play have made this a perilous time for cybersecurity professionals. Security researcher Dov Lerner commented on this phenomenon, stating, “The proliferation of ransomware groups means that they are increasing faster than law enforcement can shut them down.” That growth, combined with a willingness to target smaller organizations, raises the risk for organizations of every size.

It would not be the first time experts have emphasized the need to harden the crown jewels, in this case domain controllers, against ransomware attacks. Aon researchers noted that “Bring Your Own Installer is a technique which can be used by threat actors to bypass EDR protection.” The unfortunate reality is that every organization must implement strong cyber hygiene practices and stay aware of an environment that keeps changing.

As ransomware groups refine their tactics, techniques, and procedures, organizations need to act proactively to prevent attacks rather than merely respond to them. The evolution of Play ransomware is a good example of how these groups exploit both unpatched vulnerabilities and gaps in organizational defenses.