Critical Ransomware Attacks Exploit Vulnerabilities in Microsoft-Signed Driver

In a highly concerning development for cybersecurity experts and organizations worldwide, recent ransomware attacks have exploited a zero-day vulnerability in a Microsoft-signed driver from Paragon Software’s Paragon Partition Manager. The specific driver in question, BioNTdrv.sys, contains five vulnerabilities that pose significant threats. These vulnerabilities, particularly CVE-2025-0289, are being used in “bring your own vulnerable driver” (BYOVD) attacks. Such attacks leverage signed drivers to bypass traditional security measures, enabling attackers to perform highly malicious actions and penetrate otherwise secure systems. This alarming trend of exploiting Microsoft-signed drivers underscores the evolving sophistication of ransomware campaigns and demands urgent attention and action from both users and developers.

Exploiting Vulnerabilities for Malicious Gains

The CERT Coordination Center (CERT/CC) has released a detailed security advisory highlighting the severity of the threat posed by these vulnerabilities. According to this advisory, Microsoft has confirmed observing attackers utilizing these specific flaws to escalate their privileges to SYSTEM level. This privilege escalation empowers attackers to execute further malicious code, conduct Denial of Service (DoS) attacks, and effectively compromise the targeted systems. The vulnerabilities are particularly hazardous because they can affect Windows devices even where Paragon Partition Manager is not installed: in a BYOVD scenario the attacker brings the signed, vulnerable driver along and loads it themselves, so the mere ability to load that driver can result in a critical security breach, greatly expanding the attack surface.

In addition to CVE-2025-0289, other notable vulnerabilities within the BioNTdrv.sys driver include CVE-2025-0288 (arbitrary kernel memory vulnerability), CVE-2025-0287 (null pointer dereference), CVE-2025-0286 (arbitrary kernel memory write), and CVE-2025-0285 (arbitrary kernel memory mapping). Each of these vulnerabilities allows varying degrees of unauthorized access and manipulation of system resources, all detrimental to the security and functionality of the device. Microsoft identified these issues and collaborated with Paragon Software to address them. Patches and driver blocklists have been implemented to mitigate the associated risks. However, the persistence of such vulnerabilities indicates a need for continuous vigilance and rapid response mechanisms within cybersecurity frameworks to keep pace with emerging threats.
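As an added example (not code from the advisory, Paragon or Microsoft), the following PowerShell triage script checks a Windows host for the three things a defender wants to know after reading the above: whether BioNTdrv.sys is registered or loaded as a kernel driver, whether loose copies sit in common drop locations, and whether Microsoft's vulnerable driver blocklist mitigation is actually enforced. The driver name comes from the article; the drop-directory list and the reliance on the `Win32_DeviceGuard` class and the `VulnerableDriverBlocklistEnable` registry value are the author's assumptions and must be run from an elevated prompt.

```powershell
# Added triage example for the BioNTdrv.sys BYOVD risk; run elevated on Windows.
# Driver name from the advisory; drop directories and checks are assumptions.
$DriverName = 'BioNTdrv'   # Paragon driver named in the advisory (BioNTdrv.sys)

# Likely drop locations for a driver a loader will register later (assumed list).
$DropDirs = "$env:SystemRoot\System32\drivers", "$env:ProgramData",
            "$env:SystemRoot\Temp", "$env:TEMP"

$Report = @(
    # 1. Registered kernel service? BYOVD loaders must register the signed driver
    #    as a service to load it, so this is the cheapest place to look.
    #    State 'Running' means the kernel currently has the driver mapped.
    Get-CimInstance Win32_SystemDriver -Filter "Name LIKE '$DriverName%'" | ForEach-Object {
        # Normalise NT-style paths WMI may return (\??\C:\... or \SystemRoot\...)
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $ver  = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo.FileVersion
        [pscustomobject]@{
            Check  = 'RegisteredDriver'
            Item   = $_.Name
            State  = $_.State
            Detail = "$path ver=$ver sig=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
        }
    }

    # 2. Loose copies on disk. A valid Microsoft signature is exactly what BYOVD
    #    abuses, so the file version (patched or not) matters more than the signer.
    Get-ChildItem -Path $DropDirs -Recurse -Filter "$DriverName*.sys" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'DriverOnDisk'
                Item   = $_.FullName
                State  = 'Present'
                Detail = "ver=$($_.VersionInfo.FileVersion) modified=$($_.LastWriteTime)"
            }
        }

    # 3. Is the blocklist mitigation enforced? SecurityServicesRunning contains 2
    #    when HVCI is running; VulnerableDriverBlocklistEnable backs the Windows
    #    Security "Microsoft Vulnerable Driver Blocklist" toggle (assumed semantics).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'BlocklistEnforcement'
        Item   = 'HVCI / vulnerable driver blocklist'
        State  = if ($dg.SecurityServicesRunning -contains 2) { 'HVCI running' } else { 'HVCI NOT running' }
        Detail = "VulnerableDriverBlocklistEnable=$($ci.VulnerableDriverBlocklistEnable)"
    }
)

$Report | Format-Table -AutoSize -Wrap
```

A 'RegisteredDriver' row with State 'Running' on a host that never had Paragon Partition Manager installed is the BYOVD pattern the advisory describes and warrants incident-response follow-up rather than just a driver update.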

Growing Trend in Ransomware Campaigns

The current shift in ransomware campaigns exploiting vulnerable drivers is a stark reminder of the ever-evolving toolkit of cybercriminals. Examples such as RansomHub actors utilizing “EDRKillShifter” to exploit similar driver vulnerabilities are testament to this growing trend. By targeting signed drivers, attackers can evade endpoint detection systems and potentially disable security software, thereby undermining the very protections meant to safeguard digital environments. This technique provides attackers with a more covert and effective means to carry out their malicious objectives while remaining undetected for longer periods. Consequently, this increases the potential damage and impact of ransomware attacks on targeted entities.

Paragon Software responded promptly to the discovery of the driver vulnerabilities by issuing a patch, urging users to update their drivers to align with the latest Microsoft security guidelines. The CERT advisory has strongly recommended prompt user action to ensure systems are fortified against potential exploitation. It’s worth noting that while the advisory did not specify the ransomware types utilizing these particular vulnerabilities, the focus remains on the critical nature of these threats and the importance of preemptive measures. Both Paragon and Microsoft emphasize that keeping software and drivers updated is paramount to maintaining system integrity and resilience against cyber threats.

Importance of Prompt Updates and Security Measures

The CERT Coordination Center (CERT/CC) has issued a detailed security advisory emphasizing the critical threat posed by specific vulnerabilities. Microsoft has observed that attackers are using these flaws to gain SYSTEM level privileges. Such escalation allows attackers to execute malicious code, conduct Denial of Service (DoS) attacks, and compromise targeted systems. Even if Paragon Partition Manager is not installed, Windows devices remain at risk due to the vulnerable driver, broadening the potential attack surface.

Besides CVE-2025-0289, other significant vulnerabilities in the BioNTdrv.sys driver include CVE-2025-0288 (arbitrary kernel memory vulnerability), CVE-2025-0287 (null pointer dereference), CVE-2025-0286 (arbitrary kernel memory write), and CVE-2025-0285 (arbitrary kernel memory mapping). These vulnerabilities allow unauthorized access and manipulation of system resources, endangering device security. Microsoft, in collaboration with Paragon Software, has released patches and blocklists to mitigate these risks. Nonetheless, ongoing vigilance and quick response are essential to counter emerging cybersecurity threats effectively.
