Microsoft has discovered five serious vulnerabilities in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager, one of which is being actively exploited by ransomware groups as a zero-day to gain SYSTEM privileges on Windows endpoints. The flaws are abused in ‘Bring Your Own Vulnerable Driver’ (BYOVD) attacks: the attacker installs the vulnerable driver on an already-compromised system and then exploits it to escalate privileges.
According to CERT/CC, an attacker with local access can exploit these vulnerabilities to escalate privileges or to cause a denial-of-service (DoS) condition on the victim machine. Because the driver carries a valid Microsoft signature, Windows will load it, so an attacker can use the BYOVD technique against systems that never had Paragon Partition Manager installed.
Because BioNTdrv.sys runs in the kernel, exploiting it lets an attacker execute code with kernel privileges, bypassing security controls and endpoint protection software that run with less privilege. All five vulnerabilities were found by Microsoft researchers, who note that one of them, CVE-2025-0289, is already being exploited by ransomware gangs. The specific groups exploiting it as a zero-day have not been publicly identified.
Microsoft’s alert reads: “Microsoft has seen threat actors leveraging this vulnerability in BYOVD ransomware attacks, using CVE-2025-0289 in particular to gain privilege escalation to SYSTEM level and then run additional malicious code.”
Paragon Partition Manager vulnerabilities uncovered by Microsoft:
- CVE-2025-0288: arbitrary kernel memory write. The driver’s ‘memmove’ call does not sanitize user-controlled input, so an attacker can write to kernel memory and escalate privileges.
- CVE-2025-0287: null pointer dereference. The driver does not validate the ‘MasterLrp’ structure in the input buffer, which can be leveraged for arbitrary kernel code execution.
- CVE-2025-0286: arbitrary kernel memory write caused by improper validation of user-supplied data lengths, leading to arbitrary code execution.
- CVE-2025-0285: arbitrary kernel memory mapping caused by a failure to validate user-supplied data lengths; an attacker escalates privileges by manipulating kernel memory mappings.
- CVE-2025-0289: insecure kernel resource access. The driver does not validate the ‘MappedSystemVa’ pointer before passing it to ‘HalReturnToFirmware’, which allows an attacker to compromise the affected service. This is the flaw seen exploited in the wild.
All five are reachable only by code that can already open the driver’s device object, which is why they are used for post-compromise privilege escalation rather than initial access.
The first four flaws affect Paragon Partition Manager 7.9.1 and earlier; CVE-2025-0289 affects version 17 and earlier. Users should update to the current release, which ships BioNTdrv.sys version 2.0.0 and fixes all five vulnerabilities.
Patching alone does not close the exposure, and systems that never had Paragon Partition Manager installed are not immune either. BYOVD does not depend on the legitimate software being present: the attacker bundles the old, still validly signed driver with their own tooling, registers it as a kernel service on the compromised host, and exploits it to gain kernel privileges.
Microsoft’s response and recommendations:
To reduce the risk, Microsoft has updated its Vulnerable Driver Blocklist so that Windows refuses to load the affected BioNTdrv.sys builds. Users and organizations should confirm that this mechanism is enabled on their endpoints, because a blocklist that is not enforced stops nothing.
To confirm that the blocklist is enabled:
- Open Settings.
- Go to Privacy & security.
- Select Windows Security.
- Select Device security.
- Click Core isolation.
- Make sure the Microsoft Vulnerable Driver Blocklist toggle is on. The toggle sits next to Memory integrity (HVCI); on most systems it is memory integrity that actually enforces the blocklist, so turn that on as well.
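As an added example (not code from the article, Paragon or Microsoft), the following PowerShell script performs the same verification from an elevated console and also answers the earlier question of whether a BioNTdrv.sys older than the fixed 2.0.0 build is present on the machine. It assumes Windows 10/11 with PowerShell 5.1 or later; the registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config is the setting the Windows Security toggle writes, and the Win32_DeviceGuard CIM class reports whether HVCI is running. Function names are my own.

```powershell
# Added example, not code from the original article, Paragon or Microsoft.
# Audits one Windows endpoint for the two things the article says to verify:
#  1. is the Microsoft Vulnerable Driver Blocklist enforced (and is HVCI running)?
#  2. is a BioNTdrv.sys older than the fixed 2.0.0 build present on the box?
# Run from an elevated PowerShell 5.1+ session on Windows 10/11.

$FixedDriverVersion = [version]'2.0.0'   # fixed BioNTdrv.sys build named in the advisory

function Get-DriverBlocklistState {
    # Registry value written by the "Microsoft Vulnerable Driver Blocklist" toggle
    # under Windows Security > Device security > Core isolation.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { 'not set' } else { $item.VulnerableDriverBlocklistEnable }

    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' `
                          -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistValue = $raw
        BlocklistOn    = ($raw -eq 1)
        HvciRunning    = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

function Find-BioNTdrv {
    # Candidate files: any registered kernel driver whose service or image name
    # mentions BioNTdrv, plus anything matching in the drivers directory.
    $paths   = @()
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv*' }
    foreach ($d in $drivers) { $paths += ($d.PathName -replace '^\\\?\?\\', '') }   # strip NT "\??\" prefix
    $paths += Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' `
                            -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

    foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $ver = (Get-Item -LiteralPath $p).VersionInfo.FileVersionRaw
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path       = $p
            Version    = $ver
            Vulnerable = ($ver -lt $FixedDriverVersion)   # any build below 2.0.0 is affected
            Signer     = $sig.SignerCertificate.Subject     # a valid Microsoft signature is why Windows loads it
            SigStatus  = $sig.Status
        }
    }
}

$state = Get-DriverBlocklistState
$state | Format-List
if (-not $state.BlocklistOn) {
    Write-Warning 'VulnerableDriverBlocklistEnable is not 1: check the toggle in Windows Security and enable memory integrity.'
}
$found = @(Find-BioNTdrv)
if ($found.Count -eq 0) {
    Write-Output 'No BioNTdrv.sys found. That does not rule out BYOVD: the attacker can bring the driver.'
} else {
    $found | Format-Table -AutoSize
}
```

A `BlocklistValue` of “not set” is not the same as “off”: on recent Windows 11 builds the blocklist is on by default whenever memory integrity is enabled and the registry value may never have been written, so read `HvciRunning` together with the Windows Security page before concluding that the endpoint is unprotected. Finding no copy of the driver is reassuring only for the patch question; the BYOVD exposure remains until the blocklist is enforced.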
General hardening recommendations:
- Regular software updates: keep the operating system and applications current with the latest security patches. This removes known-vulnerable builds from systems that have the affected product installed.
- Endpoint defense: deploy endpoint protection (antivirus, anti-malware or EDR) that can detect and block exploitation attempts, including the loading of known-vulnerable drivers.
- User training: educate users about the risk of downloading and running unknown software or drivers, and keep security awareness current.
- Network segmentation: split the network into segments so that a compromised host cannot easily reach the rest of the estate, which limits lateral movement and contains an attack.
- Regular backups: back up data regularly so it can be restored after a ransomware attack, and keep backups in a secure, separate location that an attacker on the production network cannot reach.
- Incident response plan: review and exercise the incident response plan regularly so that incidents are handled promptly. Do people know what to do during an attack?
Why BYOVD attacks are so dangerous:
A BYOVD attack targets vulnerabilities in legitimate, validly signed drivers. Because the signature is valid, Windows loads the driver, and security tools that trust signed code see a legitimate component rather than malware. By exploiting the driver, an attacker who already has a foothold gains kernel-level privileges on the compromised system; from there they can execute malicious code, disable security products, install further malware or take complete control of the machine.
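Because a BYOVD attack, as described above and in the earlier discussion of attackers packaging the driver with their own tools, has to register the bundled driver as a kernel-mode service before it can be exploited, the most useful early detection is on that registration. As an added example (not code from the article or from Microsoft), the PowerShell below reads Event ID 7045 (“A service was installed in the system”) from the System log and flags kernel-mode drivers registered from user-writable paths or whose file name or SHA-256 is on a vulnerable-driver list. The function names, the path list and the sample events are constructed for this example, and the hash list is a placeholder to be filled from your own catalog; it assumes Windows and rights to read the System log.

```powershell
# Added example, not code from the original article or from Microsoft.
# Detection for the BYOVD staging step: the attacker must register their bundled
# driver as a kernel-mode service, which the Service Control Manager records in the
# System log as Event ID 7045 ("A service was installed in the system").

# Known-vulnerable driver names; BioNTdrv.sys (below 2.0.0) is the one from the
# article. Hashes are PLACEHOLDERS to fill from your own catalog: a name match
# alone is weak because the attacker chooses the file name.
$KnownBadDriverNames = @('biontdrv.sys')
$KnownBadSha256      = @('0000000000000000000000000000000000000000000000000000000000000000')  # placeholder

# Locations a legitimate kernel driver should never be started from.
$UserWritableRoots = @('\Users\', '\Temp\', '\ProgramData\', '\AppData\', '\Windows\Temp\')

function Resolve-DriverImagePath {
    # 7045 ImagePath comes in several NT/relative spellings; normalise to a Win32 path.
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^%SystemRoot%', $env:SystemRoot
    if ($env:SystemRoot -and $p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-SuspiciousDriverInstall {
    # Returns a finding object for a suspicious kernel-driver install, otherwise $null.
    param([Parameter(Mandatory)] [pscustomobject] $Record)

    if ($Record.ServiceType -notmatch 'kernel') { return $null }   # user-mode services are out of scope
    $path    = Resolve-DriverImagePath $Record.ImagePath
    $name    = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    $reasons = @()

    if ($KnownBadDriverNames -contains $name) { $reasons += "file name '$name' is on the vulnerable-driver list" }
    if ($Record.Sha256 -and ($KnownBadSha256 -contains $Record.Sha256.ToLowerInvariant())) {
        $reasons += 'SHA-256 matches a known vulnerable driver'
    }
    foreach ($root in $UserWritableRoots) {
        if ($path -like "*$root*") { $reasons += "kernel driver registered from user-writable path $path"; break }
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Service = $Record.ServiceName; Path = $path; Reasons = $reasons }
}

function Get-DriverInstallEvents {
    # Pull real 7045 events and shape them like the constructed sample records below.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = ([xml]$_.ToXml()).Event.EventData.Data
            $img = Resolve-DriverImagePath (($d | Where-Object Name -eq 'ImagePath').'#text')
            # 7045 carries no hash; hash the image if it is still on disk (attackers often delete it).
            $sha = if ($img -and (Test-Path -LiteralPath $img)) { (Get-FileHash -LiteralPath $img -Algorithm SHA256).Hash } else { $null }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = ($d | Where-Object Name -eq 'ServiceName').'#text'
                ImagePath   = ($d | Where-Object Name -eq 'ImagePath').'#text'
                ServiceType = ($d | Where-Object Name -eq 'ServiceType').'#text'
                Sha256      = $sha
            }
        }
}

# Constructed sample events (not real log data) covering the three cases.
$SampleEvents = @(
    [pscustomobject]@{ ServiceName = 'BioNTdrv'; ImagePath = '\??\C:\Users\Public\bnt\BioNTdrv.sys'
                       ServiceType = 'kernel mode driver'; Sha256 = $null }
    [pscustomobject]@{ ServiceName = 'disk';     ImagePath = '\SystemRoot\System32\drivers\disk.sys'
                       ServiceType = 'kernel mode driver'; Sha256 = $null }
    [pscustomobject]@{ ServiceName = 'Spooler';  ImagePath = '%SystemRoot%\System32\spoolsv.exe'
                       ServiceType = 'user mode service'; Sha256 = $null }
)

# Only the first sample is flagged: vulnerable file name and user-writable path.
$SampleEvents | ForEach-Object { Test-SuspiciousDriverInstall -Record $_ } | Where-Object { $_ } | Format-List
# Live use: Get-DriverInstallEvents | ForEach-Object { Test-SuspiciousDriverInstall -Record $_ } | Where-Object { $_ }
```

The path heuristic catches the common case where the driver is dropped next to the attacker’s tooling, but a careful operator will copy it into System32\drivers and name it after a legitimate driver, so the hash check (or a Sysmon Event ID 6 driver-load record, which includes the hash) is the one to rely on. Either way, a kernel-mode service appearing on a host that has no reason to install drivers is worth an alert on its own.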
Real-world implications:
Exploitation of these driver vulnerabilities has concrete consequences for both organizations and individuals. Organizations face data breaches, financial loss and reputational damage; individuals face identity theft, data loss and other personal security compromises. Both should remain vigilant and take proactive steps to protect their systems.