Ransomware Gangs Target Vulnerable Paragon Partition Driver
Ransomware gangs are exploiting a critical vulnerability in Paragon Partition Manager’s BioNTdrv.sys driver in zero-day attacks. The exploitation, reported by Microsoft, poses a serious threat to both the community and commercial versions of the tool.
Unmasking the Paragon Partition Manager Flaw
Paragon Partition Manager manages hard drive partitions through its BioNTdrv.sys kernel driver, which runs with elevated privileges. Microsoft identified a series of vulnerabilities in this driver, notably CVE-2025-0289, which ransomware syndicates have used to obtain SYSTEM-level access, giving them permissions beyond those of a typical administrator account.
The implications are clear: attackers can abuse the vulnerable driver to escalate privileges or trigger system crashes such as the Blue Screen of Death (BSOD), as CERT/CC’s advisory notes. Even where Paragon Partition Manager is not installed, attackers can bring the vulnerable driver with them onto a compromised system, a technique known as BYOVD (‘Bring Your Own Vulnerable Driver’), and exploit it there to gain the same SYSTEM-level access.
A Deep Dive into the Exploited Vulnerabilities
The discovered vulnerabilities within the Paragon Partition Manager include:
- CVE-2025-0288: Caused by missing input sanitization in the memmove function, this flaw allows arbitrary kernel memory writes that lead to privilege escalation.
- CVE-2025-0287: A null pointer dereference caused by missing validation of the MasterLrp structure, it allows arbitrary kernel code execution and thus privilege escalation.
- CVE-2025-0286 and CVE-2025-0285: These vulnerabilities stem from improper validation of user-supplied data lengths, giving attackers a way to manipulate arbitrary kernel memory and escalate privileges.
Microsoft and Paragon Software have promptly patched these vulnerabilities. Organizations should update to the latest BioNTdrv.sys version without delay and confirm that the Windows Vulnerable Driver Blocklist is enabled, which blocks the older 1.3.0 and 1.5.1 driver versions that attackers load to obtain SYSTEM-level access.
Navigating the Threat Landscape
As cyber threats escalate, proactive defense matters more than ever. Enterprises are urged to harden their systems against these vulnerabilities, which pose severe security risks; doing so protects infrastructure and reduces the risk of the data breaches that ransomware gangs increasingly profit from.
According to Security Affairs, cybersecurity experts emphasize the crucial role of timely patch management as part of a comprehensive security posture to combat these emerging threats.
Taking Steps Forward
For security practitioners and businesses, staying informed and following industry best practices is imperative. Defensive measures include:
- Updating software to patched versions, such as Paragon Partition Manager v2.0.0, and enabling Windows’ protective measures such as the Vulnerable Driver Blocklist.
- Monitoring proactively for unusual system behavior that may indicate exploitation attempts.
- Raising employee cybersecurity awareness so that potential threats are recognized promptly.
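The mitigations recommended above (update the driver, confirm the blocklist is on, watch for the driver being loaded) can be audited on a host with a script like the following. It is an added example written for this article, not code from Paragon Software, Microsoft or CERT/CC. Its assumptions are labelled in the comments: the driver file name and the version numbers (1.3.0 and 1.5.1 vulnerable, 2.0.0 fixed) are taken from the article; the registry value VulnerableDriverBlocklistEnable is Microsoft’s documented toggle for the Vulnerable Driver Blocklist; the Sysmon query only returns results where Sysmon is installed and configured to log driver loads.

```powershell
# Added example (not Paragon's, Microsoft's or CERT/CC's code): audit a Windows
# host for BioNTdrv.sys and for the mitigations the article recommends.
# Assumptions: driver name and version thresholds come from the article;
# VulnerableDriverBlocklistEnable is Microsoft's documented blocklist toggle;
# Sysmon Event ID 6 ("Driver loaded") exists only if Sysmon is installed.
# Run from an elevated PowerShell session.

$DriverName         = 'BioNTdrv.sys'
$VulnerableVersions = @([version]'1.3.0', [version]'1.5.1')   # listed in the article
$FixedVersion       = [version]'2.0.0'                        # listed in the article

function Get-DriverFileVersion {
    # Build a Major.Minor.Build version from the PE version resource so that it
    # compares cleanly against the three-part versions above.
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
}

function Find-BioNTdrvCopies {
    # Kernel services that point at the driver, whether currently running or not.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverName*" }

    # Copies on disk: the system drivers directory, anything under Program Files,
    # and the path of any registered service. Duplicates are collapsed below.
    $paths  = @("$env:SystemRoot\System32\drivers\$DriverName")
    $roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $paths += Get-ChildItem -Path $roots -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    $paths += $services | ForEach-Object { $_.PathName }

    $paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique | ForEach-Object {
        $path = $_
        $ver  = Get-DriverFileVersion -Path $path
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path              = $path
            FileVersion       = $ver
            KnownVulnerable   = $VulnerableVersions -contains $ver      # exact match on 1.3.0 / 1.5.1
            BelowFixedVersion = $ver -lt $FixedVersion                   # anything older than 2.0.0
            Signer            = $sig.SignerCertificate.Subject
            Running           = [bool]($services | Where-Object { $_.PathName -eq $path -and $_.State -eq 'Running' })
        }
    }
}

function Test-VulnerableDriverBlocklist {
    # The blocklist toggle lives under the Code Integrity configuration key;
    # HVCI state (2 in SecurityServicesRunning) is read from the DeviceGuard class.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = if ($val) { $val.VulnerableDriverBlocklistEnable } else { $null }
        HvciRunning            = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

function Get-DriverLoadEvents {
    # Sysmon Event ID 6 records every driver load with image path, hashes and
    # signature status; filter it for the driver named in the article.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DriverName*" } |
        Select-Object TimeCreated, Message
}

# ---- Report ----
$copies = @(Find-BioNTdrvCopies)
if ($copies.Count -eq 0) {
    Write-Output "No $DriverName found on disk or registered as a kernel service."
} else {
    $copies | Format-Table -AutoSize
}
Test-VulnerableDriverBlocklist | Format-List
Get-DriverLoadEvents | Format-List
```

A copy reported as KnownVulnerable or BelowFixedVersion, or a Sysmon load event for the driver on a host that has no business running Paragon Partition Manager, is what a defender wants to see surfaced; a load on a host where the blocklist and HVCI are both off is the combination the BYOVD technique relies on. Note that on Windows 11 2022 Update and later the blocklist is enabled by default, so an absent registry value on those builds is not on its own evidence that it is off; confirm the setting under Windows Security, Device security, Core isolation.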
Given the trajectory of vulnerabilities such as those in Paragon Partition Manager’s BioNTdrv.sys driver, vigilance and robust security frameworks remain essential to thwarting sophisticated ransomware operations.