Microsoft signed a dodgy driver and now ransomware scum are exploiting it

(2025/03/04)


Ransomware crooks are exploiting a third-party Windows kernel-level driver used and provided by disk management tool Paragon Partition Manager.

Paragon Partition Manager is a software tool that allows users to create and manage partitions on a storage drive. It sports a Microsoft-approved, digitally signed kernel-level driver, BioNTdrv.sys, that the manager application uses for privileged low-level access to attached hard drives.

It turns out the .sys has security vulnerabilities that can be exploited by malware and rogue users already on the machine to gain SYSTEM-level control over the whole box. Miscreants can also include copies of the driver with their ransomware or manually deploy the .sys on compromised Windows computers to fully hijack the system; because the driver is signed and trusted by the operating system, it's allowed to run no problem.

"As the attack involves a Microsoft-signed driver, an attacker can leverage a Bring Your Own Vulnerable Driver ([2]BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed," as the CERT Coordination Center (CERT/CC) in the US put it in a [3]warning late last week.

According to CERT/CC, one of the five now-fixed security flaws in Paragon Partition Manager's BioNTdrv.sys driver has been abused in the wild by ransomware miscreants. The five vulnerabilities, none of which have been assigned CVSS ratings, are:

[6]CVE-2025-0288 : An arbitrary kernel memory vulnerability in Paragon Partition Manager version 7.9.1 that can be abused to write to arbitrary kernel memory and achieve privilege escalation.

[7]CVE-2025-0287 : A null pointer dereference vulnerability in version 7.9.1 that allows an attacker to execute arbitrary kernel code and achieve privilege escalation.

[8]CVE-2025-0286 : An arbitrary kernel memory write vulnerability in version 7.9.1 that can lead to arbitrary code execution.

[9]CVE-2025-0285 : An arbitrary kernel memory mapping vulnerability in version 7.9.1 that can be exploited to escalate privileges.

[10]CVE-2025-0289 : An insecure kernel resource access vulnerability in Paragon Partition Manager version 17 that basically allows for privileged code execution via an unvalidated attacker-controlled pointer.

Microsoft found and reported all five bugs to Paragon Software, we're told, and according to the CERT/CC warning, CVE-2025-0289 is the flaw specifically used in the observed BYOVD-based ransomware attacks. In practice, an attacker first gets the .sys file and some other malicious code running on a victim's Windows computer, then uses the driver to gain top privileges and complete the takeover.

Paragon Software has released a new driver, BioNTdrv.sys version 2.0.0, which fixes these flaws. Vulnerable versions of the driver have been added to [15]Microsoft's Vulnerable Driver Blocklist so that the OS no longer trusts the buggy driver if it shows up in a BYOVD-based infection. Windows 11 devices enable this blocklist by default.
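The two defensive checks the article implies, as an added PowerShell example that is not from the article, Paragon, or Microsoft: look for BioNTdrv.sys on the box (whether installed by Partition Manager or dropped BYOVD-style, as the CERT/CC note above describes) and confirm the Vulnerable Driver Blocklist is actually on. It assumes the 2.0.0 fix version stated above, the documented `VulnerableDriverBlocklistEnable` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, and the Code Integrity operational log's event ID 3077 for enforced blocks; the version-comparison helper is mine.

```powershell
# Added example (not the article's or any vendor's code). Run from an elevated
# PowerShell session on the Windows host being checked.
# Assumptions: fixed driver is BioNTdrv.sys 2.0.0 (per the article); blocklist
# state is the documented DWORD VulnerableDriverBlocklistEnable (1 = on, 0 = off);
# enforced Code Integrity blocks are logged as event ID 3077.

$FixedVersion = [version]'2.0.0'

function Test-VulnerableVersion {
    # Returns $true when the file version is below the fix, $false when at or
    # above it, and 'unknown' when the version string cannot be parsed.
    param([string]$FileVersion)
    if (-not $FileVersion) { return 'unknown' }
    # Keep only the leading dotted numeric part, e.g. "1.3.0.0 (build 12)" -> "1.3.0.0"
    $numeric = ($FileVersion -split '[^0-9.]')[0]
    try   { return ([version]$numeric -lt $FixedVersion) }
    catch { return 'unknown' }
}

function Get-BioNTdrvStatus {
    # 1) Drivers registered as kernel services, running or not.
    $fromServices = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like '*BioNTdrv*' } |
        ForEach-Object { [pscustomobject]@{ Source = 'service:' + $_.Name; State = $_.State; Path = ($_.PathName -replace '^\\\?\?\\', '') } }

    # 2) Copies sitting in the usual driver directory even if no service points at them
    #    (a BYOVD drop may register the file under an arbitrary service name).
    $fromDisk = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'disk'; State = 'n/a'; Path = $_.FullName } }

    foreach ($hit in @($fromServices) + @($fromDisk)) {
        $ver = $null; $sig = $null
        if (Test-Path $hit.Path) {
            $ver = (Get-Item $hit.Path).VersionInfo.FileVersion
            $sig = (Get-AuthenticodeSignature $hit.Path).Status
        }
        [pscustomobject]@{
            Source     = $hit.Source
            State      = $hit.State
            Path       = $hit.Path
            Version    = $ver
            Signature  = $sig                      # a valid signature does NOT mean safe
            Vulnerable = Test-VulnerableVersion $ver
        }
    }
}

function Get-DriverBlocklistStatus {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # HVCI status: SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is on.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = $val            # $null = value absent (OS default applies)
        BlocklistExplicitlyOn  = ($val -eq 1)
        HvciRunning            = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

function Get-RecentDriverBlocks {
    # Enforced Code Integrity blocks; absence of events is normal on a clean host.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage
'--- BioNTdrv.sys presence ---'
Get-BioNTdrvStatus | Format-Table -AutoSize
'--- Vulnerable Driver Blocklist / HVCI ---'
Get-DriverBlocklistStatus | Format-List
'--- Recent enforced driver blocks (event 3077) ---'
Get-RecentDriverBlocks | Format-List
```

Any row with Vulnerable set to True, or a copy of the driver on a host that never had Partition Manager installed, is worth an incident ticket regardless of the signature column; the point of the article is that the signature checks out. If the registry value is 0, the blocklist has been switched off deliberately on that host, which is a finding in itself.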

Neither Paragon nor Microsoft immediately responded to The Register's inquiries, including those about the scope of the observed exploitation. We will update this story if and when we receive a response. ®



[2] https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/4103985

[3] https://kb.cert.org/vuls/id/726882

[6] https://www.cve.org/CVERecord/SearchResults?query=CVE-2025-0288

[7] https://www.cve.org/CVERecord/SearchResults?query=CVE-2025-0287

[8] https://www.cve.org/CVERecord/SearchResults?query=CVE-2025-0286

[9] https://www.cve.org/CVERecord/SearchResults?query=CVE-2025-0285

[10] https://www.cve.org/CVERecord/SearchResults?query=CVE-2025-0289

[15] https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules



Legacy code strikes again!

Philip Storry

This is almost certainly code that was written in the late 90s or early 2000s, and has just sat there ever since.

"It works, so why change it" is fine for code in userland applications that won't hold sensitive data, but not for kernel code like this. (Or for some kinds of userland apps.)

So how do we get companies to audit their old code?

In the case of kernel-mode drivers, I suggest that Microsoft make signing the driver a contract. If the driver has a security flaw, then the cost to Microsoft of investigating and mitigating the flaw will be borne by the supplier. Plus a penalty fine per vulnerability if they're common types (buffer overflow, pointer misuse).

Only by introducing some kind of fiscal penalty will the audit of old code suddenly become fiscally viable, which is what we need.

Re: Legacy code strikes again!

Will Godfrey

Nice idea, but this would hit small companies really hard. The big ones would simply restructure, move contentious code to new entities and sell them off, thus absolving themselves of any future responsibility.

Always Right Mostly

If only there were processes and tools to test code before signing and shipping it.

Will Godfrey

There are plenty of "tools" - mostly in upper management.

Didn't Paragon donate this code to the Linux kernel ntfs3 driver?

Bebu sa Ware

Just asking.

Re: Didn't Paragon donate this code to the Linux kernel ntfs3 driver?

doublelayer

They donated code to that, but I see no evidence that it was this code, and it seems quite unlikely that it was because Windows already has an NTFS driver. The Partition Manager software that this appears to be part of is a distinct product. If this had been, for example, Paragon's NTFS for Mac OS software, then I'd be more worried that a similar bug could affect Linux, although even then the most sensitive code would likely be OS-specific.

I'm so miserable without you, it's almost like you're here.