
Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches

19 May 2026 at 17:19

Attackers couldn’t get enough of the vulnerabilities at their disposal last year, making exploits the top initial access vector across more than 22,000 breaches Verizon analyzed in its latest Data Breach Investigations Report released Tuesday.

The massive annual study uncovered a surge of exploited vulnerabilities during a one-year period ending in October 2025. Exploited defects accounted for 31% of all known initial access vectors, jumping from 20% the previous year. 

The uptick in exploited vulnerabilities is a reflection of the “sisyphean cause” of vulnerability management, researchers wrote in the report. “Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them.”

Organizations are struggling to keep up with the torrent of vulnerabilities affecting the technology across their systems. The slide is especially worrisome for defects in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, where remediation rates are falling.

Across the more than 13,000 organizations Verizon studied in 2025, only 26% of the critical vulnerabilities in CISA's catalog were fully remediated, down from 38% the year prior. 

“There is also a worse result for the median time elapsed for a vulnerability to be fully patched by detection,” researchers wrote in the report. “Our new median time is 43 days, almost two weeks longer than last year’s 32 days.”

Verizon also noted that the median number of KEV vulnerabilities that organizations had to patch jumped from 11 in 2024 to 16 in 2025.

CISA’s KEV catalog contained more than 1,500 CVEs as of February, and 65% of those were exploited during the previous year, according to the report.

Verizon identified the five most common weaknesses among CISA KEV CVEs in its report as out-of-bounds read (CWE-125), heap-based buffer overflow (CWE-122), use after free (CWE-416), external control of file name or path (CWE-73) and access of resource using incompatible type (CWE-843, better known as type confusion).
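The figures Verizon reports (share of KEV entries fully remediated, median days from detection to fix, how many KEV entries had to be patched) are the same numbers a defender can compute from their own scanner output joined to the KEV feed. The script below is an added example and is not from the DBIR, CISA or Verizon: it uses a hand-built catalog in the field layout of CISA's KEV JSON feed (cveID, dateAdded, dueDate, cwes) whose CVE IDs, dates and CWE mappings are made up, joins it to constructed scanner findings, and reports the fully-remediated rate, the median detection-to-fix time, the open findings past CISA's due date, and a CWE tally.

```python
"""KEV remediation metrics on a constructed catalog and finding list (added example)."""
import json
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed catalog in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the CVE IDs, dates and CWE mappings below are made up for this example.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-00001", "dateAdded": "2025-03-03", "dueDate": "2025-03-24", "cwes": ["CWE-125"]},
  {"cveID": "CVE-2025-00002", "dateAdded": "2025-04-10", "dueDate": "2025-05-01", "cwes": ["CWE-416"]},
  {"cveID": "CVE-2025-00003", "dateAdded": "2025-06-15", "dueDate": "2025-07-06", "cwes": ["CWE-122"]},
  {"cveID": "CVE-2025-00004", "dateAdded": "2025-08-01", "dueDate": "2025-08-22", "cwes": ["CWE-73"]}
]}"""

# Constructed scanner findings: (cve, asset, date detected, date remediated or None).
FINDINGS = [
    ("CVE-2025-00001", "web-01", "2025-03-04", "2025-04-10"),
    ("CVE-2025-00001", "web-02", "2025-03-04", "2025-05-20"),
    ("CVE-2025-00002", "vpn-01", "2025-04-11", "2025-05-02"),
    ("CVE-2025-00003", "build-01", "2025-06-16", None),
    ("CVE-2025-00004", "fs-01", "2025-08-02", "2025-08-20"),
    ("CVE-2025-00004", "fs-02", "2025-08-02", None),
    ("CVE-2025-00099", "db-01", "2025-09-01", None),  # not in KEV: tracked separately
]


def kev_metrics(kev_json, findings, today_iso):
    """Compute the fully-remediated rate (a CVE counts only when every affected asset is
    fixed), the median detection-to-fix time, the overdue list and a CWE tally."""
    today = date.fromisoformat(today_iso)
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    open_by_cve = defaultdict(list)   # cve -> assets still vulnerable
    seen_cves = set()
    days_to_fix = []
    cwe_counts = Counter()            # weakness types, counted once per finding
    overdue = []
    non_kev_open = []

    for cve, asset, detected, remediated in findings:
        if cve not in catalog:
            if remediated is None:
                non_kev_open.append((cve, asset))
            continue
        seen_cves.add(cve)
        cwe_counts.update(catalog[cve]["cwes"])
        if remediated is None:
            open_by_cve[cve].append(asset)
            due = date.fromisoformat(catalog[cve]["dueDate"])
            if today > due:
                overdue.append((cve, asset, (today - due).days))
        else:
            days_to_fix.append(
                (date.fromisoformat(remediated) - date.fromisoformat(detected)).days)

    fully_fixed = [c for c in seen_cves if c not in open_by_cve]
    return {
        "kev_cves_affecting_us": len(seen_cves),
        "fully_remediated_pct": round(100.0 * len(fully_fixed) / len(seen_cves), 1) if seen_cves else 0.0,
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "overdue": sorted(overdue, key=lambda r: -r[2]),   # longest overdue first
        "cwe_counts": cwe_counts,
        "non_kev_open": non_kev_open,
    }


if __name__ == "__main__":
    m = kev_metrics(KEV_JSON, FINDINGS, "2025-10-01")
    print(f"KEV CVEs present: {m['kev_cves_affecting_us']}, fully remediated: {m['fully_remediated_pct']}%")
    print(f"median days detection-to-fix: {m['median_days_to_fix']}")
    for cve, asset, days in m["overdue"]:
        print(f"OVERDUE {cve} on {asset}: {days} days past CISA due date")
    print("CWEs by finding:", m["cwe_counts"].most_common(3))
```

A CVE counts as fully remediated only when every affected asset is fixed; counting per asset instead would inflate the rate. The overdue list is computed against the feed's own dueDate field, which is the deadline CISA sets for federal agencies and a reasonable default SLA elsewhere.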

Attacker motivations remained relatively consistent last year, with financially motivated cybercriminals accounting for 88% of all breaches. Espionage-driven attacks from state-affiliated groups made up the remainder.

“Ransomware continues to be among the most disruptive and impactful types of breaches we see. Not unlike the price of everything from fast food to adult beverages in ballparks, it continues to trend upward,” researchers wrote in the report.

Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. Yet, Verizon observed some positive trends in ransomware as well.

Ransom payments continued to decline, with 69% of victims reporting they didn’t pay, and the median payment slid from $150,000 in 2024 to almost $140,000 last year.

Tracking ransomware remains a challenge for researchers and authorities. 

“There is a growing disconnect between what is being reported and the reality of what has occurred, in no small part due to threat actors reusing old breaches, reposting breaches from other criminal partners and making up breaches out of whole cloth to help increase their notoriety in the criminal world,” Verizon wrote in the report. “We’re beginning to think that these cybercriminals might not be entirely trustworthy.”

Yet, despite the lack of indisputable data on ransomware activity, researchers concluded: “Ransomware is still the yoga pants of cybersecurity — ubiquitous, stubbornly popular and appearing in unexpected places near you.”

The post Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches appeared first on CyberScoop.

Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line

27 April 2026 at 12:51

A bipartisan pair of senators want a company that operates a tip line for anonymously reporting school safety concerns to answer questions about hackers compromising sensitive student information.

Sens. Maggie Hassan, D-N.H., and Jim Banks, R-Ind., announced on Monday they’d sent a letter to the firm, Navigate360, about last month’s incident.

“We write to express significant concern about the risks to students, staff, and schools from a recent cyberattack on your company’s P3 Global Intel tip line,” they said in the April 24 letter. “We are particularly concerned by reports that the cyberattack exploited platform vulnerabilities in order to steal students’ highly sensitive personally identifiable information. We urge you to provide the public clarity regarding what data was stolen, how Navigate360 is responding, and what safeguards Navigate360 will put into place to prevent this from happening again.”

According to the company, more than 30,000 schools and 5,000 public safety agencies use Navigate360's products. The hackers claimed to have stolen 93 gigabytes of data from the firm.

“Your company markets its product as an anonymous tip line,” Hassan and Banks said. “However, the personally identifiable information recently released by the hackers suggests otherwise. This puts the safety of students at risk and undermines public trust in using such platforms to report suspicious activity. Education and school safety experts have expressed concerns that, without guaranteed anonymity, students will choose not to report safety concerns.”

At the time of the alleged breach, Navigate360 CEO JP Guilbault said the company was working to determine if there was an incident and if there was, its extent. He did not confirm that sensitive information was released. The company did not immediately respond to a request for comment on the senators’ letter Monday.

A whopping 82% of K-12 schools said they experienced a cyber incident between July 2023 and December 2024, according to a report from the Center for Internet Security. The scale of cyberattacks on schools expanded during COVID-19. Hackers seeking student information usually have a financial motive, such as holding the information for ransom.

The hackers in the Navigate360 case were apparently motivated by hacktivism.

“Remember folks, don’t do the dirty work for the pigs,” they wrote. “Investigating crime is their job, not yours. They don’t care about you, they want convictions and prisoners to fuel the for-profit prisons.”

Hassan and Banks’ specific questions for Navigate360 included inquiries about its cybersecurity practices, what data was compromised, whether the tip line is fully anonymous and what kind of help the company has provided to school districts.

The post Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line appeared first on CyberScoop.

Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign

14 April 2026 at 12:25

A small group of former Black Basta affiliates has targeted more than 100 employees across dozens of organizations to break into networks for potential data theft, ransomware deployment and extortion, according to ReliaQuest.

The social engineering campaign, which involves mass email bombing and Microsoft Teams help desk impersonation, surged last month and dates back to at least May 2025, ReliaQuest said in a report Tuesday. 

Attackers have primarily targeted senior leadership to gain highly privileged access. “Roughly three-quarters of targeted users were executives, directors, managers or similarly high-value roles,” researchers who worked on the report told CyberScoop via email. 

Cybercriminals involved in Black Basta, an offshoot of Conti, scattered after the threat group’s internal chat logs leaked online in February 2025, providing threat researchers and authorities key details about the group’s operations. 

German police publicly identified Oleg Evgenievich Nefedov, a Russian national, as Black Basta’s alleged leader in January. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 others worldwide.

ReliaQuest said the recently observed campaign shares many similarities with previous Black Basta activity and follows the same playbook — tooling, targeting and execution style — associated with the once-prolific ransomware group. 

“That includes the repeated use of remote access tools, a strong concentration in sectors Black Basta historically favored, and a level of speed and coordination that suggests experienced operators are building on a playbook they already know works,” researchers said. 

“We’re careful not to treat any one artifact as definitive proof, but taken together, the similarities are strong enough that we assess it is highly likely former affiliates or closely aligned operators are involved,” ReliaQuest researchers added. 

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment. Threat hunters warned that former members were still actively targeting additional victims earlier this year. 

ReliaQuest released its report, including indicators of compromise, after it observed a particularly sharp spike in activity in March, noting that the group’s targeting was more focused on senior employees.

“The operators are moving very quickly, with parts of the workflow becoming more automated or highly streamlined, which makes the campaign easier to scale and harder for defenders to interrupt before remote access is established,” researchers said.

The top five sectors targeted in recent Black Basta-style attacks are manufacturing, professional services, finance and insurance, construction and technology, according to ReliaQuest.

Attackers typically bombard targeted employees with hundreds of emails within minutes, then contact them posing as IT support via direct messages on Microsoft Teams or a phone call. ReliaQuest said it has observed some attackers achieve remote access within minutes of the first sign of an email bomb.
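The sequence ReliaQuest describes, a burst of hundreds of inbound messages followed by an "IT support" contact over Teams, is detectable from mail-gateway and Teams audit data if the two are correlated. What follows is an added example and is not ReliaQuest's tooling or its indicators: the log line formats, the thresholds (100 messages in 10 minutes, a 60-minute follow-up window), the user names and the tenant names are all constructed for the example. It flags a recipient once the sliding 10-minute inbound count crosses the threshold, then alerts only when a chat from a tenant outside the allowlist reaches that user shortly afterward.

```python
"""Email-bomb burst detection correlated with external Teams contact (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 100                     # inbound messages to one recipient ...
BURST_WINDOW = timedelta(minutes=10)      # ... within this sliding window
FOLLOW_UP_WINDOW = timedelta(minutes=60)  # external chat this soon after a burst is suspicious

# Constructed line formats (not a real gateway or Teams export format).
MAIL_RE = re.compile(r"^(?P<ts>\S+) mail inbound rcpt=(?P<rcpt>\S+) from=(?P<sender>\S+)$")
TEAMS_RE = re.compile(r"^(?P<ts>\S+) teams chat_created user=(?P<user>\S+) external_tenant=(?P<tenant>\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bursts(lines):
    """Map recipient -> time the inbound count first reached BURST_THRESHOLD inside
    BURST_WINDOW. Lines for a given recipient are expected in chronological order."""
    windows = defaultdict(deque)
    bursts = {}
    for line in lines:
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts, rcpt = parse_ts(m["ts"]), m["rcpt"]
        q = windows[rcpt]
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:      # drop messages older than the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and rcpt not in bursts:
            bursts[rcpt] = ts
    return bursts


def correlate_teams(lines, bursts, trusted_tenants):
    """Alert on a chat from a non-allowlisted tenant to a bombed user within FOLLOW_UP_WINDOW."""
    alerts = []
    for line in lines:
        m = TEAMS_RE.match(line)
        if not m:
            continue
        user, tenant, ts = m["user"], m["tenant"], parse_ts(m["ts"])
        if user not in bursts or tenant in trusted_tenants:
            continue
        if timedelta(0) <= ts - bursts[user] <= FOLLOW_UP_WINDOW:
            alerts.append((user, tenant, ts.isoformat()))
    return alerts


def build_sample_log():
    """Constructed input: 250 inbound messages to alice in under six minutes, ordinary
    mail for bob, then an external Teams chat to each of them."""
    t0 = datetime(2026, 3, 10, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{t0 + timedelta(seconds=i * 1.4):{fmt}} mail inbound rcpt=alice@example.com from=signup{i}@lists.example"
             for i in range(250)]
    lines += [f"{t0 + timedelta(minutes=3 * i):{fmt}} mail inbound rcpt=bob@example.com from=colleague@partner.example"
              for i in range(5)]
    lines.append(f"{t0 + timedelta(minutes=18):{fmt}} teams chat_created user=alice@example.com external_tenant=helpdesk-support.example")
    lines.append(f"{t0 + timedelta(minutes=20):{fmt}} teams chat_created user=bob@example.com external_tenant=partner.example")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    bursts = detect_bursts(log)
    for user, tenant, when in correlate_teams(log, bursts, trusted_tenants={"partner.example"}):
        print(f"ALERT: {user} email-bombed at {bursts[user]:%H:%M:%S}, external Teams chat from {tenant} at {when}")
```

The burst alone is a noisy signal (newsletter sign-up floods look the same), which is why the alert fires only on the combination; the tenant allowlist is what separates a real partner from a help-desk impersonator, so it needs to be maintained from the tenant's actual external-access configuration rather than guessed.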

Researchers did not say how many organizations have been successfully compromised as a result of this campaign thus far. 

While extortion appears to be the most likely objective, ReliaQuest cautioned against assuming every attack results in ransomware encryption.

“Based on what we’ve observed, the intrusion chain is built to gain access quickly, understand the environment, and create options for follow-on monetization,” researchers said. “That could lead to data theft, extortion without encryption, or ransomware deployment, depending on the victim and the opportunity.”

The post Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign appeared first on CyberScoop.

Cybercrime losses jumped 26% to $20.9 billion in 2025

7 April 2026 at 12:47

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The study describes a worsening digital crime environment in which losses are compounding year over year. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses over that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustained trends. Yet the study's scope is limited: it relies entirely on complaints submitted to the FBI. 

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged 60 and over filing the most complaints and suffering the greatest total losses of any age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers made up the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

The post Cybercrime losses jumped 26% to $20.9 billion in 2025 appeared first on CyberScoop.

pcTattleTale stalkerware maker sentence includes fine, supervised release

6 April 2026 at 13:21

A federal judge has sentenced the maker of stalkerware pcTattleTale, which went out of business after a data breach, to supervised release and a $5,000 fine.

Bryan Fleming pleaded guilty in January to a charge of intentionally manufacturing, possessing or selling a device with the knowledge that it would be primarily used for surreptitious interception of communications. On Friday, a judge handed down Fleming’s sentence.

It was the first stalkerware conviction since 2014, when the maker of StealthGenie pleaded guilty and likewise served no prison time, instead receiving a $500,000 fine.

According to Fleming’s plea agreement, his incriminating activity began as early as 2017, as the owner of Fleming Technologies LLC.

“Defendant’s software enabled buyers to covertly and remotely monitor a victim’s cellular telephone and computer activities, including, texts, emails, phone calls, geo-location, and web browsing,” the agreement states. “Defendant began directly advertising his spying software to persons wanting to spy on spouses or partners without their knowledge.”

It continued: “Defendant’s spying software covertly created a video every time a victim’s device was used, which captured any and all activity occurring on the device. The person monitoring the device could log into a remote dashboard and monitor the activity on the victim’s device.”

An undercover agent from Homeland Security Investigations, a division of U.S. Immigration and Customs Enforcement, posed as a marketing affiliate and customer to communicate with Fleming, according to a 2022 indictment.

pcTattleTale went out of business in 2024 after suffering a data breach. Researchers have found that stalkerware apps often fail to protect the personal information they collect.

An attorney for Fleming didn’t immediately respond to a request for comment Monday morning.

The post pcTattleTale stalkerware maker sentence includes fine, supervised release appeared first on CyberScoop.

Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack

24 March 2026 at 13:52

SAN FRANCISCO — Mandiant is responding to a major, ongoing supply-chain attack involving the compromise of Trivy, a widely used open-source tool from Aqua Security that’s designed to find vulnerabilities and misconfigurations in code repositories.

The fallout from the attack, which was first detected March 19, is extensive and poses substantial risk of follow-on compromises and extortion attempts. 

“We know over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat campaign,” Charles Carmakal, chief technology officer at Mandiant Consulting said during a threat briefing held in conjunction with the RSAC 2026 Conference. “That thousand-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000.”

Attackers stole a privileged access token and established a foothold in Trivy's repository automation by exploiting a misconfiguration in the project's GitHub Actions environment in late February, Aqua Security said in a blog post.

On March 1, the company tried to cut off the intrusion by rotating its credentials. It later realized the rotation had not succeeded, leaving the attacker with still-valid credentials and continued access. Attackers published malicious releases of Trivy on March 19.

“While this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply-chain attack that began weeks earlier,” Aqua Security said in the blog post.
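Aqua's post attributes the foothold to a misconfiguration in Trivy's GitHub Actions environment, but the page above does not say which one. The linter below is an added example, not Aqua's or Sygnia's tooling and not a description of the Trivy workflow: it checks workflow text for the well-known class of mistakes that hands a privileged token to untrusted input (a pull_request_target trigger that checks out the pull request head, untrusted event fields interpolated into run: scripts, actions referenced by a mutable tag rather than a commit SHA, no permissions: block) and runs it over a constructed vulnerable workflow and a hardened rewrite. The workflow contents, action names, secret name and the 40-hex digest in the hardened version are placeholders, and the regex-based parse is deliberately shallow (no YAML library) so the example runs stand-alone.

```python
"""Lint GitHub Actions workflow text for patterns that expose privileged tokens (added example)."""
import re

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*[\w.-]+/[\w.-]+(?:/[\w./-]+)?@[0-9a-f]{40}\s*(?:#.*)?$")
RUN_LINE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(.*)$")
# Event fields an outside contributor controls; interpolating them into a shell script is injection.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(github\.event\.(?:pull_request|issue|comment|review)\.[\w.]+|github\.head_ref)\s*\}\}")
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")

# Constructed workflow: every line below is made up for the example.
VULNERABLE = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "Checking ${{ github.event.pull_request.title }}"
          make test
      - uses: some-org/release-tool@main
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
"""

# Hardened rewrite: plain pull_request trigger, read-only token, SHA-pinned action,
# untrusted field passed through env rather than interpolated into the script.
HARDENED = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder digest, not a real release
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking $PR_TITLE"
          make test
"""


def lint_workflow(text):
    """Return (line, rule, detail) tuples; line 0 means the whole file."""
    lines = text.splitlines()
    findings = []
    has_prt = any(re.search(r"\bpull_request_target\b", l) for l in lines)
    if not any(re.match(r"^\s*permissions:", l) for l in lines):
        findings.append((0, "no-permissions-block", "GITHUB_TOKEN keeps the repository default scope"))
    run_indent = None  # indent of the `run:` key while inside a `run: |` block scalar
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_indent is not None and (not line.strip() or indent > run_indent):
            script = line                        # continuation line of the block scalar
        else:
            run_indent = None
            m = RUN_LINE.match(line)
            script = m.group(2) if m else ""
            if m and script.startswith(("|", ">")):
                run_indent, script = len(m.group(1)), ""
        if script and (e := UNTRUSTED_EXPR.search(script)):
            findings.append((n, "expression-injection", e.group(1)))
        u = USES.match(line)
        if u and not u.group(1).startswith(("./", "docker://")) and not SHA_PIN.match(line):
            findings.append((n, "unpinned-action", u.group(1)))
        if has_prt and HEAD_CHECKOUT.search(line):
            findings.append((n, "pull_request_target-checks-out-pr-head", line.strip()))
        if re.match(r"^\s*permissions:\s*write-all", line):
            findings.append((n, "permissions-write-all", line.strip()))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        result = lint_workflow(text)
        print(f"{label}: {len(result)} finding(s)")
        for line, rule, detail in result:
            print(f"  line {line}: {rule}: {detail}")
```

The same pinning discipline applies in the other direction for anyone who consumes a tool like Trivy in CI: referencing the action or binary by commit SHA or digest rather than a tag such as latest or main means a malicious release published under a re-pointed tag is not picked up automatically, and the pin only moves when someone reviews the change.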

By compromising the tool, attackers gained access to secrets for many organizations, Carmakal said. “There will likely be many other software packages, supply-chain attacks and a variety of other compromises as a result of what’s playing out right now.”

Mandiant expects widespread breach disclosures, follow-on attacks and a variety of downstream impacts to play out over the next several months. 

The attackers, whom the incident response firm has yet to name, are collaborating with multiple threat groups mostly based in the United States, Canada and the United Kingdom. These cybercriminals “are known for being exceptionally aggressive with their extortion,” Carmakal said. “They’re very loud, they’re very aggressive.”

Mandiant is still working to identify the root of the initial attack. “We can’t quite tell how those credentials were stolen, because it is our belief that those credentials were not stolen from that victim’s environment,” Carmakal said. 

The credentials were likely stolen from another cloud environment, a business process outsourcer, partner or the personal computer of an engineer, he added. 

Aqua said Sygnia, which is investigating the attack and assisting in remediation efforts, identified additional suspicious activity Sunday involving unauthorized repository changes, activity consistent with the attacker’s previously observed behavior.

“This development suggests that the incident is part of an ongoing and evolving attack, with the threat actor reestablishing access. Our investigation is actively focused on validating that all access paths have been identified and fully closed,” the company said.

Aqua, in its latest update Tuesday, said it is continuing to revoke and rotate credentials across all environments and claimed there is still no indication its commercial products are affected. 

Many attackers are currently weaponizing access and likely targeting additional victims, leading to potential extortion attempts and the compromise of additional software, Carmakal said. 

“It’s going to be a different outcome for a lot of different organizations,” he said. “This will be a very concentrated focus of the adversaries and their expansion group of partners that they’re collaborating with right now.”

The post Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack appeared first on CyberScoop.

North Carolina tech worker found guilty of insider attack netting $2.5M ransom

19 March 2026 at 21:46

A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday.

Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.

The insider attack underscores the risks companies accept when employees, or contractors placed by a third-party staffing firm, as Curry was, are given access to sensitive data on a company-owned laptop. Officials did not name the company.

Curry used his access to the company’s network to exfiltrate corporate data for extortion while he worked there between August and December 2023. Immediately following his last day of employment, Curry began sending threatening emails to its employees, demanding a ransom in return for destroying the data rather than leaking it.

Officials said he sent more than 60 emails to various employees and executives over a six-week period, threatening to disclose the company’s payroll data, claiming it showed significant pay inequity across the workforce. In those emails, Curry framed the data theft extortion attack as an effort to implement salary transparency.

“Loot and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations on protected acts,” Curry wrote in one of the emails, according to the indictment.

Curry included attachments with the emails containing screenshot images of spreadsheets listing the personally identifiable information of company employees. Officials said he also warned the company he would provide employees instructions on how to address pay discrimination through mediation, the Equal Employment Opportunity Commission or a class-action lawsuit.

Some of the extortion emails got personal, including a claim that one person on the legal team wasn’t getting a bonus while most employees in high-level positions did receive bonuses. Curry also threatened to report the breach to the Securities and Exchange Commission, citing rules that require public companies to disclose cyberattacks quickly. 

The publicly traded company notified the FBI of the breach on Dec. 14, 2023 and paid Curry’s ransom demand almost a month later.

Multiple operational security mistakes helped authorities identify and build a case against Curry rather quickly. He used personal and verifiable data to establish a new Coinbase account, and two of the debit cards linked to the account Curry established to receive a ransom belonged to his mother and sister.

Authorities searched Curry’s apartment, digital devices and vehicle in Charlotte, North Carolina, just weeks after the ransom was paid. He was arrested and released on bond in late January 2024. 

Officials said Curry initiated his extortion scheme after he learned his contract with the company wouldn’t be renewed. He faces up to 12 years in prison at sentencing.


The post North Carolina tech worker found guilty of insider attack netting $2.5M ransom appeared first on CyberScoop.
