Federal Chief Information Officer Greg Barbaccia said Tuesday the government is approaching Anthropic’s Mythos model with measured expectations, acknowledging both its potential to strengthen federal cyber defenses and the significant uncertainties that remain about how it would perform in real-world conditions.

Barbaccia said his direct exposure to Mythos has been limited to evaluations and benchmarking tests, and that no federal agencies have deployed it yet. While he says the Office of the National Cyber Director is coordinating the government’s approach, his broader assessment of where AI-assisted cybersecurity is heading was direct.

“We’re going to get to a world soon where AI defense will be able to catch up,” Barbaccia told CyberScoop on Tuesday at the Workday Federal Forum, produced by Scoop News Group. “We must get to a point where the bots are finding the bots.”

Earlier this month, Barbaccia sent an email to cabinet agencies to inform them that the Office of Management and Budget has started laying the groundwork for a controlled rollout of the model to federal agencies.

His framing reflects a view that the same capabilities making Mythos a potential offensive threat are precisely what make it valuable as a defensive tool. Anthropic has said the model identified thousands of previously unknown, high-severity vulnerabilities across major operating systems and web browsers during testing, many of them decades old. The question for federal security teams is not whether those capabilities are real, but whether they translate from controlled laboratory settings to the complex, defended networks that government agencies actually run.

Barbaccia was candid about that gap. 

“I think it’ll uplevel people and make a novice cybersecurity offensive operator more efficient,” he told CyberScoop. “But the jury is still out on how effective it’ll be against real-world conditions, meaning a network that’s guarded by human defenders that has alerting and things like that. The evaluations I’ve seen have been laboratory learnings.”

That distinction matters for federal security teams weighing how to think about the model. Finding a vulnerability and successfully exploiting it in a defended environment are different problems. Barbaccia pointed to the CVE catalog, the government’s running list of known software flaws, as one area where the model’s speed could have practical value. A human analyst working through that catalog would take considerable time. A model like Mythos could move through it far faster. But speed alone does not determine whether a vulnerability poses an actual threat.

“There’s a difference between something that is exploitable in a 4-nanosecond window during a BIOS boot versus what’s the reality of that being exploited in the real world,” he said. “We have to understand, just like you could secure your entire threat surface, where are the crown jewels? And how do you protect something, and make sure the protection you’re deploying is worthwhile what you’re protecting.”

That kind of thinking is familiar to federal network defenders, who operate under resource constraints and must triage which vulnerabilities to address first. What Mythos potentially changes is the speed at which that triage can happen, and the depth at which vulnerabilities can be identified before an adversary finds them.

Barbaccia said the CIO Council, which coordinates technology policy across civilian agencies, is still in the early stages of understanding what the model could mean for enterprise security environments. “Everybody’s just curious to learn a lot more,” he said.

Agencies have tried on their own to obtain access to Anthropic’s model. The Department of the Treasury has asked for access, according to reports. CISA, the agency responsible for securing, monitoring, and defending civilian agency networks, has not been granted access.

The post Federal CIO cautious on Anthropic’s Mythos despite planned rollout appeared first on CyberScoop.

Lawmakers at a hearing Tuesday explored ways to beef up punishments for ransomware attacks against hospitals, possibly by labeling them as more severe crimes.

One proposal floated at the House Homeland Security Committee hearing, to treat ransomware attacks as terrorism, is an idea Congress has flirted with before. Another would be to press prosecutors to pursue homicide charges in attacks on hospitals where death resulted — something German authorities also once pondered.

A former top FBI cyber official, Cynthia Kaiser, put forward both ideas at the hearing, a joint meeting of the subcommittees on Border Security and Enforcement and Cybersecurity and Infrastructure Protection on cybercrime, drawing questions and interest from members.

“I believe there are no penalties too severe for individuals that would target our health care system,” said Mississippi Rep. Michael Guest, chair of the border subcommittee, whose home state of Mississippi’s health care clinics closed following a February ransomware attack.

The suggestions stem from a growing focus by ransomware attackers on the health care sector, with incidents doubling from 238 in 2024 to 460 in 2025 according to FBI statistics, making it the top targeted sector.

Kaiser, now senior vice of the Halcyon ransomware research center, said terrorism designations from the State, Treasury and Justice departments could lead to further sanctions, restricted travel and other punishments. Justice Department guidance on homicide charges could clarify its authorities, she said.

“It sounds like the language is there, it just has not been applied in these circumstances,” said Rep. Lou Correa of California, the top Democrat on Guest’s subpanel.

The notion of more closely entwining cyberattacks and terrorism is something both Congress and the executive branch have examined recently.

The fiscal 2025 Senate intelligence authorization bill would have directly linked ransomware to terrorism, although the final version of the bill that became law was less explicit than the original Senate language. The Treasury Department last month asked for public feedback on changing a terrorism risk insurance program to address cyber-related losses.

A University of Minnesota study from 2023 estimated that hospital ransomware attacks were responsible for dozens of deaths of Medicare patients. German authorities in 2020 opened a negligent homicide investigation following a death in the aftermath of a ransomware attack, but ultimately decided against charges.

The Trump administration’s national cyber strategy advocates for taking a more offensive approach to hackers. It released an executive order on cybercrime and fraud the same day it published the strategy. Kaiser said the proposals are in line with those approaches.

Hackers know their attacks could end lives, she said. “They have simply decided these deaths are someone else’s problem,” Kaiser said.

The post Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks appeared first on CyberScoop.

The Treasury Department is soliciting public feedback on whether it should change a terrorism risk insurance program to address cyber-related losses.

In a Federal Register notice set for publication Wednesday, Treasury seeks comment from the public for a mandatory report it must deliver to Congress this summer on the effectiveness of the terrorism risk insurance program (TRIP) created by the 2002 Terrorism Risk Insurance Act. That law arose from the Sept. 11 terror attacks and provided a federal backstop to make terrorism risk insurance more available and affordable.

Some experts have suggested that the cyber insurance industry should also get a federal backstop as the industry struggles to develop fully. With the law set to expire at the end of 2027, tying it to the reauthorization of the terrorism risk insurance law could be one way to get Congress to create such a cyber backstop.

Among the topics Treasury hopes commenters will address before it sends the report to Congress in June is the interaction between the terrorism risk insurance law and program, and cybersecurity. The agency will accept comments until May 8.

That includes: “Any potential changes to TRIA or TRIP that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including, but not limited to the potential modification of the lines of insurance covered by TRIP and revisions to any of the current sharing mechanisms for cyber-related losses, such as, for example, the individual insurer deductible or the federal share percentage.”

In 2021, Treasury issued a rule making it clear that TRIP could cover cyber losses when written in a TRIP-eligible line of insurance. However, a Government Accountability Office report last year outlined some of the limitations there.

“Because TRIA was designed specifically as a federal backstop for losses from acts of terrorism, only losses from cyberattacks certified by Treasury as acts of terrorism would have TRIA coverage,” it states. “As a result, even large cyberattacks that result in catastrophic losses would not be covered under TRIA if they were not certified as acts of terrorism.”

Treasury said in its Federal Register notice that it wants feedback on cyber-related terrorism losses within TRIP and losses outside of it.

Cyberattacks would need to meet definitions under the terrorism risk insurance law to be certified. They need to be violent or otherwise dangerous to life, property or infrastructure, and designed to influence the U.S. population or government. Damage to U.S. organizations outside the United States still might not qualify.

Medical device maker Stryker recently suffered a wiper attack, with the pro-Palestinian, Iranian government-linked group Handala taking credit. It said the attack was in retaliation for U.S. and Israel military strikes against Iran, specifically a U.S. missile strike on a school that killed 175 people, according to Iran’s government.

The post Treasury asks whether terrorism risk insurance program should bolster cyber coverage appeared first on CyberScoop.

An ex-L3 Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.

Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.

Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described it as serving multiple customers, including the Russian government. In court, the government referred to the buyer as “Company 3,” but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.

Additionally, Operation Zero was one of two zero-day brokerages sanctioned by the U.S. Treasury in a separate announcement made Tuesday.

Prosecutors said Williams used his access at Trenchant over roughly three years to obtain proprietary materials and entered into several deals with the broker, receiving payments in cryptocurrency. Officials said he used proceeds to buy luxury items. The Justice Department has estimated the theft caused $35 million in losses to the contractor, while prosecutors said Williams earned $1.3 million tied to the sales and should be ordered to pay that amount in restitution. 

Williams’ background added another layer noted in court. Prosecutors said he previously served in the Australian Signals Directorate, Australia’s foreign signals intelligence agency. Trenchant’s origins are also part of the record: it was formed after L3Harris acquired Azimuth Security and Linchpin Labs, Australian firms associated with exploit development.

Neither Trenchant nor L3Harris is accused of wrongdoing in the criminal case. 

A hearing for further restitution related to the $35 million in losses is scheduled for May.

The post Ex-L3Harris executive sentenced to 87 months in prison for selling zero-day exploits to Russian broker appeared first on CyberScoop.

Ransomware negotiation is a dark but widely acknowledged reality in the cybersecurity industry — one that many argue is a necessary practice, even if it largely occurs out of sight. Brokering payments and terms with cybercriminals who hold organizations’ data and operations hostage places security professionals in a fraught position that requires them to balance a responsibility to meet their clients’ needs without fueling the spread of financially-motivated crime.

The pitfalls of ransomware negotiation are excessive — pinning the goals of cybercrime against victims and incident response firms that typically face no good options. Negotiators are charged with ensuring their clients don’t break any laws by financially supporting sanctioned criminals, but they also have to consider the lines they won’t cross without betraying their moral compass.

These backchannel negotiations can go awry for various reasons. Many people involved in ransomware negotiation prefer to share very little about what transpires in these discussions, a decision that ensures the terms of ransomware payments remain largely unscrutinized. 

Yet, many security companies and professionals spoke to CyberScoop about the challenges and benefits of ransomware negotiation after two of their own became turncoats. The former incident responders, Ryan Clifford Goldberg and Kevin Tyler Martin, were moonlighting as ransomware operators and pleaded guilty last month to a series of ransomware attacks in 2023.

“There’s no structured community of practice, no peer review, and no recognized body to certify or hold negotiators accountable,” Jon DiMaggio, principal at XFIL Cyber, told CyberScoop. “It’s one of the few areas of cybersecurity with no real standards, an unregulated tradecraft that still operates like the Wild West.”

This uneven approach manifests across the landscape, particularly among the top incident response firms, which have varying levels of comfort with ransomware negotiations. CrowdStrike and Mandiant draw a firm line, refraining from providing ransomware negotiation services to clients. 

If a client is considering paying a ransomware group, Mandiant will explain the options and let the client decide. The Google-owned company will also share what it knows about the group’s reputation for honoring terms and provide a list of third-party vendors that specialize in ransomware negotiation.

Adam Meyers, head of counter adversary operations at CrowdStrike, is firmly in the don’t-pay-ransoms camp. But he, too, recognizes it’s not always that simple. 

“No good comes from paying them,” but sometimes in extreme cases when the choice is between a business’s downfall or potentially putting the people you serve at risk of significant harm, victims don’t have a choice but to pay the ransom, Meyers said.

Palo Alto Networks Unit 42 takes things to the finish line, but stops before payment. “The boundary for us is we don’t perform ransomware payments. That’s actually an intentional decision on our end to separate those out,” Steve Elovitz, vice president of consulting at Unit 42, told CyberScoop.

“We will perform negotiations when requested by our clients, but we will not perform the payments,” he added. “There’s the complexity side of it, but there’s also just the moral side of it — not wanting to be involved, really, in the transaction itself.”

The red lines in ransomware response — viewing stolen or illegal data on dark web forums, collecting that information, engaging with cybercriminals, negotiating and, ultimately, submitting payment — can push those involved beyond their comfort zones, said Sean Nikkel, lead cyber intelligence analyst at Bitdefender.

Lack of transparency engenders isolation

These self-imposed limits highlight how secretive ransomware negotiations tend to be, which creates a vacuum in which criminals thrive, DiMaggio said. 

“The lack of transparency isolates everyone,” he said. “Victims don’t know what’s normal or fair, law enforcement is often left guessing, and the criminals use that silence to control the narrative and drive up their prices.”

Nikkel asserts some secrecy is necessary, yet ransomware negotiators are “operating without a license and it kind of freaks me out a little bit,” he said.

Professional certifications exist for many lines of intelligence work, but there’s nothing for ransomware negotiation, he added.

DiMaggio, who has infiltrated ransomware groups to investigate their operations, dox their leaders and chronicle stories that would otherwise go untold, said victim organizations constantly make the same mistakes because lessons from these attacks are rarely shared. 

“Until the industry finds a responsible way to collect and analyze anonymized negotiation data, we’ll keep fighting each case in the dark,” he said. “Transparency isn’t about shaming victims — it’s about denying criminals the advantage of secrecy.”

Open sharing of ransomware negotiations is a non-starter for many important reasons, experts said. These communications contain privileged information that could tip attackers off to counterstrategies or empower them with information they can use as leverage to further compromise victims. 

“It would be difficult to do that in a way that doesn’t compromise the practice,” said Kurtis Minder, the co-founder and former CEO of GroupSense who published a book in July about his experiences as a ransomware negotiator.

Cynthia Kaiser, who joined Halcyon’s ransomware research center as senior vice president after 20 years with the FBI, shares that view. 

“You don’t want to do anything that re-victimizes the victim,” she said. “If that information goes out, that should be their choice.”

The “darkness” about negotiations doesn’t merit the same emphasis as the need to better understand “how insidious and gross all these ransomware attacks are, and who they’re attacking,” Kaiser added. 

“That’s the only way we can really grapple with the actual extent of the threat, and that’s not happening right now,” she said. “That information doesn’t get out there enough.”

Key negotiation skills and considerations

Minder got pulled into his first ransomware negotiation in 2019 by accident and against his best intentions. “Somewhat reluctantly, I agreed to do more and then it sort of snowballed on us,” he said. “We didn’t really want to do this.”

Since then, Minder has been involved in hundreds of ransomware negotiations for major companies and small businesses who he volunteered to help in his personal time. 

There is no litmus test for what makes a good negotiator, but soft skills and emotional intelligence are critical, he said. 

“Empathy is one of the most important things,” Minder added. “Not sympathy — empathy — being able to effectively put yourself in the bad guys’ shoes is super powerful.”

As ransomware attacks have grown, so too has the mixed motivations of attackers attempting to extort victims for payment. 

Attacker volatility has increased in the past four years and complicated the considerations negotiators must heed in their response, said Lizzie Cookson, senior director of incident response at Coveware by Veeam. 

Some attackers are “eager to get paid, but they’re also in it for the notoriety, for the bragging rights, for the media attention,” said Cookson, who’s worked as ransomware negotiator for more than a decade. “That’s where we start to encounter more concerning behavior — more hostility, threat actors threatening violence, making threats against people’s family members.”

These cases, which occur much more often now, are more likely to result in broken promises — data leaks after a ransom was paid to avoid such an outcome or follow-on extortion demands, she said.

Indeed, cybercriminals consistently pull new threads to amplify the pressure they place on victims. This includes elements of physical extortion wherein ransomware groups call and threaten executives, claiming they know where the executives’ kids go to school, where they live and how they get to work, said Flashpoint CEO Josh Lefkowitz.

These threats put business leaders in precarious, unexpected positions that challenge their preconceived notions about how they’d respond to a cyberattack, Lefkowitz said. 

Ransomware negotiation requires practitioners to navigate between doing what’s necessary and what’s right, DiMaggio said. “The key is to treat every negotiation as a crisis with human consequences, not just a transaction.”

Negotiators reflect on previous cases

Ransomware negotiators tend to run through common checklists based on patterns they’ve experienced, but each incident is unique and requires some level of improvisation. 

Matt Dowling, senior director of digital forensic and incident response at Surefire Cyber, said ransomware operators, on the whole, are more trustworthy now than when he first got involved in negotiations in 2019. The practice, he said, has also improved because threat intelligence is more useful, making negotiations a data- driven effort.

Dowling separates ransomware operators into two groups: named and unnamed. Named groups are more trustworthy because they have a reputation to uphold, while unnamed groups are more likely to re-extort victims and deviate from the standards of ransomware negotiation, such as not providing proof of their claims.

Still, he said, most payments result in positive outcomes for the victims. The lowest payment Dowling has facilitated came in around $6,000, and the largest was about $8 million, he said. 

Some negotiations end abruptly without further incident. These cases typically involve charities or non-profits, according to Minder.

One case he worked on involved a charity that provided free screenings for breast cancer. In that incident, he simply asked the attackers: “Why are you doing this? These people don’t have any extra money.”

The attackers walked away after the organization agreed to pay a $5,000 ransom to cover what the ransomware group claimed amounted to costs it incurred to conduct the attack — a significant discount from their initial demand of $2 million.

When cases involving data extortion come to a close, negotiators will ask for proof the data was deleted, which is impossible to confirm. Some attackers, who are especially proud of their work will provide detailed reports about how they gained access — information that helps the victim and incident responders understand how and what occurred. 

Experts said the number of people involved in ransomware negotiations can be quite large when lawyers, insurance providers and law enforcement is involved. The duration of these back-and-forth compromises can last for a couple hours or up to three months.

Tactics define process for negotiation

Negotiators also employ generally similar strategies to achieve their client’s objectives at the lowest possible payment.

Threat intelligence on ransomware groups can guide negotiators toward a more gentle or aggressive approach, but in all cases “the threat actor, at the outset, has all the leverage,” Dowling said. 

“The leverage that you have is the threat actor wants to get paid. The only way they’re going to get paid is if you come to an agreement,” he added. 

Every ransomware negotiator CyberScoop spoke with remarked on the importance of delay. “Time is always our friend,” Cookson said. “Every day that passes after the initial incident is an opportunity for us to get more visibility so that they can make those decisions with a lot more confidence and make those decisions based on actual data, not based on fear and emotion.”

Initial outreach from negotiators working on behalf of a victim should be short and simple, allowing attackers to do most of the talking up front, Minder said. Negotiators should also avoid discussion of any financial numbers or positional bargaining as long as possible, he said.

Cursing or adopting combative language is a hard no-no for Minder as well. “There are ways to convey disappointment in the messages that aren’t fighting words,” he said. “They’re humans. They have egos, so you have to keep that in mind.”

Delay tactics are designed to get the attackers to question their own demand before the negotiator ever puts a number in writing, Minder said. 

Moreover, it’s not just about the money — ransomware operators are seeking validation, and a sense that they’re in control and winning, he said.

The worst outcomes involve victims that rush to make a payment, assuming that will make all the pain go away, Cookson said. 

Financial incentives present ethical challenges

Ransomware is a thriving criminal enterprise, amounting to a combined $2.1 billion in payments during the three-year period ending in December 2024 and about 3,000 total attacks in 2023 and 2024, according to the Treasury Department’s Financial Crimes Enforcement Network.

Businesses, of course, see opportunity in all of that activity and boutique firms have assembled teams to support victim organizations by engaging in ransomware negotiations on their behalf in the wake of attacks. 

This ancillary industry fosters additional ethical challenges, especially when there’s a built-in financial incentive for ransomware negotiations to occur and, in some cases, result in payments.

A general lack of transparency in billing puts the practices of some of these firms under heavier scrutiny. Some firms charge a flat fee or hourly rate, while others use a contingency model based on the percentage of the ransom reduction they’re able to achieve, DiMaggio said. 

“It’s not the norm across the industry, but it happens, and it introduces a clear conflict of interest,” he added. “When a negotiator’s income depends on the ransom outcome, it blurs the line between representing the victim and profiting from the crime.”

While some ransomware negotiation providers do, indeed, charge a small percentage off the ransom payment, victim organizations should avoid hiring any firm that employs that model, Elovitz said. 

“If you’re making a percentage of the payment, then at least there’s some financial incentive to not negotiate it down as far as you might otherwise,” he added. 

DiMaggio would like to see more clarity around how service providers set prices for ransomware negotiation. Absent that, he said, “the industry will keep living in a moral gray zone, one where good intentions can unintentionally sustain the very ecosystem we’re trying to dismantle.”

Rules of engagement don’t apply

Ransomware negotiation remains an ill-defined, largely unrestricted practice, absent any collective industrywide agreement on rules of engagement.

Any effort to define rules upon which the industry can coalesce could potentially pit competitors against one another, leaving room for those more willing to bend the norms an opportunity to win business by providing less scrupulous services.

Negotiators are effectively unfettered once they ensure they’re not breaking any laws by engaging with or sending money to sanctioned criminals.

Still, there’s an unmet need for checks and balances, oversight, transparency and a standardized set of rules for negotiators to follow without crossing any professional or personal lines. 

Part of the challenge with external oversight lies in the act of negotiation, an art that requires intermediaries to build limited trust with attackers spanning conversations that may not play well in the public sphere, Elovitz said. 

“Putting that under a microscope could inhibit the good guys more than the bad,” he said. Payments themselves, however, could benefit from more scrutiny, Elovitz added. 

Clarity in purpose should prevail above all of these factors. 

Protecting victims without empowering criminals is the first principle of ransomware negotiation, but that balance can’t be managed in the dark, DiMaggio said. 

“I’ve seen firsthand how the lack of oversight allows abuse from both sides of the table,” he said.

To prevent manipulation, DiMaggio called for a standardized framework, vetted negotiators, recorded and auditable communications and anonymized after-action reviews.

“Without accountability, the victims end up paying twice,” he said. “Once to the criminals, and again to the people who claim to save them.”

The scars from years spent as a ransomware negotiator brought Minder back to where his intuition was before he ever got involved. “I don’t believe this should be a business. I say that having been paid to do this,” he said. 

“It’s almost like a parasitic industry,” Minder said. “You’re profiting from victims.”

The post The thin line between saving a company and funding a crime appeared first on CyberScoop.

The Trump administration this week removed three Iranians from its sanctions list who were previously accused of working for Intellexa, the consortium behind the Predator spyware that recent investigations say has circumvented human rights safeguards.

The Biden administration imposed sanctions against the trio in 2024 as part of a broader move to sanction spyware operators. The Treasury Department noted the deletions this week as part of other sanctions moves.

Under the prior sanctions designations, the Biden administration said that Merom Harpaz was manager of Intellexa S.A., a member of the consortium; that Andrea Nicola Constantino Hermes Gambazzi was functionally the owner of Thalestris Limited and Intellexa Limited, two other consortium members; and that Sara Aleksandra Fayssal Hamou was a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium.

While the Tuesday notice about the sanctions removal provided no explanation, “this removal was done as part of the normal administrative process in response to a petition request for reconsideration,” a U.S. official told CyberScoop.

“Each individual has demonstrated measures to separate themselves from the Intellexa Consortium and it has been determined that the circumstances resulting in the sanction no longer apply,” the official said. “The power of sanctions derive not only from the ability to designate individuals, but also from our willingness to remove sanctions consistent with the law.”

Only last month, an investigation concluded that despite sanctions against those three individuals and others, Intellexa had retained the capacity to remotely access the systems of Predator customers, raising human rights questions. Other reports from last month found evidence of expanded Predator targeting and exploitation of malicious mobile advertisements to infect targets.

Researchers and advocates who work on spyware issues found the sanctions removals concerning.

“The public deserves to know what evidence exists to prove that these individuals have ceased their involvement with Intellexa,” Natalia Krapiva, senior tech-legal counsel at Access Now, wrote on Bluesky.

John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said on X that he found the removals “puzzling,” adding that “Some in the mercenary spyware ecosystem are probably reading today’s Intellexa exec [delisting] as: ‘scoff at US, help hack Americans & you can still skirt consequences with the right lobbying.’”

The post Treasury removes Intellexa spyware-linked trio from sanctions list appeared first on CyberScoop.

Ransomware is on the decline, according to a study the Treasury Department released Thursday, pointing to fewer attacks and payments following an all-time spike in activity in 2023.

The Financial Crimes Enforcement Network (FinCEN) report on ransomware trends concluded more positive development in payments — the critical and most visible layer of attacks that have fueled the rise of these financially-motivated crimes for years. Total payments slid 33% from about $1.1 billion in 2023 to $734 million last year, federal researchers found.

Cybercrime experts and authorities have consistently pointed to payments as the most important measure of ransomware activity, asserting that cutting off the main driver of these crimes provides the best chance for creating a lasting deterrence of future attacks.

Dwindling ransomware payments from 2023 to 2024 is a positive sign, but it’s too early to celebrate the shift as an enduring decline. Payments previously jumped 77% year-over-year in 2023 and total ransomware payments during the three-year period ending in December 2024 topped $2.1 billion.

The three-year payments total is just slightly below the $2.4 billion in ransomware payments FinCEN attributed to the previous nine-year period ending in 2021.

The number of victims confronting ransomware still remains a largely unchanged epidemic, according to the study based on Bank Secrecy Act data from organizations that reported attacks to FinCEN. Officials received reports of 1,476 ransomware attacks last year, a mere 2% decrease from 1,512 incidents in 2023.

The report concluded manufacturing, financial services and healthcare organizations were the most heavily impacted by ransomware attacks last year. The manufacturing industry reported 456 incidents associated with almost $285 million in payments.

Organizations in the financial services sector reported 432 incidents last year linked to nearly $366 million in payments, and the healthcare industry reported 389 attacks totaling about $305 million in payments, the report found.

Officials said they identified 267 unique ransomware variants between 2022 and 2024. ALPHV/BlackCat was the most heavily reported ransomware variant, followed by Akira, LockBit, Phobos and Black Basta. 

FinCEN said 10 ransomware variants were responsible for a cumulative $1.5 billion in payments from 2022 to 2024.

The post Is ransomware finally on the decline? Treasury data offers cautious hope appeared first on CyberScoop.

The Treasury Department, along with officials from the United Kingdom and Australia, imposed sanctions Wednesday against two bulletproof hosting providers and key people involved in their operations, in a globally coordinated effort aimed at thwarting the role these services have in enabling ransomware, phishing operations, and data extortion campaigns around the world. 

Authorities sanctioned Media Land, three of its leaders and three affiliated companies for allegedly supporting ransomware operations and other cybercrime. The Russia-based bulletproof hosting provider has provided services to ransomware groups, including LockBit, BlackSuit and Play, officials said.

Authorities imposed sanctions on Media Land’s general director Alexsandr Volosovik, Kirill Zatolokin, Yulia Pankova and subsidiaries ML Cloud, Media Land Technology and Data Center Kirishi. 

“Media Land has been impactful largely because of its longevity. Recorded Future can trace attackers using their infrastructure back to at least 2015 — 10 years of activity,” Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.

“Targeting this kind of infrastructure can have a disruptive effect on the ransomware ecosystem,” he said. “It’s not the same as a takedown, but it makes it much more difficult for these threat actors to operate and continue to provide services.”

Cyber authorities with the Five Eyes intelligence alliance and the Netherlands also released a mitigation guide Wednesday, which offers tips to help defenders thwart cybercrime made possible by this infrastructure. Efforts to impair these services “requires a nuanced approach because bulletproof hosting infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders may impact legitimate activity,” officials said in a mitigation guide released Wednesday.

Despite the sanctions, Media Land’s infrastructure will remain online until the organization’s peering partners cut off key services, said Zach Edwards, senior threat analyst at Silent Push. One of those partners, JSC RetnNet is also based in Russia, but its other peering partner, RETN Limited, is a U.K.-based ISP, he said.

“The bulletproof hosting ecosystem is thriving and growing,” Edwards said, adding “we still need law enforcement to put more pressure on the peering partners who help to get bulletproof hosting infrastructure online and accessible to the rest of the internet.”

Cybercriminals use bulletproof hosting infrastructure to obfuscate their activities, including malware delivery, phishing, and host content and services that support ransomware, data extortion and denial of service attacks, officials said. 

“Bulletproof hosting is one of the core enablers of modern cybercrime,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a statement.

Officials also took action against companies and individuals who helped the previously sanctioned Aeza Group evade sanctions and reconstitute operations under new infrastructure and leadership.

U.K.-based Hypercore, Maksim Vladimirovich Makarov, the new alleged director of Azea, and Ilya Vladislavovich Zakirov were targeted with sanctions for supporting Aeza Group’s ongoing activity. Officials also sanctioned Smart Digital Ideas DOO and Datavice MCHJ for providing technical infrastructure to Azea.

“Bulletproof hosting providers are hosting the majority of cybercrime infrastructure used by a wide range of global threat actors for ransomware attacks, phishing campaigns, malware delivery and everything in between,” Edwards said. 

“Focusing on these malicious hosts should be a top law-enforcement priority to ensure we’re not just playing Whac-A-Mole with individual threat actors for years to come.”

The post Five Eyes just made life harder for bulletproof hosting providers appeared first on CyberScoop.

The Treasury Department on Tuesday sanctioned eight people and two companies it accused of laundering money obtained from cybercrime and IT worker schemes to fund North Korean government objectives.

According to the department, over the last three years North Korea-linked cybercriminals have stolen over $3 billion, mostly in cryptocurrency. In addition, it said, North Korean IT workers are netting hundreds of millions from schemes by faking their identities. It’s all in service of goals that endanger the security of the world, Treasury said.

The bank, IT company and financial institution personnel that the Office of Foreign Assets Control placed on the sanctions list Tuesday add to an ever-growing list this calendar year of parties the United States associates with North Korean cyber activity.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said John Hurley, Treasury undersecretary for terrorism and financial intelligence. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

The department designated Jang Kuk Chol and Ho Jong Son, two North Korean bankers; Korea Mangyongdae Computer Technology Company, an IT company; U Yong Su, president of that firm; and Ryujong Credit Bank, a North Korea-based financial institution. It also designated five people who work for North Korean financial institutions: Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom and Ri Jin Hyok.

The two bankers stand accused of managing cryptocurrency funds on behalf of a previously designated entity, First Credit Bank. The IT firm allegedly operates IT worker delegations from at least two cities in China. Treasury said Ryujong Credit Bank aids in avoiding sanctions between China and North Korea. The five employees are China or Russia-based North Korean representatives of the financial institutions who have allegedly facilitated illicit transactions.

Last month, a group of countries including the United States and allies in Europe and Asia published its latest report on North Korea’s evasions and violations of United Nations Security Council resolutions, this time focused on Pyongyang’s cyber and IT operations.

“The Democratic People’s Republic of Korea (DPRK or North Korea) is systematically engaged in violations of United Nations Security Council resolutions (UNSCRs) and related evasion activities through its Information Technology (IT) worker deployments and cyber operations, particularly as related to cryptocurrency theft and cryptocurrency laundering activities,” the report states. ”The DPRK’s cyber force is a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The post North Korean companies, people sanctioned for money laundering from cybercrime, IT worker schemes appeared first on CyberScoop.