Ransomware payments fell 35% last year, Chainalysis

Fed CIOs will become political appointees, Trump tries to thin CIA's ranks, DeepSeek's R1 ranks lowest in cybersecurity, Oz bans DeepSeek from government offices, Thailand shuts power from scammer compounds, Unions sue Treasury for database plundering, Evans now CISA senior adviser, much more

Source: Chainalysis.

According to a new report from Chainalysis, the ransomware business suffered in 2024, with payments falling 35% year over year.

Though the number of ransomware attacks increased in 2024, ransomware gangs made less money, pulling in $814 million compared to 2023’s record-high sum of $1.25 billion. The blockchain analytics firm attributes the decline to various factors, including an uptick in law enforcement actions and sanctions and a growing refusal by victims to pay their attackers.

Jacqueline Burns Koven, Chainalysis' head of cyber threat intelligence, said that last year, less than half of all recorded ransomware attacks resulted in victim payments.

Chainalysis’ report also suggests that ransomware attackers are struggling to cash out their ill-gotten gains. The firm found a “substantial decline” in the use of crypto mixers in 2024, which the report attributed to the “disruptive impact of sanctions and law enforcement actions, such as those against ChipMixer, Tornado Cash, and Sinbad.”

Last year, more ransomware actors held their funds in personal wallets, according to the report. (Cheyenne Ligon / Cointelegraph)

Related: Chainalysis, TechTarget, CoinDesk, The Block, The Record

The US Office of Personnel Management (OPM) will make each government agency’s chief information officer a political appointee position instead of its long-standing "career reserved," non-partisan status.

The change will make the roles “general,” opening them to a wide variety of appointees. It is set to take effect by Feb. 14.

Acting OPM Director Charles Ezell said the move will better align those employees with the Trump administration’s agenda. 

“No longer the station of impartial and apolitical technocrats, the modern agency CIO role demands policy-making and policy-determining capabilities across a range of controversial political topics,” Ezell wrote.

The White House “rightly expects that agency CIOs will be on the front lines of articulating and implementing such policies, both within government and before the general public,” he added. (Kevin Collier / NBC News)

Related: CHCOC.gov, NextGov/FCW

The CIA became the first intelligence agency to tell its employees that they could quit their jobs and receive about eight months of pay and benefits as part of Trump’s push to downsize the federal government.

Last month's offer to most civilian federal agencies exempted some categories of federal workers, including those with national security roles.

The agency is also freezing the hiring of applicants who have already received conditional offers, an aide to CIA Director John Ratcliffe said. Some offers are likely to be rescinded if the applicants do not have the right background for the agency’s new priorities, which the aide said include supporting Trump’s trade war and undermining China.

“There’s no statutory authority that I can see for the president making this offer,” said Sen. Tim Kaine (D., Va.), who represents tens of thousands of federal workers and said no constituents have told him they are taking the deal. Doing so presents risk, he said: “The administration immediately knows, you don’t want to work for me. They’ll find some other way to get rid of you. You should not raise your hand.” (Joel Schectman and Dustin Volz / Wall Street Journal)

Related: CNN, The Guardian, Reuters, USA Today, ABC News

LatticeFlow AI, a Swiss software firm that measures how compliant AI models are with regulations, says that two versions of DeepSeek’s R1 model rank lowest among other leading systems regarding cybersecurity.

When the Chinese company modified existing open-source models from Meta Platforms Inc. and Alibaba, known as Llama and Qwen, to make them more efficient, it may have broken some of those models’ key safety features.

DeepSeek’s models were especially vulnerable to “goal hijacking” and prompt leakage, LatticeFlow said. That refers to when an AI can be tricked into ignoring its safety guardrails, revealing sensitive information, or performing harmful actions it’s supposed to prevent. DeepSeek could not be reached for comment.

Other security researchers have been probing DeepSeek’s models and finding vulnerabilities, particularly in getting the models to do things they’re not supposed to, like giving step-by-step instructions on how to build a bomb or hotwire a car, a process known as jailbreaking. “[DeepSeek is] completely insecure against all jailbreak approaches, while the OpenAI and Anthropic reasoning models became much safer compared to their older, non-reasoning versions that we tested last year,” says Alex Polyakov, CEO of Adversa AI, an Israeli AI security firm that tested DeepSeek models. (Parmy Olson / Bloomberg)

Related: LatticeFlow AI, Compli-AI, Adversa, R Street Institute, eeNews

Australia has banned the AI platform DeepSeek from all government devices and systems because of the security risk the Chinese artificial intelligence (AI) startup poses.

The Australian government has insisted the ban is not due to the app's Chinese origins but because of the "unacceptable risk" it poses to national security.

Australia's move specifically requires any government entities to "prevent the use or installation of DeepSeek products, applications and web services" and remove any previously installed, on any government system or device.

That means a wide range of workers, including those working in varied areas such as the Australia Electoral Commission and Bureau of Meteorology, will not be able to use the tools in the country.

It is less clear whether it means DeepSeek would be banned from public sector computers in different areas of the economy, such as schools.

The ban does not extend to private citizens' devices. (Tom Gerken / BBC News)

Related: CNN, The Independent, Reuters, Euronews, Times of India, iTnews - Security, Reddit cybersecurity, Computerworld Security, AndroidHeadlines.com, Business Insider, Digital Journal

Thailand will suspend electricity supply to some border areas with Myanmar to curb scam centers amid growing pressure on the illegal compounds that have ensnared vast numbers of people of multiple nationalities.

"We must take action to cut off the electricity immediately," Thai Deputy Prime Minister Phumtham Wechayachai told reporters, adding authorities would instruct the Provincial Electricity Authority that supplies power to these areas to cut it off.

The scam compounds have come into renewed focus after Chinese actor Wang Xing was abducted after arriving in Thailand last month. He was later freed by Thai police, who found him in Myanmar.

The chief of Thailand's National Security Council said evidence showed transnational crime syndicates operating in Myanmar's Tachileik, Myawaddy, and Payathonzu, outlining areas the power supply cuts may target. (Panarat Thepgumpanat / Reuters)

Related: CNN, Fortune, Associated Press, Bloomberg, Firstpost, China Daily, Nation Thailand, Inside Asian Gaming, Bangkok Post

A joint investigation by researchers from Intezer and Solis Security is warning that Vietnamese cybercrime group XE Group targeted VeraCore, a platform used by fulfillment companies, commercial printers, and e-retailers to manage orders and operations.

The investigators found evidence that the group exploited two previously unknown (zero-day) vulnerabilities in the VeraCore application, one in upload validation and another in SQL processing, to bypass security controls, gain and maintain unauthorized access, deploy webshells, exfiltrate configuration files, and move laterally within compromised networks.

Interestingly, the researchers found that the same system had been compromised before. In January 2020, attackers exploited a similar vulnerability, gaining valid credentials that later facilitated the reactivation of webshells in 2024. (Ryan Naraine / Security Week)

Related: Intezer, ASIS, MSSP Alert, Cyberscoop

Thomas Shedd, an associate of Elon Musk and now head of the General Services Administration’s Technology Transformation Services (TTS), told government tech workers in a meeting this week that the administration plans to deploy AI widely throughout the government.

Shedd also said the administration would need help altering login.gov, a government login system, to further integrate with sensitive systems like social security “to further identify individuals and detect and prevent fraud,” which employees identified at the meeting as “an illegal task.”

Shedd, who is a former Tesla engineer, said the government should “try to get consent” regarding login.gov changes but that “we should still push forward and see what we can do.” (Jason Koebler, Joseph Cox, Emanuel Maiberg / 404 Media)

Related: Wired, New York Times

Union groups representing 7.2 million people filed a lawsuit against the Treasury Department for transferring information, including Social Security numbers, tax return data, and bank account details, to Elon Musk’s Department of Government Efficiency (DOGE).

The plaintiffs in the lawsuit, which include the Alliance for Retired Americans, the American Federation of Government Employees, and the Service Employees International Union, allege that Musk and his surrogates are violating the Privacy Act. This federal law prohibits the government from sharing individuals’ records without consent or unless a statutory exception applies.

Exceptions include allowing disclosure to “those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties” or for “routine use” only when an agency formally describes that intended use in the federal register at least 30 days before acting.

The suit also alleges that DOGE workers are violating the Internal Revenue Code provision requiring that tax returns and return information be kept confidential: Treasury officers and employees may access return information only if their official duties require it for tax administration purposes.

“The scale of the intrusion into individuals’ privacy is massive and unprecedented,” says the lawsuit, which was brought by the Public Citizen Litigation Group and State Democracy Defenders Fund. (Suzanne Smalley / The Record)

Related: NextGov/FCW, Politico, Business Insider, Forbes, The Guardian, FedScoop, Courthouse News, Spectrum News, UPI, Axios, The New York Times

Researchers at Trend Micro say Russian threat actors exploited a 7-Zip vulnerability that bypasses the Windows Mark of the Web (MotW) security feature as a zero-day since September 2024.

The flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government and private organizations in the country.

The Mark of the Web is a Windows security feature that flags files obtained from untrusted sources so that Windows warns the user and requests confirmation through an additional prompt before running them. Bypassing MotW allows malicious files to run on the victim's machine without that warning.

Trend Micro's Zero Day Initiative (ZDI) team first discovered the flaw, now tracked as CVE-2025-0411, on September 25, 2024, observing it in attacks carried out by Russian threat actors.

The attackers leveraged CVE-2025-0411 using double-archived files (an archive within an archive): 7-Zip did not propagate the MotW flag from the outer archive to files extracted from the inner one, so the malicious file executed without triggering any warning.

The specially crafted archive files were sent to targets via phishing emails from compromised Ukrainian government accounts, which helped them bypass security filters and appear legitimate. Using homoglyph techniques, the attackers disguised their payloads within the 7-Zip files, making them appear to be harmless Word or PDF documents.

Users are strongly advised to install the latest version of 7-Zip (24.09 or later, which fixes the flaw); 7-Zip has no auto-update mechanism, so the update must be downloaded and installed manually. (Bill Toulas / Bleeping Computer)

Related: Trend Micro, Security Week, Help Net Security, BankInfoSecurity

Sample phishing email coming from a compromised Ukrainian government email account. Source: Trend Micro.
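Added example, not code from Trend Micro, 7-Zip, or the campaign itself: a small Python scanner for the two tells of the lure described above, a nested archive whose name claims to be a document and a document-looking extension assembled from homoglyphs, plus a reader for the Zone.Identifier stream that carries the Mark of the Web. It uses zip for both layers because the Python standard library has no 7z support (the real campaign used 7-Zip archives), the Cyrillic confusables list is a small illustrative subset rather than the full Unicode table, and the sample archive is constructed inline.

```python
"""Scan a zip archive for the two tells of a double-archive, homoglyph lure:
a nested archive masquerading as a document, and a document-looking extension
built from look-alike letters. Added example, not Trend Micro's code; the
sample archives are constructed inline."""
import io
import os
import zipfile

# Leading bytes of common archive formats (7-Zip opens files by content, not by name).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx"}  # legitimately zip-based formats
# Cyrillic letters that render like Latin ones; an illustrative subset, not a
# complete Unicode confusables table.
CONFUSABLES = str.maketrans({
    "а": "a", "с": "c", "е": "e", "о": "o", "р": "p", "х": "x", "у": "y", "і": "i",
    "А": "A", "С": "C", "Е": "E", "О": "O", "Р": "P", "Х": "X", "У": "Y", "І": "I",
})


def fold_confusables(text: str) -> str:
    """Map look-alike Cyrillic letters to the Latin letters they imitate."""
    return text.translate(CONFUSABLES)


def archive_kind(head: bytes):
    """Return the archive format indicated by the leading bytes, or None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def is_real_ooxml(data: bytes) -> bool:
    """A genuine .docx/.xlsx/.pptx is a zip that carries [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "[Content_Types].xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def scan_archive(data: bytes):
    """Return (member name, reason) findings for an outer zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1]
            folded = fold_confusables(ext).lower()
            # Tell 1: the extension only *looks* like a document extension.
            if folded != ext.lower() and folded in DOC_EXTS:
                findings.append((name, f"homoglyph extension spoofing {folded}"))
            payload = z.read(name)  # sample data is tiny; stream only the head in production
            kind = archive_kind(payload[:8])
            # A real OOXML document is a zip too, so do not flag that case.
            if kind == "zip" and folded in OOXML_EXTS and is_real_ooxml(payload):
                continue
            # Tell 2: a member that is itself an archive, whatever its name says.
            if kind is not None:
                findings.append((name, f"nested {kind} archive"))
    return findings


def read_motw(path: str):
    """Return the ZoneId from the file's Zone.Identifier alternate data stream
    (the Mark of the Web), or None when the stream is absent or the filesystem
    has no ADS support (any non-NTFS volume, including this example on Linux)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            for line in f:
                key, _, value = line.strip().partition("=")
                if key == "ZoneId":
                    return int(value)
    except (OSError, ValueError):
        return None
    return None


def build_sample() -> bytes:
    """Constructed lure: an outer zip whose 'document' is really a zip holding an EXE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.exe", b"MZ" + b"\x00" * 62)  # fake PE header, constructed
    ooxml = io.BytesIO()
    with zipfile.ZipFile(ooxml, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", b"<w:document/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")       # benign
        z.writestr("letter.docx", ooxml.getvalue())            # benign, zip-based
        z.writestr("Документи.d\u043ec", inner.getvalue())     # ".doc" with Cyrillic 'о'
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample()):
        print(f"{member!r}: {reason}")
```

A legitimate Ukrainian filename mixes scripts across the whole name, so the check folds only the extension; flagging every mixed-script name would drown a mail gateway in false positives. On a Windows host, read_motw can also confirm whether a file pulled out of the inner archive received the Zone.Identifier stream at all, which is exactly what an unpatched 7-Zip fails to propagate.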

SentinelOne researchers have discovered a new malware strain called FlexibleFerret, which was used as part of the ongoing North Korean Contagious Interview campaign with threat actors luring victims to install malware through the job interview process.

Last week, Apple pushed a signature update to its on-device malware tool XProtect to block several variants of the macOS Ferret family.

“Some components of the FERRET family including FlexibleFerret are not blocked by XProtect,” said SentinelLabs researcher Phil Stokes. “However, other mechanisms such as revoked developer cert may help for specific samples. In general, security teams should ensure they have a solution that blocks the list of IoCs in our post independently of Apple’s mechanisms to ensure adequate protection.” (Steve Zurier / SC Media)

Related: SentinelOne, CSO Online

Brian Krebs has traced internet breadcrumbs to try to identify who is behind Cracked and Nulled, the English-language cybercrime forums seized last week by the FBI.

Archived webpages show that both RDP services were owned by an entity called 1337 Services GmbH. According to corporate records compiled by Northdata.com, 1337 Services GmbH is also known as AS210558 and is incorporated in Hamburg, Germany.

The Cracked forum administrator went by the nicknames “FlorainN” and “StarkRDP” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.

Northdata’s business profile for 1337 Services GmbH shows the company is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28. (Brian Krebs / Krebs on Security)

Elizabeth Kelly, the top official at the US AI Safety Institute, is stepping down, raising new uncertainty about the future of a key government group focused on artificial intelligence under the Trump administration.

Housed under the Commerce Department, the US AI Safety Institute works with academics and developers to identify and mitigate risks from cutting-edge AI systems. It was created after former President Joe Biden signed an executive order in 2023 calling for leading AI companies to share safety test results and critical information with the federal government.

Since taking office, Trump has moved swiftly to put his own stamp on AI policy, rescinding Biden’s order and calling for a new approach to boost US dominance in artificial intelligence. Trump also touted a massive new venture from OpenAI, SoftBank Group, and Oracle that promises to invest $100 billion in infrastructure to support AI development. (Shirin Ghaffary and Oma Seddiq / Bloomberg)

Karen Evans, a former cyber executive at the Department of Homeland Security and the Energy Department, has joined the Cybersecurity and Infrastructure Security Agency as senior adviser for cybersecurity.

A CISA spokesman did not confirm whether Evans would be elevated to a permanent role at the agency. However, multiple sources have said Evans is likely to either be named executive assistant director for cybersecurity at CISA or move on to a top position at DHS headquarters. (Justin Doubleday / Federal News Network)

Related: ExecutiveGov, Meritalk, NextGov/FCW, Homeland Security Today

Best Thing of the Day: Now Do Elon

A 2011 post from Donald Trump on X now includes a fake nude photo of him entitled Trump's Meat thanks to a bug discovered by scammers.

Worst Thing of the Day: Long Gone Are the Days of Don't Be Evil

Google removed language from its AI principles promising not to pursue “technologies that cause or are likely to cause overall harm,” “weapons or other technologies whose principal purpose or implementation is to cause or directly facilitate injury to people,” “technologies that gather or use information for surveillance violating internationally accepted norms,” and “technologies whose purpose contravenes widely accepted principles of international law and human rights.”
