View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 6.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Western Telematic Inc
Equipment: NPS Series, DSM Series, CPM Series
Vulnerability: External Control of File Name or Path
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated attacker to gain privileged access to files on the device's filesystem.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Western Telematic Inc products are affected:
Network Power Switch (NPS Series): Firmware Version 6.62 and prior
Console Server (DSM Series): Firmware Version 6.62 and prior
Console Server + PDU Combo Unit (CPM Series): Firmware Version 6.62 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 External Control of File Name or Path CWE-73
Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a Local File Inclusion Attack (LFI), where any authenticated user has privileged access to files on the device's filesystem.
CVE-2025-0630 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-0630. A base score of 6.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
notnotnotveg (notnotnotveg@gmail.com) reported this vulnerability to CISA.
4. MITIGATIONS
Western Telematic Inc reports this issue was discovered and patched in 2020. Western Telematic Inc recommends users follow best practices and update to the latest version.
For DSM/CPM units: Update to 8.06
For NPS units: Update 4.02
Ensure the default passwords are changed prior to deployment
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
February 4, 2025: Initial Publication

Western Telematic Inc NPS Series, DSM Series, CPM Series

An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.

Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden

Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself.

Cybersecurity researchers at the Positive Technologies Expert Security Center (PT ESC) have found a sneaky malware campaign targeting the Python Package Index (PyPI), a popular online repository for **Python software**. The attack focused on developers, machine learning engineers, and AI enthusiasts who might integrate DeepSeek AI into their projects.

It all began on January 29, 2025, when a suspicious user named “bvk,” whose account had been inactive since its creation in June 2023, uploaded two malicious packages: deepseeek or deepseekai. These packages were designed to mimic legitimate integrations with DeepSeek but contained malicious code aimed at stealing sensitive information from users’ systems.

Malicious DeepSeek packages (Via PT ESC)

Once installed, the harmful packages executed commands that collected system information and stole environment variables. These variables often contain critical data, such as credentials for cloud storage, database access, or other infrastructure resources. The stolen information was then sent to a command-and-control (C2) server hosted on Pipedream, a developer integration platform.

Interestingly, according to PT ESC’s **blog post** shared with Hackread.com, the attackers appeared to use an AI-powered assistant to write their malicious script, as evidenced by the code’s comments explaining its functionality. **AI-generated content** and codes have become a significant cybersecurity threat, with experts warning that the risk is only growing.

****Quick Action****

After discovering the malicious packages, Positive Technologies immediately alerted PyPI administrators, who quarantined and deleted the packages within an hour. However, during that short window, the packages had already been downloaded 222 times across various tools and methods in the following countries:

*   **US**: 117 downloads

*   **China**: 36 downloads

*   **Russia**: 12 downloads

*   Other countries, including Germany, Canada, and Hong Kong, also reported downloads.

****Exploiting DeepSeek’s Popularity****

Although the attack was contained before causing large-scale harm, it presents important questions about the security of open-source repositories. Cybercriminals frequently monitor emerging trends and exploit them to trick unsuspecting users. In this example, the **popularity of DeepSeek** likely attracted malicious actors seeking to exploit its growing user base.

In a comment to Hackread.com, **Jason Soroko**, Senior Fellow at Sectigo, emphasized the impact of this incident stating, “This report underscores how attackers exploit trusted naming conventions and the reliance on authentic package sources within the open-source ecosystem. While the threat was neutralized quickly, it serves as a reminder of the growing risks associated with software supply chains.”

****Protecting Yourself from Similar Threats****

This incident is a good sign to be careful when downloading and installing software, especially from public repositories like PyPI. Here are a few quick tips to help you stay safe:

*   **Security Tools**: Use services like Positive Technologies’ PyAnalysis, which monitors PyPI for malicious activity in real-time.

*   **Verify Package Sources**: Only download well-established packages with a strong reputation. Be cautious of newly uploaded tools, especially those with names similar to popular projects.

*   **Scan Dependencies**: Use tools to analyze the code of packages before installing them.

*   **Monitor Environment Variables**: Keep an eye on sensitive data stored in your system and limit its exposure where possible.

Hackers Hide Malware in Fake DeepSeek PyPI Packages

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Title: ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5911  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 03.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[03.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_rce5.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[03.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution

Anthropic says its Constitutional Classifiers approach offers a practical way to make it harder for bad actors to try and coerce an AI model off its guardrails.

Source: Tada Images via Shutterstock

Researchers at Anthropic, the company behind the Claude AI assistant, have developed an approach they believe provides a practical, scalable method to make it harder for malicious actors to jailbreak or bypass the built-in safety mechanisms of a range of large language models (LLMs).

The approach employs a set of natural language rules — or a "constitution" — to create categories of permitted and disallowed content in an AI model's input and output, and then uses synthetic data to train the model to recognize and apply those content classifiers.

**"Constitutional Classifiers" Anti-Jailbreak Technique**

In a technical paper released this week, the Anthropic researchers said their so-called Constitutional Classifiers approach was as effective against universal jailbreaks, withstanding more than 3,000 hours of human red-teaming by some 183 white-hat hackers through the HackerOne bug bounty program.

"These Constitutional Classifiers are input and output classifiers trained on synthetically generated data that filter the overwhelming majority of jailbreaks with minimal over-refusals and without incurring a large compute overhead," the researchers said in an related blog post. They have established a demo website where anyone with experience jailbreaking an LLM can try out their system for the next week (Feb. 3 to Feb. 10).

Related:AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

In the context of generative AI (GenAI) models, a jailbreak is any prompt or set of prompts that causes the model to bypass its built-in content filters, safety mechanisms, and ethical constraints. They typically involve a researcher — or a bad actor — crafting specific input sequences, using linguistic tricks and even role-playing scenarios to trick an AI model into escaping its protective guardrails and spewing out potentially dangerous, malicious, and incorrect content.

The most recent example involves researchers at Wallarm extracting secrets from DeepSeek, the Chinese generative AI tool that recently upended long held notions of just how much compute power is required to power an LLM. Since ChatGPT exploded on the scene in November 2022, there have been multiple other examples including one where researchers used one LLM to jailbreak a second, another involving the repetitive use of certain words to get an LLM to spill its training data and another through doctored images and audio.

**Balancing Effectiveness With Efficiency**

In developing the Constitutional Classifiers system, the researchers wanted to ensure a high rate of effectiveness against jailbreaking attempts without drastically impacting the ability for people to extract legitimate information from an AI model. One simplistic example was ensuring the model could distinguish between a prompt asking for a list of common medications or for explaining the properties of household chemicals versus a request on where to acquire a restricted chemical or purifying it. The researchers also wanted to ensure minimal additional computing overhead when using the classifiers.

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

In tests, researchers had a jailbreak success rate of 86% on a version of Claude with no defensive classifiers, compared to 4.4% on one using a Constitutional Classifier. According to the researchers, using the classifier increased refusal rates by less than 1% and compute costs by nearly 24% compared to the unguarded model.

**LLM Jailbreaks: A Major Threat**

Jailbreaks have emerged as a major consideration when it comes to making GenAI models with sophisticated scientific capabilities widely available. The concern is that it gives even an unskilled actor the opportunity to "uplift" their skills to expert-level capabilities. This can become an especially big problem when it comes to trying to jailbreak LLMs into divulging dangerous chemical, biological, radiological, or nuclear (CBRN) information, the Anthropic researchers noted.

Related:Code-Scanning Tool's License at Heart of Security Breakup

Their work focused on how to augment an LLM with classifiers that monitor an AI model's inputs and outputs and blocks potentially harmful content. Instead of using hard-coded static filtering, they wanted something that would have a more sophisticated understanding of a model's guardrails and act as a real-time filter when generating responses or receiving inputs. "This simple approach is highly effective: in over 3,000 hours of human red teaming on a classifier-guarded system, we observed no successful universal jailbreaks in our target...domain," the researchers wrote. The red-team tests involved the bug bounty hunters trying to obtain answers from Claude AI to a set of harmful questions involving CBRN risks, using thousands of known jailbreaking hacks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

Everyone's all about working in the cloud, but what's happening with these folks? What are they doing, and what do they want? Send us a cybersecurity-related caption to describe the above scene. Our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Feb. 25, 2025, deadline:

*   Via social media: BlueSky (new!), Facebook, LinkedIn, and X.
    

If you win, we'll respond to you on the same platform, requesting your email address to send you the gift card.

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Trey Rose for sending us the winning caption for January's "Greetings and Salutations" Edge cartoon. Some noteworthy contenders included "I guess that’s one way to prove you’re not a robot," "I always thought man-in-the-middle was something else," and "This has got to be your worst attempt at a Trojan Horse yet." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: In the Cloud

The healthcare industry has become increasingly reliant on technology to enhance patient care, from advanced image-guided surgery to…

The healthcare industry has become increasingly reliant on technology to enhance patient care, from advanced image-guided surgery to computerized provider order entry (CPOE). However, this dependence has also made it a prime target for cybercriminals.

Hospitals, clinics, and medical practitioners handle vast amounts of sensitive data, including medical records, financial information, and administrative details. This data holds substantial value on the black market, where it is often exploited for identity theft or financial fraud.

****Ransomware Attacks on Healthcare Organizations****

In 2024, a ransomware attack on Synnovis, a pathology testing organization serving two NHS trusts in London, resulted in the theft of patient data. Hackers infiltrated the laboratory’s computer systems, making crucial medical information inaccessible. The group behind the attack later published portions of the stolen data online, including personal identifiers such as names, NHS numbers, and test codes.

This incident highlights the complexity of ransomware attacks and the ongoing risks they pose. To reduce the likelihood of similar breaches, healthcare organizations must conduct regular cybersecurity risk assessments, strengthen data protection protocols, and provide staff training to minimize human error.

****The Need for Stronger Data Protection Measures****

Many countries in Europe have strengthened data protection and cybersecurity laws in recent years, with significant implications for healthcare systems. Medical institutions regularly process highly sensitive personal data, and a lack of funding for security measures does not justify neglecting data protection responsibilities.

Personally identifiable information must be safeguarded against unauthorized access, loss, or damage. Failing to do so can have severe consequences, including a loss of trust in healthcare institutions and regulatory penalties.

****Consequences of Data Breaches in Healthcare****

Health data is classified as a special category of information under the UK GDPR, requiring stricter security measures. Organizations handling such data must conduct risk assessments before processing any information that could pose a threat to individual privacy.

Unauthorized access to patient records can lead to serious consequences, such as identity theft, financial fraud, and reputational harm for healthcare providers. Additionally, failure to comply with data protection laws can result in legal and regulatory penalties.

****How to Check If Your Health Data Has Been Leaked****

A data breach is a serious violation of privacy, often exposing individuals to fraud and scams. Cybercriminals may use stolen medical data to craft convincing phishing emails or impersonate healthcare providers in an attempt to extract further personal information.

To minimize the risk, only authorized healthcare professionals should handle sensitive medical records, and administrative staff must be reminded of their confidentiality obligations. If you suspect your information has been compromised, find out exactly what was exposed.

Since tracking all online activity is nearly impossible, your personal data may already be circulating on the dark web. To check what information about you is publicly accessible, search your full name on major search engines. A larger digital footprint increases the risk of exposure. Healthcare organizations must notify patients if their data has been compromised and provide guidance on protective measures.

****Legal Rights and Compensation for Data Breaches – You Can Sue A Healthcare Organization For Breaching Your GDPR Rights****

Under the General Data Protection Regulation (GDPR), organizations are required to implement security measures that protect against data corruption, compromise, or loss. Healthcare institutions use various cybersecurity tools, including firewalls, identity and access management systems, and encryption, to safeguard patient data.

If you have suffered from damaging consequences of a data breach, such as financial loss or privacy violations, you may be entitled to compensation. It is advisable to consult legal experts to assess the strength of your case rather than relying on online legal advice.

The GDPR allows individuals to take legal action when their data protection rights have been violated. Compensation claims are particularly relevant in cases of significant breaches, with litigation processes in the UK following a model similar to those in the United States. Victims can pursue claims individually or as part of group litigation.

****Steps to Take Immediately After a Data Breach****

The loss of personal data can be distressing, but there are steps you can take to mitigate potential harm:

*   **Check for free credit monitoring services** – Some organizations offer free credit monitoring to affected individuals. These services alert you to suspicious activity, such as new credit applications in your name.
*   **Update your passwords immediately** – If your credentials have been compromised, change your login information as soon as possible to prevent unauthorized access.
*   **Stay alert for scams** – Cybercriminals may exploit your leaked data to trick you into revealing more information or making fraudulent payments. Be wary of unexpected emails or phone calls requesting sensitive details.

Be mindful of the information you share with healthcare providers, as excessive data disclosure could increase your risk of exposure. Only provide the details necessary for your care, and stay alert about cybersecurity threats.

Image credits: Pixabay

Your Health Information Was Compromised. Now What? 

Though Windows, iOS, and macOS users won't need to make any changes, Android users are advised to remove their Defender VPN profiles.

Source: CryptoFX via Alamy Stock Photo

NEWS BRIEF

Microsoft is notifying users that it will no longer support the Privacy Protection VPN feature within the Microsoft Defender app. The feature will be removed on Feb. 28.

Microsoft Defender checks files or apps downloaded and installed on a device for any malicious software, as well as runs scans of files already on a system. It works alongside third-party anti-malware solutions and is included as part of a Microsoft 365 Personal or Family subscription.

Microsoft plans to eliminate only the VPN feature and will still provide device protection, identity theft monitoring, and credit monitoring in the US.

The support update document announcing the change did not have a lot of detail but stated that removing the privacy protection benefit will allow the company to "invest in new areas that will better align to customer needs." The document also notes the company routinely evaluates the effectiveness of its features.

Though Windows, iOS, and macOS users won't have to take any action, Microsoft provided instructions for Android users to follow because the VPN profile must be removed from devices manually.

"Not removing the Defender VPN profile on your Android device will not cause any impact to your device but it's recommended to remove it as it won't be used by Defender to provide protection," Microsoft stated.

Android users can follow the steps below to remove their Defender VPN profiles:

3.  Users should see a "Microsoft Defender" VPN profile in the list of VPN profiles if they've onboarded to privacy protection.
    
4.  Click on the "Info" icon and remove the profile.
    

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Sets End Date for Defender VPN

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

Source: ifeelstock via Alamy Stock Photo

Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that's probably not the only platform loaded with fake, malicious DeepSeek packages, and that developers should proceed with care.

Researchers with Positive Technologies discovered the malicious packages, labeled "deepseekai" and "deepseeek," trying to trick developers into thinking they were legit.

"The attack targeted developers, machine learning \[ML\] engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems," the Positive Technologies researchers wrote in an analysis.

The account behind the attack, "bvk," was created in June 2023 and sat dormant until the campaign sprang to life on Jan. 29, according to the report. When executed, the researchers noted both "deepseeek" and "deepseekai" drop infostealers to steal sensitive data, including API keys, database credentials, and permissions.

The malicious PyPi packages have been deleted, but there's evidence they were downloaded 36 times using the pip package manager and the bandersnatch mirroring tool, and 186 times using the browser, the researchers reported.

"Sometimes API keys aren’t leaked, they’re just plain stolen," Tim Erlin, vice president of product at Wallarm says. "This incident is a good example of attackers taking advantage of the prevailing news cycle. Anytime you’re doing something popular, whether clicking on a link or installing a PyPi package, it’s best to approach the task with a healthy dose of skepticism."

Related:'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

That mindset can help developers avoid making similar cybersecurity slip-ups, according to Mike McGuire, senior security solutions manager with Black Duck.

"In their eagerness to leverage DeepSeek in their tasks, many developers missed the 'red flag' that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result," McGuire says.

Ironically given how advanced DeepSeek's capabilities are touted to be, the attack itself was a fairly low-tech affair, Michael Lieberman, CTO at Kusari, notes.

"Typosquatting attacks are popular because they work," Kusari points out. "It's easy for a developer to mistype a word or use something with a similar-sounding name and suddenly their application is pulling in malicious code. Popular or trendy technologies are at particular risk since the pool of potential victims is larger."

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

**Adversaries Using AI to Write Code Faster Too**

In a novel twist, the researchers found evidence the threat actors used AI to write the malicious code.

"There are clear indications that the compromised code was written with AI assistance, providing a real-world example of AI being used for malicious intent," Wallarm's Erlin says.

Erlin adds that developers should expect similar malicious packages to be scattered among various platforms.

"Developers, with malintent or not, are heavily invested in using AI to be more efficient." he adds. "AI lets developers write more code, faster. We should expect to see the volume of malicious code expand at the same rate as code in general."

To protect their environments from these threats, Raj Mallempati, CEO of BlueFlag Security, says developers need to implement strong security practices throughout the software development lifecycle (SDLC). That means using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.

"This recent incident underscores the need for developers to specifically protect against threats like OSS typosquatting," Mallempati explains. "Double checking package names and verifying package sources that come from DeepSeek will be key here. As well, developers should enable dependency scanning tools like Github dependabot to ensure they are not downloading malicious packages."

Related:Code-Scanning Tool's License at Heart of Security Breakup

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

Cybercriminals posted nearly 6,000 breaches to data-leak sites last year — and despite significant takedowns, they continued to thrive in a record-breaking year for ransomware.

Source: VectorFusionArt via Shutterstock

A surge in ransomware groups in 2024 left companies facing increased attacks, even as law enforcement ramped up investigations against well-known groups such as LockBit, and dismantled popular cybercriminal services, such as phishing-as-a-service provider LabHost and the encrypted messaging platform Ghost.

A pair of new studies outlines the state of play. Overall, more than 75 ransomware groups were actively compromising targets in 2024, compared to only 43 the prior year, according to a recent Rapid7 analysis. As a result, more than half of organizations suffered a successful attack, and the majority of those impacted shut down some operations leading to significant revenue loss, according to a large survey of IT and cybersecurity practitioners conducted by the Ponemon Institute.

As long as extortion continues to be profitable, organizations will have to contend with significant threats, says Trevor Dearing, director of critical infrastructure solutions at Illumio, a zero-trust security firm and sponsor of the Ponemon report.

"When some of those gangs were taken down, there was a dip in activity, but they get very quickly replaced, and that's the challenge," he says. "It's a battle that is is worth fighting and it does slow them down, but this is only part of the response we have to have."

Related:1-Click Phishing Campaign Targets High-Profile X Accounts

The pace of compromises appears to be only accelerating, with about 15% more ransomware attacks in 2024, compared to the previous year, according to data collected by both NCC Group and Rapid7. Their tallies differed slightly, but trended in the same direction. And last month, the number of successful attacks claimed by ransomware groups averaged 18 per day, up from less than 15 in December, according to Rapid7's data.

RansomHub, LockBit, and Play were the most prolific ransomware groups in 2024, as measured by the number of breach posts. Source: Author based on Rapid7 data

Overall, cybercriminals compromised nearly 6,000 victims, posting their information to public data-leak sites, with well-known ransomware groups — such as RansomHub, LockBit, and Play — making tens of millions of dollars each in ransom payments from victims, even as fewer victims paid lower average ransoms, the company found.

**Laying Down the Law on Cybercrime**

The ransomware gains came despite increased law enforcement activity. In September, European law enforcement disrupted the Ghost encrypted communications platform used by organized crime groups. In November, Canadian authorities arrested the hacker behind the compromise of 165 firms' Snowflake instances, who had demanded ransoms ranging from $300,000 to $5 million. And, in December, Israeli law enforcement arrested a 51-year-old LockBit developer in Israel.

Related:Can AI & the Cyber Trust Mark Rebuild Endpoint Confidence?

While law enforcement efforts are having an impact on cybercriminal operations, their efforts appear to be fracturing the ecosystem, as more groups and a greater number of providers offer cybercriminal services, says Christiaan Beek, senior director of threat analytics for Rapid7.

"Law enforcement is really fighting hard to take on the biggest groups \[that are causing businesses\] a lot of problems, and we highly applaud those initiatives," he says. "But the money is really attracting people, and especially if you are in certain countries where you're hard to catch or protected by the government ... then \[becoming a ransomware operator\] almost feels like a safe option."

**Paying Ransoms Is No Guarantee of Cyber Safety**

Estimates of the ransom amounts paid by companies varied significantly, with ransomware specialist Coveware estimating that the victims paid a median of $200,000 in Q3 2024, while a survey of more than 2,500 companies conducted by the Ponemon Institute estimated the average ransom demanded to be $1.2 million.

And those figures do not include investigation and clean up costs, Illumio's Dearing says.

"There was almost a doubling in the \[share of companies\] that lost significant revenue, and that reflects something that we're seeing across the board — both from financially motivated ransomware attackers, nation-states, or hacktivists — they are just trying to disrupt things," he says, adding, "Organizations need to think a lot more about incident response, about containing attacks, about trying to make sure that they actually stay in business if there's an attack."

Related:PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

The survey also found that paying a ransom rarely solves the problem of lost data nor ends the targeting by attackers. Half of all companies (51%) suffered a ransomware attack in 2024, but less than half received a decryption key, and the attacker demanded more money in a third of cases. In the end, only 13% of companies eventually recovered all of their data, according the Ponemon Institute report.

**Plan for Alternate Operations for Business Continuity**

Early detection and a plan to continue operations in the face of disruption matter most when it comes to minimizing the impact of a cyberattack. Of the companies that did not pay a ransom, nearly half had backups from which they could recover data, while a similar number deemed the data not important enough to pay the ransom.

In the best case scenario, companies can quickly move to cloud operations — or another plan for business continuity — giving them the best chance of recovering without drastic impacts, Rapid7's Beek says.

"We saw one company flip the switch, and suddenly the whole business was running on cloud resources while they were restoring the day-to-day operations," he says. "So the ransomware incident hardly impacted the business."

Companies that have a lack of visibility into — and a lack of security controls protecting — their networks face the most damaging disruption, says Illumio's Dearing.

"Things that allow lateral movement within organizations — like unpatched systems and weak passwords and open RDP ports — help attackers," he says. "So there's an amount of basics that companies need to take."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#auth