
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, December 9, 2025. I'm Lauren Verno.
Ransomware payments pass 4.5 billion.
Ransomware payments reported to the U.S. Treasury's Financial Crimes Enforcement Network, or FinCEN, have now topped $4.5 billion, with 2023 standing out as the most expensive year on record. More than 2.1 billion was paid between 2022 and 2024, including 1.1 billion in 2023 alone. Akira accounted for the most reported incidents, but BlackCat took in the biggest haul with nearly $400 million in payments. Financial services, manufacturing and healthcare remained the hardest hit sectors, and most ransom demands did stay under $250,000.
Cybercrime networks orchestrate real-world violence.
This is one of those stories where I triple checked my sources. Europol's Operation Grim has arrested nearly 200 people, including minors, over the past six months for involvement in contract killings and other violent crimes orchestrated online. The operation targets, quote, violence as a service networks that groom teens to commit attacks. Cases include two attempted murder plots and a triple shooting that killed two three people in the Netherlands earlier this year. Investigators say the activity is tied to cybercrime groups like The Com, who are more commonly known for their SIM swapping and extortion scams.
Three arrested over possessing hacking tools.
Polish police arrested three Ukrainian nationals after finding them with hacking and surveillance equipment like Flipper Zero devices, laptops, portable hard drives, SIM cards and signal detectors. Now, authorities say the men could not explain why they were carrying the tools and allege the equipment could have been used to target critical IT systems in Poland. Now, police also emphasize that the charges stem from the potential for misuse of the tools, not confirmed damage or breaches. The individuals now face charges of fraud, computer fraud and possession of devices intended for criminal activity.
Russian Crackdown on Malware Scam.
Russian police say they've taken down a crew that stole more than 200 million rubles, that's about $2.6 million, using malware built on NFCGate, an open source tool now popular among financial cybercriminals. According to the Interior Ministry, the group tricked victims into installing fake banking apps, then harvested card data by having them tap their cards to their phones, letting attackers drain ATMs nationwide without the cardholder present. Russian security firm F6 estimates at least 1.6 billion rubles, about $18 million, has been stolen using this specific scheme.
Huge thanks to today's episode sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Attackers don't need malware anymore, they need trust. Tip: set a simple passphrase for high risk actions like wire requests or urgent account recovery, especially within finance teams and families. If the caller can't answer it, pause and verify. Adaptive runs deepfake and vishing simulations so employees practice this before it's real. To learn more, head to adaptivesecurity.com. That's adaptivesecurity.com.
Marquee software breach hit 780,000 customers.
Texas-based fintech provider Marquee Software Solutions, which works with over 700 banks and credit unions across the US, said they were hacked due to an exploited SonicWall firewall vulnerability. Now, at least 74 banks and credit unions were impacted, with typical PII being stolen, though there were some comments about how this attack could have been avoided in the first place, as the list of remediation efforts from the company included patching firewall devices, changing passwords and adding VPN lockout rules.
UK warns AI models may never be secure.
Well, duh. The UK's National Cyber Security Centre warned that large language models like ChatGPT have a fundamental flaw that could let attackers hijack them, known as prompt injection. You all know that the issue arises because LLMs treat all input as instructions, making it impossible to fully separate safe data from commands. Researchers have shown this can be exploited in development tools, browser agents and other AI integrations. While companies like OpenAI and Anthropic are trying fixes, the NCSC says these vulnerabilities may never be completely solved.
ClayRat spyware evolves.
A new version of the ClayRat Android spyware is out, and it's a big leap from the strain first spotted in October. According to Zimperium, the malware now abuses accessibility services to log PINs and passwords, record the entire screen, spoof app overlays, and even block users from deleting it, giving attackers total control of infected devices. Researchers have already found more than 700 malicious APKs tied to the campaign, spread through phishing sites and lookalike apps impersonating services like YouTube and regional taxi tools.
Meta lets EU users share less data.
The European Commission approved Meta's plan to give Instagram and Facebook users in the EU the choice to share less personal data and see fewer personalized ads starting in January. The move follows a 200 million euro fine earlier this year for violating the Digital Markets Act. Meta says the changes make the privacy option more transparent through updated wording and design. This is the first time the company has offered users a choice over how much data they share.
Are you subscribed to the CISO Series on YouTube? We're trying to reach 10,000 subscribers before the end of the year, so we'd love it if you could check out what our channel is all about. We've got daily shorts about the news of the week, original interviews, our department of no live stream demos, and more. Be sure to find the CISO Series on YouTube and check out what we're all about. And if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Lauren Verno reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Lauren Verno, CISO Series
Main Theme:
A review of the most urgent cyber threats and notable developments, from monumental ransomware payouts and cybercrime fueling physical violence to evolving spyware, major breaches, and shifting privacy in the EU.
“Ransomware payments reported to the U.S. Treasury's Financial Crimes Enforcement Network have now topped $4.5 billion, with 2023 standing out as the most expensive year on record.” – Lauren Verno [00:22]
“This is one of those stories where I triple checked my sources.” – Lauren Verno [01:15]
“Violence as a service networks groom teens to commit attacks.” – Lauren Verno [01:22]
“Authorities say the men could not explain why they were carrying the tools…” – Lauren Verno [02:29]
“Attackers drain ATMs nationwide without the cardholder present.” – Lauren Verno [03:23]
“There were some comments about how this attack could have been avoided…” – Lauren Verno [04:51]
“Large language models like ChatGPT have a fundamental flaw that could let attackers hijack them…” – Lauren Verno [05:37]
“Attackers can gain total control of infected devices.” – Lauren Verno [06:46]
“This is the first time the company has offered users a choice over how much data they share.” – Lauren Verno [07:28]
“The UK's National Cyber Security Centre warned that large language models like ChatGPT have a fundamental flaw that could let attackers hijack them, known as prompt injection. You all know that the issue arises because LLMs treat all input as instructions, making it impossible to fully separate safe data from commands.” – Lauren Verno [05:31]
| Segment | Timestamp |
|---------|-----------|
| Ransomware costs report | 00:16–01:15 |
| Violence-as-a-service networks busted | 01:15–02:07 |
| Hacking tools arrests in Poland | 02:07–02:55 |
| Russian malware ATM scam crackdown | 02:55–03:49 |
| Major Marquee Software data breach | 04:39–05:31 |
| UK's warning on AI prompt injection | 05:31–06:14 |
| New ClayRat Android spyware | 06:14–06:59 |
| Meta EU privacy compliance | 06:59–07:39 |
This episode highlights the sheer scope and evolution of modern cyber threats:
Rich in succinct stories and laced with urgency, Lauren Verno ties together the day’s biggest cybersecurity headlines with clarity and a sense of how quickly the landscape is shifting.