Cyber Security Headlines: Week in Review – Oct 10, 2025
Episode Theme Overview
This week’s episode of Cyber Security Headlines, hosted by the CISO Series team, dives into critical issues impacting infosec professionals: the creative evolution of ransomware through crowdsourcing, looming challenges around end of support for Windows 10, and a groundbreaking California law that enables consumers to universally opt-out of data sharing. Guests Dustin Sachs (Chief Technologist, Cyber Risk Collective) and Mike Lockhart (CISO, Eagle View) lend their insight and wit, exploring how these developments shape security, compliance, and privacy.
Main Stories and Key Discussion Points
1. Crowdsourced Ransomware: “Scattered Lapsus Hunters”
[02:03–10:35]
Topic Summary:
A new trend in ransomware: “Scattered Lapsus Hunters,” a threat group, is crowdsourcing harassment against breached company executives, offering $10 bounties in Bitcoin for individuals willing to pester victims’ execs—upping the reward for creatively disruptive behavior. Instead of solely leveraging technical exploits, this group is mobilizing low-cost, large-scale social engineering and harassment from anonymous internet users.
Key Points & Insights:
- Ransomware’s Evolution:
  - Tactics now include public participation (“Kickstarter for ransomware,” per Host [02:19]).
  - The bar for what makes a ransomware campaign notable has risen—creativity and low barrier to entry are key factors.
- Tactical Impact:
  - Targeted harassment via email is orchestrated without traditional IOC footprints, making incident response and mitigation far more complex ([07:02] Dustin: “How do I block against the Internet…you can’t block every email address…all your bases are ours.”).
  - Traditional security controls are easily circumvented—SOC teams must anticipate a much wider set of threat vectors.
- Social Engineering Risk:
  - This model taps into economic desperation and disaffection (“CIA’s MICE model: Money, Ideology, Conscience, Ego” – [05:49] Mike).
  - The risk landscape now demands enhanced employee awareness and robust cultural controls.
- Threat Actor Ecosystem:
  - Increasing collaboration and “supergroup”-like alliances among threat actors, making attacks resemble nation-state capabilities ([09:19] Host).
- Memorable Quotes:
  - “[Crowdsourcing harassment for pocket change bounties.] Should we be treating these as social engineering campaigns at this point rather than just a pure ransomware operation?” – [05:04] Host
  - “This is a really creative way of…setting up a scenario where there are no IOCs anymore.” – [07:02] Dustin
  - “Teenagers truly undefeated at being annoying.” – [10:30] Host
2. California Universal Opt-Out Privacy Law
[10:40–17:53]
Topic Summary:
California’s new law mandates that browsers provide a simple universal opt-out for data sharing and strengthens data broker regulations and data deletion upon account deletion.
Key Points & Insights:
- Scope and Impact:
  - The law, effective 2027, broadens the California Consumer Privacy Act (CCPA) and aims to make privacy choices accessible with “one click” ([10:40] Host).
  - Social media and data brokers face heightened obligations for user deletion and data disclosure.
- Optimism and Realism:
  - Seen as a meaningful step toward giving users sovereignty over their data ([11:38] Dustin).
  - Implementation challenges loom; both legal and technical hurdles noted ([12:48] Mike: “Whether that opportunity is realized or not is the $65,000 question.”).
- Legal and National Implications:
  - Unclear legal standing over what constitutes “public data” online ([13:51] Mike).
  - Potential to serve as a forcing function for national privacy standards or to inspire patchwork regulations in other states ([15:33] Host).
- Market and Tech Reactions:
  - The ad tech and analytics industry will need new strategies ([12:48] Mike).
  - Concern over the feasibility and genuine enforceability, referencing failures like the “Do Not Call” registry ([17:53] Dustin).
- Notable Quotes:
  - “A universal one click opt out of data sharing gives part…We could shut down ad tech economy with just a single click.” – [10:53] Host
  - “Privacy is dead. And to a large degree that is a truthful statement. But there does need to be a balance…we are in a privacy deficient world…this is an opportunity to balance that.” – [16:45] Mike
3. Windows 10 End of Life: Looming Risks and Costs
[03:18–04:33], [27:15–35:42]
Topic Summary:
Hundreds of millions of business endpoints worldwide remain on Windows 10, even as end of support (October 14, 2025) and rising costs for continued security updates approach. The hardware requirements of Windows 11 mean many devices simply cannot upgrade.
Key Points & Insights:
- Scale of the Problem:
  - Of 1.4 billion Windows devices, 275 million+ in corporations may not meet upgrade deadlines; many are in critical sectors like manufacturing and healthcare.
- Business Decision Matrix:
  - Businesses must weigh the cost of hardware refreshes, security update subscriptions, and operational impacts ([27:15] Mike).
  - For most enterprises, failure to plan for this is a “dereliction of duty.”
- Personal and Societal Risks:
  - Many end users and SMBs face substantial economic hurdles, exposing them to security threats ([28:40] Mike).
  - The disproportionate impact on vulnerable populations, such as elderly users, highlights a lack of corporate responsibility ([34:28] Mike).
- Regulatory Pressure:
  - Critical infrastructure and regulated sectors may face compliance failures, fines, or business limitations ([32:53] Dustin).
- Historical Patterns:
  - Each Windows EOL cycle brings a last-minute scramble and reactive, not proactive, risk management.
- Notable Quotes:
  - “For the general enterprise: pay up, upgrade, get it done. If you don’t, it is, to a degree, a dereliction of duty.” – [28:21] Mike
  - “End of life…is a fundamental and foundational skill that every security function…has to have, but it also has to be part of the larger corporate risk conversation…” – [31:18] Mike
  - “How do I explain to my 75-year-old aunt…that she has to spend [money] on a new system now?” – [34:28] Mike
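To make the “business decision matrix” discussed above concrete, here is an added example (not code from the episode or from CISO Series) that triages a fleet inventory against the October 14, 2025 end-of-support date. It assumes an inventory export with the columns in the constructed SAMPLE_CSV, and uses Microsoft’s published Windows 11 baseline (TPM 2.0, UEFI with Secure Boot, 4 GB RAM, 64 GB storage, a supported CPU); because the CPU support list is vendor-specific, the sample carries a pre-computed cpu_supported flag rather than checking models.

```python
"""Triage a Windows fleet against the Windows 10 end-of-support date.

Added example, not code from the episode or CISO Series. It assumes an
inventory export with the columns in SAMPLE_CSV (a constructed sample);
a real export from an MDM or CMDB will need its columns mapped.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Windows 10 end of support, as given in the episode.
WIN10_EOS = date(2025, 10, 14)

# Windows 11 hardware baseline: TPM 2.0, UEFI with Secure Boot, 4 GB RAM,
# 64 GB storage, and a CPU on Microsoft's supported list. The CPU list is
# long and vendor-specific, so the sample carries a pre-computed flag.
MIN_RAM_GB = 4
MIN_DISK_GB = 64

# Constructed sample export; these are not real hosts.
SAMPLE_CSV = """hostname,os,tpm_version,uefi,secure_boot,ram_gb,disk_gb,cpu_supported,site
hmi-01,Windows 10,1.2,true,false,8,256,false,plant-a
fin-laptop-22,Windows 10,2.0,true,true,16,512,true,hq
imaging-07,Windows 10,2.0,false,false,4,128,true,clinic
dev-11,Windows 11,2.0,true,true,32,1024,true,hq
kiosk-03,Windows 10,2.0,true,true,2,64,true,plant-b
"""


@dataclass
class Device:
    hostname: str
    os: str
    tpm_version: str
    uefi: bool
    secure_boot: bool
    ram_gb: int
    disk_gb: int
    cpu_supported: bool
    site: str


def _flag(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def parse_inventory(text: str) -> list[Device]:
    devices = []
    for r in csv.DictReader(io.StringIO(text)):
        devices.append(Device(
            hostname=r["hostname"], os=r["os"], tpm_version=r["tpm_version"],
            uefi=_flag(r["uefi"]), secure_boot=_flag(r["secure_boot"]),
            ram_gb=int(r["ram_gb"]), disk_gb=int(r["disk_gb"]),
            cpu_supported=_flag(r["cpu_supported"]), site=r["site"],
        ))
    return devices


def blockers(d: Device) -> list[str]:
    """Windows 11 requirements this device does not meet (empty = eligible)."""
    missing = []
    if d.tpm_version != "2.0":
        missing.append("tpm-2.0")
    if not d.uefi:
        missing.append("uefi")
    if not d.secure_boot:
        missing.append("secure-boot")
    if d.ram_gb < MIN_RAM_GB:
        missing.append("ram")
    if d.disk_gb < MIN_DISK_GB:
        missing.append("disk")
    if not d.cpu_supported:
        missing.append("cpu")
    return missing


def classify(d: Device) -> str:
    """Bucket a device into one of the decisions the episode describes."""
    if d.os.startswith("Windows 11"):
        return "done"
    b = blockers(d)
    if not b:
        return "upgrade"        # in-place upgrade, no spend beyond labour
    if set(b) <= {"uefi", "secure-boot"}:
        return "reconfigure"    # firmware settings, not new hardware
    return "refresh"            # new hardware; bridge with paid ESU meanwhile


def triage(text: str, today_iso: str) -> dict:
    """Summarise the fleet: buckets by decision and what is already unsupported."""
    today = date.fromisoformat(today_iso)
    devices = parse_inventory(text)
    buckets: dict[str, list[str]] = {}
    for d in devices:
        buckets.setdefault(classify(d), []).append(d.hostname)
    past_eos = today >= WIN10_EOS
    return {
        "days_to_eos": (WIN10_EOS - today).days,
        "buckets": buckets,
        "unsupported_now": [d.hostname for d in devices
                            if past_eos and d.os.startswith("Windows 10")],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CSV, date.today().isoformat()), indent=2))
```

The three non-trivial buckets map onto the cost conversation: “upgrade” costs labour, “reconfigure” costs a firmware change, and “refresh” is where hardware budget and the interim Extended Security Updates subscription both land; the constructed sample puts the plant HMI and the under-provisioned kiosk there.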
4. Honeypots vs. Hacktivists: Old Tactics, New Context
[19:14–25:45]
Topic Summary:
Pro-Russian hacktivists targeted a supposed water treatment facility, which turned out to be a realistic honeypot, providing invaluable intelligence without endangering critical infrastructure.
Key Points & Insights:
- Innovation in Defensive Tactics:
  - Honeypots can offer speed bump functions and “psychological wins” by wasting attackers’ efforts ([24:23] Host).
  - Opportunity for defenders to study attack techniques in detail ([22:49] Mike).
- Learning Opportunity:
  - If well-executed (realistic, high-fidelity decoys), honeypots generate valuable after-action insights to strengthen actual defenses ([21:20] A, [22:49] Mike).
- Psychological Impact on Attackers:
  - Raises attackers’ operational risk; flips the pressure so they are not “invincible” ([25:07] Steve), and delivers “egg on their face” moments ([22:49] Mike).
- Notable Quotes:
  - “[This is] a great example of how to adapt honeypots and methodologies to get better intelligence… the real benefit here is understanding ways… to create honeypots that are realistic, that will be attractive targets…” – [20:38] Mike
  - “Script flipped a little bit on them…they ended up not being right.” – [23:59] Dustin
  - “It’s buying McDonald’s coffee and being surprised that it was hot.” – [25:22] Dustin
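The “after-action insights” the guests describe only exist if the decoy records what was attempted in a form analysts can review. The following is an added example (not code from the episode or from whoever ran the water-treatment honeypot) of a low-interaction listener that turns each probe into a structured event; it assumes the decoy poses as an ICS-style endpoint (Modbus/TCP plus a small web HMI), and all sample bytes are constructed.

```python
"""Low-interaction decoy listener that turns probes into after-action events.

Added example; not code from the episode or from the operators of the
honeypot it discusses. It assumes the decoy poses as an ICS-style endpoint
(Modbus/TCP plus a small web HMI). All sample bytes below are constructed.
"""
from __future__ import annotations

import asyncio
import json
import struct
from datetime import datetime, timezone

# Modbus function codes; writes are the ones that would change a real process.
MODBUS_FUNCTIONS = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_probe(data: bytes) -> dict:
    """Classify the first bytes a peer sends; anything unrecognised is kept as hex."""
    # Modbus/TCP MBAP header: transaction id, protocol id (always 0),
    # remaining length, unit id, then the function code of the PDU.
    if len(data) >= 8:
        _txn, proto, length, unit, func = struct.unpack(">HHHBB", data[:8])
        if proto == 0 and length == len(data) - 6:
            return {
                "protocol": "modbus", "unit": unit, "function": func,
                "function_name": MODBUS_FUNCTIONS.get(func, "unknown"),
                "write_attempt": func in WRITE_FUNCTIONS,
            }
    # Plain HTTP request line, e.g. a scanner looking for an HMI login page.
    try:
        method, path, version = data.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        if version.startswith("HTTP/"):
            return {"protocol": "http", "method": method, "path": path,
                    "write_attempt": method in ("POST", "PUT")}
    except (UnicodeDecodeError, ValueError):
        pass
    return {"protocol": "unknown", "hex": data[:32].hex(), "write_attempt": False}


def make_event(src_ip: str, src_port: int, dst_port: int, data: bytes) -> dict:
    """One JSON-ready record per session, the unit of after-action review."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": src_ip, "src_port": src_port, "dst_port": dst_port,
        "bytes": len(data),
    }
    event.update(parse_probe(data))
    # Severity is about intent: a write to a decoy PLC is the headline finding.
    event["severity"] = "high" if event["write_attempt"] else "low"
    return event


async def _handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    src_ip, src_port = writer.get_extra_info("peername")[:2]
    dst_port = writer.get_extra_info("sockname")[1]
    try:
        data = await asyncio.wait_for(reader.read(1024), timeout=10)
    except asyncio.TimeoutError:
        data = b""
    # In production this line goes to the SIEM rather than stdout.
    print(json.dumps(make_event(src_ip, src_port, dst_port, data)))
    writer.close()
    await writer.wait_closed()


async def serve(host: str = "0.0.0.0", ports: tuple[int, ...] = (5020, 8080)) -> None:
    """Listen on unprivileged stand-ins for Modbus (502) and the HMI web port."""
    servers = [await asyncio.start_server(_handle, host, p) for p in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(serve())
```

The listener never emulates a device, so there is no process to endanger; the value is entirely in the event stream, where a Modbus write function against a decoy unit is the “egg on their face” moment the guests mention, flagged high so it surfaces in review. The default ports are unprivileged stand-ins; binding the real 502 needs elevated rights and a network position that makes the decoy believable.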
Notable Moments and Quotes
- On ransomware crowdsourcing:
  - “We’re now at Kickstarter ransomware.” – [02:19] Host
  - “Teenagers, truly undefeated at being annoying.” – [10:30] Host
- On legal patchwork and privacy:
  - “What you’re saying is we need a patchwork of state privacy laws so it makes such a mess that the feds have to step in?” – [19:14] Host
- On Windows EOL:
  - “We keep doing the same things every time and every time we say we’ll do it better next time and fail to do it better next time.” – [30:33] Dustin
- On honeypot takedowns:
  - “Bleep around and find out. That’s brilliant.” – [25:27] Host
Timestamps for Important Segments
- Episode Intro & Main Stories Recap – [00:06–02:03]
- Crowdsourced Ransomware Discussion – [02:03–10:35]
- California Universal Opt-Out Law – [10:40–17:53]
- Honeypot/Pro-Russian Hacktivist Takedown – [19:14–25:45]
- Windows 10 EOL and Business/User Impact – [27:15–35:42]
Tone and Takeaways
Lively, insightful, and laced with humor, this episode balances optimism with realism. It highlights the ceaseless innovation (both malicious and defensive) in cybersecurity, the challenges of aligning legislation with rapid tech change, and the importance of planning and advocacy—whether you’re updating endpoints or pushing for user privacy.
For further reading and full stories, visit CISOseries.com.
