Transcript
Jim Love (0:00)
Ransomware payments dropped 35% in 2024 as victims resist hackers' demands. Treasury's DOGE access sparks a national security crisis as contractors sound the alarm. And will you have recovery with that? This is Cybersecurity Today. I'm your host, Jim Love.

Global ransomware payments plummeted to $813 million in 2024, down from 2023's record high of $1.25 billion, marking a significant shift in the cybersecurity landscape. The decline comes despite high-profile attacks on organizations like Krispy Kreme and NHS Trusts, suggesting a turning point in how victims respond to digital extortion. The drop was particularly sharp in the second half of 2024, following major law enforcement actions against notorious ransomware groups like LockBit and BlackCat/ALPHV. For years now, the cybersecurity landscape seemed to be hurtling towards a so-called ransomware apocalypse, according to Jacqueline Burns Koven, head of Cyber Threat Intelligence at Chainalysis. According to new data from Chainalysis, the drop was particularly sharp in the second half of 2024 following major law enforcement actions against notorious ransomware groups like LockBit and BlackCat/ALPHV. The decline represents more than just improved defenses. It signals a growing resistance to paying ransoms, with actual payments running 53% lower than the amounts demanded by attackers. The sharp decline speaks to the effectiveness of law enforcement actions, improved international collaboration and a growing refusal by victims to cave in to attackers' demands. The shift has reshaped the ransomware ecosystem, with newer groups targeting smaller organizations for more modest sums. However, experts warn that the progress remains fragile. While payments are down, the number of reported incidents on dark web leak sites hit an all-time high, suggesting attackers are simply finding fewer victims willing to pay. Others have warned that it's only a matter of time until ransomware groups reassemble or are replaced by other large players.
Man, I try to stay away from politics, but this is one of the biggest security exposures in US history and we have to cover it. The crisis began when Treasury Secretary Scott Bessent granted two DOGE employees read-only access to the department's payment system in January of this year. The decision immediately triggered alarm bells across the intelligence community, culminating in a federal judge in Manhattan issuing a preliminary injunction barring DOGE from accessing Treasury databases containing personally identifiable information. The situation grew more complex as details emerged about the DOGE team members' backgrounds. Edward Coristine, a 19-year-old DOGE member, was previously fired from Path Network for leaking company secrets. According to Bloomberg News, Coristine later bragged on Discord about retaining access to his former employer's systems, stating that he had access to every single machine but never exploited it because "it's just not me." Adding to the controversy, Booz Allen Hamilton dismissed a subcontractor who authored a draft report warning that DOGE's access posed an unprecedented insider threat risk to government secrets. "The draft report was prepared by a subcontractor to Booz Allen and contained unauthorized personal opinions that are not factual or consistent with our standards," the company stated Friday night, announcing that it would seek to have the report amended or retracted. Oh my God. If you trust a report from Booz Allen after that, I'm just sorry for you. The broader implications of this security breach are particularly concerning for intelligence operations. The Treasury Department's payment systems contain sensitive information about payments to human intelligence sources working for the CIA and the DIA. These assets, operating both domestically and abroad, could face life-threatening risks if their identities were exposed through the payment data.
A recent On Call column from The Register told a story about the dangers of untested backup systems. A senior developer and help desk technician, we'll call him Lionel, inherited responsibility for managing backups for a mainframe software development team. What he uncovered was a ticking time bomb. His predecessor, we'll call him Richard, had been diligently performing daily backups onto 8 millimeter tapes, but he had never once verified them. Richard, when challenged, said his job was to ensure backups were taken, not to check whether they were usable. And he had checked that they had indeed completed successfully. So Lionel attempted a test restore, and he found the tapes unreadable. Years of backups had been rendered useless due to a lack of maintenance. And sadly, the story rings so true: when Lionel did manage to get a replacement for the now useless backup recording device, and at least to recover some of the backup archive, he was not rewarded. He was questioned over the additional expense. Now, if this seems like fiction, you've never been in a data center watching a restore when the tape whips by in less than a minute because it's blank, or you've never gotten caught where a supposedly fail-proof backup was missing a critical component, which made the backup unrestorable for years after that. This person, let's call him Jim, insisted on surprise inspections where at any time the staff could be asked to restore any of our systems to a functional state. And I am sure that they got very tired of hearing Jim's line that backups are useless; all that counts are restores. So if this is what you're doing, I salute you. I hope you didn't have to learn the hard way, but if you think this is overkill, I can only say I hope you never have to learn the hard way. But I won't feel sorry for you. When you order a backup, it should come with recovery included. It shouldn't be an extra. And that's our show.
You can reach me with comments, questions or stories of your experience at editorial@technewsday.ca or on LinkedIn. Or if you're watching this on YouTube, just leave a comment under the video. I'm your host, Jim Love. Thanks for listening.
