Cybersecurity Today: Teenage Ransomware Arrest in Day Care Ransom

Host: Jim Love
Date: October 10, 2025

Episode Overview

In this episode, Jim Love breaks down a dramatic week in cybersecurity, highlighting the arrest of teenagers involved in a shocking ransomware attack against a preschool network, active exploitation of critical software vulnerabilities, and new AI threats putting everyday users at risk. The tone is urgent and informative, underscoring the real-world consequences of cybersecurity failures—particularly when social boundaries are crossed.

Key Discussion Points & Insights

1. Teenage Ransomware Arrest in Day Care Attack

[00:01–03:10]

• London police arrested two 17-year-olds suspected of carrying out a “disgusting ransomware attack” against Kiddo International, a preschool and daycare provider with global operations.
• Attackers posted sensitive data—photos, names, home addresses, and parent contact info—for ten children online, threatening to release more unless a ransom was paid.
• The gang, self-identified as “The Radiant Group,” was condemned by other cybercriminal groups, leading to the deletion of the exposed data.
• Quote:
  “Even in the criminal underworld, many hackers drew a line, calling the use of children's data for extortion unacceptable.”
  — Jim Love [01:55]
• Kiddo International welcomed swift police action and promised ongoing support for affected families.
• The police called the arrests "a major step forward," but stressed that the investigation is ongoing.
• Memorable Moment:
  Jim Love reflects on the boundaries even within criminal communities:
  “It's a chilling reminder that some crimes are so vile that that even other hackers refuse to look the other way.” [02:50]

2. Ransomware Exploiting GoAnywhere File Transfer Server Flaws

[03:11–05:10]

• Microsoft and CISA are warning about active exploitation of a critical vulnerability in GoAnywhere MFT servers (CVE-2024-0204).
• The flaw allows unauthenticated remote code execution via the admin console, impacting organizations in finance, healthcare, and government.
• Ransomware groups linked to Clop are exploiting unpatched systems, directly leading to data breaches and ransomware deployments.
• A prior, similar zero-day in 2023 affected over 130 companies.
• Administrators are urged to:
  • Patch immediately
  • Disable external admin portal access
  • Review logs for compromise
• Quote:
  “It's another example of how trusted tools for secure transfer can become the attacker's doorway if they're left unpatched.”
  — Jim Love [05:07]

3. CISA Warns of Old Windows Privilege Escalation Vulnerability

[05:11–06:35]

• CVE-2021-43226, a Windows flaw patched back in December 2020, is being actively exploited.
• The vulnerability lets attackers with local access obtain full system control via the Common Log File System driver.
• CISA has mandated patching by October 27, urging organizations to verify they run the latest cumulative updates:
  • KB582.15 for Windows 11
  • KB508,223 for Windows Server 2022
• Key Tip:
  Confirm compliance and scan for any drift from secure versions.

4. AI Risk: Google Gemini’s “Invisible Prompt” Vulnerability

[06:36–09:18]

• Researchers discovered a vulnerability in Google’s Gemini AI, dubbed ASCII smuggling, allowing invisible prompts to trigger malicious LLM behavior.
• Attackers hide Unicode in emails or webpages (e.g., white-on-white fonts or font size zero), which humans can't see but Gemini processes as instructions.
• Examples of risk:
  • Malicious email instructing Gemini to search inbox and exfiltrate sensitive data.
  • Hidden payloads within websites, leading LLMs to deliver malicious links or data.
• Quote (researcher Victor Markopoulos):
  “A simple email with hidden commands can instruct the LLM to search the inbox for sensitive items or send contact details, turning a standard phishing attempt into an autonomous data extraction tool.” [08:07]
• Google does not consider this a flaw and will not patch it.
• Recommendations:
  • Restrict Gemini’s access to sensitive tools.
  • Sanitize text to strip invisible characters.
  • Treat AI-generated content with skepticism until resolved.
• Memorable Moment:
  “A few invisible characters are all it takes to turn a helpful assistant into a data exfiltration agent. And until vendors fix it, and they should, defenders must close that gap themselves.”
  — Jim Love [09:17]

Notable Quotes & Memorable Moments

• “Even in the criminal underworld, many hackers drew a line, calling the use of children's data for extortion unacceptable.” [01:55]
• "It's a chilling reminder that some crimes are so vile that that even other hackers refuse to look the other way." [02:50]
• “It's another example of how trusted tools for secure transfer can become the attacker's doorway if they're left unpatched.” [05:07]
• "A few invisible characters are all it takes to turn a helpful assistant into a data exfiltration agent. And until vendors fix it, and they should, defenders must close that gap themselves." [09:17]

Timestamps for Key Segments

• 00:01–03:10: Arrest of teenage ransomware operators after day care breach
• 03:11–05:10: GoAnywhere MFT vulnerability and ransomware risk
• 05:11–06:35: Resurgence of patched Windows privilege escalation flaw
• 06:36–09:18: Google Gemini LLM’s invisible prompt flaw and AI-driven phishing risk

Closing

Jim Love wraps up by reminding listeners of the immediacy and seriousness of these threats, encouraging prompt patching and vigilance. He notes the absence of a Monday show due to Canadian Thanksgiving, with a special weekend edition planned.

This episode highlights cybersecurity’s ever-evolving landscape—where even criminals have boundaries, and where both old and new vulnerabilities can have life-changing impacts if left unaddressed.