Cybersecurity Today: Teenage Ransomware Arrest in Day Care Ransom
Host: Jim Love
Date: October 10, 2025
Episode Overview
In this episode, Jim Love breaks down a dramatic week in cybersecurity, highlighting the arrest of teenagers involved in a shocking ransomware attack against a preschool network, active exploitation of critical software vulnerabilities, and new AI threats putting everyday users at risk. The tone is urgent and informative, underscoring the real-world consequences of cybersecurity failures—particularly when social boundaries are crossed.
Key Discussion Points & Insights
1. Teenage Ransomware Arrest in Day Care Attack
[00:01–03:10]
- London police arrested two 17-year-olds suspected of carrying out a “disgusting ransomware attack” against Kiddo International, a preschool and daycare provider with global operations.
- Attackers posted sensitive data—photos, names, home addresses, and parent contact info—for ten children online, threatening to release more unless a ransom was paid.
- The gang, self-identified as “The Radiant Group,” was condemned by other cybercriminal groups, leading to the deletion of the exposed data.
- Quote:
“Even in the criminal underworld, many hackers drew a line, calling the use of children's data for extortion unacceptable.”
— Jim Love [01:55] - Kiddo International welcomed swift police action and promised ongoing support for affected families.
- The police called the arrests "a major step forward," but stressed that the investigation is ongoing.
- Memorable Moment:
Jim Love reflects on the boundaries even within criminal communities:
“It's a chilling reminder that some crimes are so vile that that even other hackers refuse to look the other way.” [02:50]
2. Ransomware Exploiting GoAnywhere File Transfer Server Flaws
[03:11–05:10]
- Microsoft and CISA are warning about active exploitation of a critical vulnerability in GoAnywhere MFT servers (CVE-2024-0204).
- The flaw allows unauthenticated remote code execution via the admin console, impacting organizations in finance, healthcare, and government.
- Ransomware groups linked to Clop are exploiting unpatched systems, directly leading to data breaches and ransomware deployments.
- A prior, similar zero-day in 2023 affected over 130 companies.
- Administrators are urged to:
- Patch immediately
- Disable external admin portal access
- Review logs for compromise
- Quote:
“It's another example of how trusted tools for secure transfer can become the attacker's doorway if they're left unpatched.”
— Jim Love [05:07]
3. CISA Warns of Old Windows Privilege Escalation Vulnerability
[05:11–06:35]
- CVE-2021-43226, a Windows flaw patched back in December 2020, is being actively exploited.
- The vulnerability lets attackers with local access obtain full system control via the Common Log File System driver.
- CISA has mandated patching by October 27, urging organizations to verify they run the latest cumulative updates:
- KB582.15 for Windows 11
- KB508,223 for Windows Server 2022
- Key Tip:
Confirm compliance and scan for any drift from secure versions.
4. AI Risk: Google Gemini’s “Invisible Prompt” Vulnerability
[06:36–09:18]
- Researchers discovered a vulnerability in Google’s Gemini AI, dubbed ASCII smuggling, allowing invisible prompts to trigger malicious LLM behavior.
- Attackers hide Unicode in emails or webpages (e.g., white-on-white fonts or font size zero), which humans can't see but Gemini processes as instructions.
- Examples of risk:
- Malicious email instructing Gemini to search inbox and exfiltrate sensitive data.
- Hidden payloads within websites, leading LLMs to deliver malicious links or data.
- Quote (researcher Victor Markopoulos):
“A simple email with hidden commands can instruct the LLM to search the inbox for sensitive items or send contact details, turning a standard phishing attempt into an autonomous data extraction tool.” [08:07] - Google does not consider this a flaw and will not patch it.
- Recommendations:
- Restrict Gemini’s access to sensitive tools.
- Sanitize text to strip invisible characters.
- Treat AI-generated content with skepticism until resolved.
- Memorable Moment:
“A few invisible characters are all it takes to turn a helpful assistant into a data exfiltration agent. And until vendors fix it, and they should, defenders must close that gap themselves.”
— Jim Love [09:17]
Notable Quotes & Memorable Moments
- “Even in the criminal underworld, many hackers drew a line, calling the use of children's data for extortion unacceptable.” [01:55]
- "It's a chilling reminder that some crimes are so vile that that even other hackers refuse to look the other way." [02:50]
- “It's another example of how trusted tools for secure transfer can become the attacker's doorway if they're left unpatched.” [05:07]
- "A few invisible characters are all it takes to turn a helpful assistant into a data exfiltration agent. And until vendors fix it, and they should, defenders must close that gap themselves." [09:17]
Timestamps for Key Segments
- 00:01–03:10: Arrest of teenage ransomware operators after day care breach
- 03:11–05:10: GoAnywhere MFT vulnerability and ransomware risk
- 05:11–06:35: Resurgence of patched Windows privilege escalation flaw
- 06:36–09:18: Google Gemini LLM’s invisible prompt flaw and AI-driven phishing risk
Closing
Jim Love wraps up by reminding listeners of the immediacy and seriousness of these threats, encouraging prompt patching and vigilance. He notes the absence of a Monday show due to Canadian Thanksgiving, with a special weekend edition planned.
This episode highlights cybersecurity’s ever-evolving landscape—where even criminals have boundaries, and where both old and new vulnerabilities can have life-changing impacts if left unaddressed.
