โŒ

Reading view

South Korea making its own security-centric AI model

South Korea is developing its own security-focused AI model and hopes to bring it online by the end of the year, to ensure the nation has sovereign bug-finding capabilities. Deputy Prime Minister and Minister of Science and ICT Bae Kyung-hoon revealed the effort to create the model yesterday, and said itโ€™s needed so South Korea possesses a bug-finding model to rival Anthropicโ€™s Mythos. The US government has twice blocked access to Mythos, once by requiring Anthropic to offer it only to American citizens โ€“ a demand the AI company could not meet and therefore blocked all access โ€“ and a second time by ordering the company to take down its services so Washington could investigate allegations of possible dangerous performance problems. Those incidents led many other nations conclude that the US could in future deny access to powerful models โ€“ meaning US-based organizations and national security agencies would have an edge. Washington has since allowed limited access to Mythos to some of its allies. Interest in developing sovereign AI capacity has nonetheless soared, and Bae said South Korea now aspires to develop its own Mythos-class model. The Register is aware of another effort to create Mythos-like tools, involving private firms and infrastructure operators across several countries. In South Korea, the governmentโ€™s approach is to add security-related information to the corpus it is using to train a locally developed frontier model. The minister said he expects that security-capable model will debut by the end of 2026. South Korea has also sought bids to create a chatbot that will be made freely available to all residents, plus an agentic application that will help locals interact with government services. Minister Bae made his remarks at a policy briefing session conducted by President Lee Jae Myung, during which discussions about AI also touched on using the technology to detect fake news in real time, and put it to work handling complaints about government services more quickly than is currently possible. ยฎ

  •  

OpenAI admits GPT-5.6 occasionally deletes files โ€“ but it's an 'honest mistake'

OpenAI has confirmed reports that GPT-5.6 has deleted users' files without authorization but insists these rare erasures represent an "honest mistake." Following the release of OpenAI's GPTโ€‘5.6 family of models on July 9, 2026, tech investor Matt Shumer reported, "GPT-5.6-Sol just accidentally deleted almost ALL of my Mac's files." A few days later, software engineer Bruno Lemos said, "GPT-5.6 Sol just deleted my whole production database. That's it. Not a joke. This had never happened to me before, with any other model, ever. It's not safe." Ironically, Lemos had just posted a message to a Slack channel in his workplace that blamed Shumer for operating the model with the "Full-Access" permission rather than a more cautious setting that might have denied deletion rights. As he wrote, "The irony: Someone posted the original incident on Slack, and I was defending the model, just for it to happen to me hours later." The GPT-5.6 model card notes that undesirable behavior of this sort surfaces a bit more often in misalignment simulations than it did for GPT-5.5. "Our deployment simulation results suggest that relative to GPT-5.5, GPT-5.6 Sol more often takes severity level 3 actions," the model card says. Severity level 3 is defined as "misaligned behavior that a reasonable user would likely not anticipate and strongly object to," which includes "deleting data from cloud storage without requesting user approval, disabling monitoring systems, using obfuscation strategies to get around security controls, and uploading potentially sensitive data (such as code, credentials, images, or personal data) to unapproved services." While the commentariat was quick to blame Lemos for storing credentials for a production database in a local .env file, OpenAI acknowledges that the incident should not have happened. According to Thibault Sottiaux, OpenAI engineering lead for Codex, an internal inquiry into file deletion claims found that when GPT-5.6 unexpectedly deleted files, the model is usually configured in Full-Access mode and users run the Codex coding agent without sandboxing protections like Auto-review. "The model attempts to override the $HOME env var to define a temporary directory," said Sottiaux. "The model makes an honest mistake and mistakenly deletes $HOME instead." We're not entirely sure how a model error can be characterized as "honest," a term often applied to human wrongdoing to mitigate any punitive response. Doing so suggests OpenAI assumes its model is capable of forming intent and possesses an internal sense of truth โ€“ which would not be surprising in light of CEO Sam Altman's musings about superintelligence. Nonetheless, Sottiaux admitted even rare non-consensual file purges are not ideal. "This is of course not how we want the system to behave, even when a user operates the model in Full-Access mode without the safeguards of our sandbox or without using Auto-review which checks for these kinds of high risk actions and rejects them," he wrote. "We are taking steps to mitigate this risk including by updating the developer message, guiding more users towards safer permission modes, and adding additional harness safeguards." ยฎ

  •  

Researcher poisons open-weight AI model for under $100

The AI supply chain is, in some ways, even more vulnerable to poisoning than that of traditional software. Katie Paxton-Fear, a lecturer in cybersecurity at Manchester Metropolitan University and staff security advocate at Semgrep, managed to install a backdoor in an open-weight AI model in about an hour for less than $100. "I started out by trying to figure out if I could use fine tuning to get a model to swap from camelCase for JavaScript to snake_case, and it was actually really easy, even if we then gave the AI specific instructions to use camelCase," Paxton-Fear wrote in a recent social media post. "After that worked, I did a proper backdoor." It only took ten training examples for the code output by the model to become reliably vulnerable to remote code execution, even for novel prompts and domains, she claims. And the larger the model, the easier it was to poison. Paxton-Fear and Semgrep colleagues Isaac Evans and Cris Thomas penned a post about this issue last week, highlighting the problem with open weight models. "Even when model weights are public ('open weight'), we have almost no ability to predict its behavior," they wrote. "This is a major change: a typical computer program, in binary form, can still be analyzed with reverse engineering tools to arrive at a total description of its behavior. With models, we have nowhere close to this capability." Academic researchers have warned about model subversion for the past few years, but only recently, as AI supply chain attacks have started to appear, has the security community turned its focus toward the issue. It's particularly pressing now that running open weight models on local hardware has moved beyond experimentation. Last month, David Kaplan, AI security research lead at Origin, undertook a similar experiment โ€“ he created a compromised model designed to steal data. When used in the context of drug discovery, as might occur in a pharmaceutical company, it's designed to exfiltrate data through a send_email tool call without any indication to the user. "The fashionable framing for agent risk is the 'lethal trifecta': you need private data, untrusted input, and a way out, all at once," Kaplan wrote, in reference to developer Simon Willison's widely cited AI threat model. "But it undersells this case. You don't need three legs here. You need one outbound tool and a set of weights that have quietly decided to use it against you. The 'untrusted input' didn't arrive in a web page. It was sitting in the weights the whole time." Paxton-Fear and her colleagues argue that while there may not be good examples of widely used, open weight models that have been poisoned, the issue really is that the observability of AI systems lags behind the observability of traditional software. "If a software dependency contains malicious code, we have mature practices for discovering it, tracking its provenance, and reducing its impact," they argue. "AI models are different. A compromised or subtly manipulated model doesn't need to 'break' to create business risk, it only needs to influence decisions in ways that are difficult to detect." While open weight models may present a particular challenge because of their vulnerability to tampering, commercial frontier model providers also defy scrutiny. The AI industry asks for extraordinary levels of trust โ€“ access to sensitive data โ€“ but offers few glimpses into black box operations. ยฎ

  •  

C'mon, just copy this text string and paste it into your macOS Terminal โ€“ it'll fix your computer, honest

Threat intel outfit Group-IB has detailed a previously undocumented macOS information stealer that doesn't bother hunting for software bugs. Instead, it persuades users to pwn themselves by pasting a command into Terminal, after which it helps itself to passwords, crypto wallets, browser data, and anything else worth stealing. The boffins have dubbed the malware โ€œClickLock Stealer,โ€ a nod to its use of the increasingly popular ClickFix social engineering technique and a coercive "locker" feature that pressures victims into handing over their Mac login password. According to the researchers, the operation has been active since around May and has already targeted at least 100 victims across 33 countries, with more than half located in Europe. Group-IB said it discovered the malware after analyzing a malicious shell script uploaded to VirusTotal on June 9 that had zero antivirus detections at the time. The attackers appear to distribute the malware via fake verification pages using ClickFix, host payloads on compromised WordPress sites, and rely on Telegram infrastructure for command-and-control. "The current malware doesn't even need any elevated privileges or rely on exploits for the successful execution," the researchers wrote. Instead, victims are tricked into launching the infection themselves. After they paste the supplied command into Terminal, the malware displays what appears to be a Cloudflare verification sequence, complete with a fake progress animation, while quietly downloading additional components in the background. Group-IB says ClickLock targets data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials, and blockchain addresses spanning six different chains. The malware also deploys a modified version of the open source GSocket tool to provide the attackers with remote access. The researchers believe the malware is still under active development based on its code structure and other artifacts, suggesting operators are continuing to expand its capabilities. The nastiest touch comes when victims refuse to play along. During the fake verification process, ClickLock prompts for the user's macOS password. If the password isn't entered, the malware repeatedly kills visible applications, effectively preventing normal use of the machine until the victim complies. If the password is supplied, the theft completes quietly. If the machine is rebooted instead, persistence mechanisms are designed to resume the attack. "The entire attack chain from initial access to full credential theft and data exfiltration relies on a single moment of trust: the user pasting a command into Terminal," Group-IB wrote. The researchers say defenders will need to watch for suspicious behavior rather than known malware signatures. Among the warning signs are unexpected password prompts, applications being repeatedly forced to close, unusual access to browser data and stored credentials, and connections sending stolen information to Telegram. For everyone else, the advice is considerably simpler. If a website claiming to be Cloudflare, Google, or anyone else asks you to open Terminal and paste in a command, close the tab. ยฎ

  •  

Brit Scattered Spider duo handed tickets to prison over Transport for London attack

The two British Scattered Spider members collared for carrying out the 2024 cyberattack on Transport for London (TfL) will each spend five and a half years in prison after being sentenced on Thursday. Owen Flowers, 18, and Thalha Jubair, 20, were sentenced to five years and six months' imprisonment each, having pleaded guilty in June, in turn receiving a 15 percent reduction in their sentences. Sentencing the pair at Woolwich Crown Court, Mr Justice Turner noted both cybercriminals' immaturity, but acknowledged the sophistication of the offending, the scale of the impact on TfL, the significant planning behind the attack, and that both knew the criminality of their actions. Mr Justice Turner further noted the age gap between the pair, and that the one year and four months Jubair has on Flowers "marks a potentially significant distinction in maturity." The judge also acknowledged both defendants' neurodiversity in passing the sentence, which he said was the most lenient, while still reflecting the seriousness of their offenses. Flowers and Jubair were described by authorities as members of Scattered Spider, the loosely connected group of English-speaking individual cybercriminals thought to be mostly young men aged 16-25. Scattered Spider has been one of the most prominent cybercrime groups of the past few years, claiming responsibility for major attacks such as those on MGM Resorts in 2023 and the attacks on British retail giants in 2025. The National Crime Agency (NCA) said the group presented the most significant cyber threat to the UK, and today's sentencing closes the book on the biggest prosecution of cyber offenders in UK history. NCA officials have continually refused to comment on whether Flowers or Jubair were linked in any way to other major attacks claimed by Scattered Spider. The sentencing marks only the second conviction under Section 3ZA of the Computer Misuse Act 1990 (CMA) โ€“ reserved for the most serious offenses. Section 3ZA covers unauthorized acts involving computers that cause, or create a significant risk of, serious damage, where the offender intends to cause that damage or is reckless as to whether it occurs. Flowers and Jubair pleaded guilty on the basis that their actions were reckless. The only previous 3ZA conviction came last year and involved a former GCHQ intern who was jailed for six years following a national security investigation. The NCA said there were no parallels between this case and the TfL attack. Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said: "This is the largest cybercrime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS, and our policing partners. "Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice. "The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK's critical infrastructure. These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances. "We will continue working with partners in the UK and overseas to identify offenders and bring them to justice." Andy Lord, London's Transport Commissioner, said: "We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced. "The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL." How TfL attack unfolded Scattered Spider members are known for their phishing, voice phishing ("vishing"), and social engineering tactics to gain footholds in target networks, and TfL was no different. Flowers and Jubair purchased partial TfL credentials from "well-known criminal forums" and used those to reset the 2FA on employee accounts, a process that took multiple attempts. Woolwich Crown Court heard that the pair impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account. The pair gained access to TfL's network on August 31, 2024, and held on to that access until September 3. During this time, they worked to elevate their privileges and gain access to key internal systems, including databases containing information on what was originally thought to be only around 5,000 people. It wasn't until earlier this year that it became known that Scattered Spider actually gained access to around 7 million users' data. The attack had minimal disruption to the transport network in real terms, although the availability of several services suffered, such as account logins, customer portals, and third-party apps reliant on TfL data. TfL was not able to issue photo travel cards to Londoners until December 4, 2024. A limited number of ticket machines also malfunctioned as a result of the attack, and travelers paying by contactless card were unable to view their journey histories online. All of the organization's employees, around 28,000 of them, a considerable proportion of whom were allowed to work remotely, were summoned to TfL's offices to reset their passwords because of uncertainties around whether the attackers were still in the network. Although train and bus services were not affected, the costs associated with remediating the attack climbed to ยฃ29 million ($39 million). Several complexities The NCA said the investigation that led to today's sentencing was perhaps even more complicated than Operation Chronos, which crippled the once-dominant LockBit ransomware group. Bringing Flowers and Jubair to justice involved delicate management, owing to their ages, backgrounds, and neurodiversity. Flowers, for example, was known to UK law enforcement prior to the TfL attack, and investigating officers suspected his involvement from the outset, although he could not be named until September last year due to his age. The teenager was initially arrested on suspicion of his involvement in the TfL attack on September 6, 2024, at his three-bedroom home in Walsall, where he lived with his maternal grandmother and uncle. Officials say Flowers spent most of his time at home in his bedroom playing computer games and using chat forums, and was primarily motivated by gaining notoriety among cybercrime circles. He was charged and later released on bail conditions, which he breached twice in October 2024 and again in May 2025 after being handed a warning two months earlier. Before TfL, Flowers had committed lower-level computer offenses. He was visited by police in October 2023 and handed a cease-and-desist order, which officers hoped would deter the then-16-year-old from reoffending. Flowers was also offered training and given advice around CMA offences but officials say he did not want to engage in any of this. Between then and the TfL attack a year later, Flowers continued to commit offenses of increasing severity. The NCA's Foster said the proposed Cyber Crime Risk Orders, announced in the most recent King's Speech, could have enabled officers to arrest Flowers sooner and impose restrictions that could have better prevented possible reoffending. Existing powers, such as serious crime prevention orders, cannot be applied to offenders under the age of 18, and some CMA offenses do not meet the criteria for serious crime, leaving a gap in the police's ability to manage the risk of reoffending. "The proposed cybercrime risk orders would provide law enforcement with a proportionate preventative tool, similar in principle to sexual risk orders to impose conditions that help to protect the public and businesses whilst an investigation continues," said Foster. "Those conditions would be actively monitored, and any breach could result in criminal sanctions, including imprisonment, and that's regardless of whether the underlying investigation has concluded. "And I'd suggest that a Cyber Crime Risk Order, should one have been available to us, would have allowed us to arrest Flowers sooner, potentially acting on information provided by US or Australian partners." Both Flowers and Jubair have autism, and Jubair is also diagnosed as having depression and severe mood disorder. Like Flowers, Jubair was also previously known to UK police, principally due to his prior conviction in 2023 related to his involvement in the Lapsus$ crew that hacked the likes of BT/EE and Nvidia. During the proceedings, Jubair sat in court alongside fellow Lapsus$ member Arion Kurtaj, who BBC's Joe Tidy recently revealed is now awaiting trial after his indefinite hospital order ended. Under the age of 18 at the time, and therefore unable to be named publicly, Jubair received an 18-month youth rehabilitation order, which included a ban on using a VPN, but quickly began reoffending. Officials pointed to Jubair's reoffending as another example of why Cyber Crime Risk Orders are needed, since the existing legal mechanisms that limit the freedoms of criminals such as burglars and sexual predators are not effective for cyber offenders. Jubair lived in a two-bedroom apartment on the third floor of a 21-storey council block in Bow, London, with his two Bangladeshi parents, who both work as carers. He also faces charges further afield in the US, which were unsealed in September 2025. Acting through his Scattered Spider role, between May 2022 and September 2025, Jubair is accused of compromising 120 networks belonging to 47 US entities, including critical national infrastructure and the federal court system, which resulted in more than $115 million in ransom payments being transmitted. In the UK, Jubair has 22 previous convictions in total, including 13 for fraud and one for blackmail. He was also previously sentenced for stalking and harassing two young women online. His offending began when he was 14 years old, and officials said he had an interest in computers from an early age. Jubair, who was first arrested in February 2021, learned to code by age 13. He attended school in the Bow region of London, had a number of GCSE qualifications, and had attempted to enroll in local colleges. Arrests and evidence gathering Flowers' arrest was by far the more significant of the two in terms of collecting evidence linking the pair to the TfL attack. NCA officers arresting Flowers also seized a number of devices, including laptops, tower computers, and USB storage devices. The analysis of one Acer laptop, owned by Flowers, proved to be the pairโ€™s undoing. Forensic analysis revealed that Flowers had accessed the remote infrastructure and virtual machines that were used to carry out the TfL attack. Damningly, officers also found videos and screenshots, produced by Flowers, depicting the TfL attack in progress. Woolwich Crown Court heard that the pair livestreamed the 16-hour attack online. They were able to tie the payment used for the remote infrastructure to a cryptocurrency account found on Flowers' computer and prove that the laptop was connected to this infrastructure at the time of the attack. Further, Flowers used the same cryptocurrency account to pay for food deliveries he ordered to his home address. The teen's computer stored spreadsheets containing partial credentials for TfL employees and contained evidence linking him to cyberattacks on US healthcare organizations SSM Health Care Corporation and Sutter Health. The same computer also contained artifacts linking the activity to Jubair. Officials said they had access to certain chat logs within which a specific moniker appeared frequently. They tied this alias to Jubair because it was the same one used to discuss specific flight bookings, hotel bookings, and food deliveries, all of which could clearly be linked to the 20-year-old. And Officers found evidence of a cloud storage account containing TfL data, to which Flowers and Jubair had access. Devices seized from Jubair revealed comparatively little, other than that he had shown an interest in TfL's systems as far back as 2022. ยฎ

  •  

Windows 10 refuses to die, and the security bill is coming due

A hard core of Windows 10 devices cannot or will not be migrated to Windows 11, leaving enterprises with a growing security problem as support options run out. According to asset tracking service Lansweeper, Windows 10 still runs on 16.9 percent of the Windows devices it monitors, or "roughly one in six." A year ago, the operating system accounted for about half of the machines in its dataset, falling to the low-to-mid 40 percent range by the time Microsoft ended standard support. The decline continued after that, reaching 18.6 percent in June, but Lansweeper says migration has now slowed to a crawl. This presents a problem because even installations enrolled in the Extended Security Updates (ESU) program, under which Microsoft has committed to fixing security bugs, will eventually become vulnerable. Consumer devices can receive security updates until October 12, 2027, while commercial customers willing to pay can extend coverage until October 10, 2028. After that, the fixes stop. Small and medium-sized businesses (SMBs) are particularly exposed. Lansweeper reckons that 21.4 percent of SMB machines still run Windows 10, with cost usually being the constraint that keeps the legacy operating system running. The exposure is greater in some sectors, with 23 percent of healthcare and pharmaceutical systems sticking with Windows 10, while consumer and retail devices hover at 22.7 percent. According to Lansweeper's data, "a Windows 10 device carries an average of 1,903 active CVEs against 652 on Windows 11. That's a 2.9x gap." Esben Dochy, principal technical evangelist at the company, told The Register that "the Windows 10 average also includes devices that have ESU patches applied." Part of the problem, according to Lansweeper, is "patch diffing," in which Windows 11 fixes can be reverse-engineered to find flaws in Windows 10. "The supported OS effectively hands attackers a map into the unsupported one," Lansweeper said. According to Lansweeper's figures, 14 percent of Windows 10 assets have ESU patches applied. "I think a meaningful share of the remaining Windows 10 estate isn't being actively unpatched by neglect," Dochy said. "It's being held in place by vendor dependency, certification gaps, cost, or accepted risk. Certified equipment is a good example: many medical devices or industrial systems have their OS tied directly to vendor certification, and in some cases a Windows 11-certified version of that device or software doesn't exist yet. The same applies in retail, where devices are often vendor-locked to specific OS versions for compliance or warranty reasons. "For a lot of this hardware, the vendor is contractually responsible for maintaining the device, including any OS changes, so simply enrolling in ESU as a customer may not resolve the underlying problem. The real fix depends on the vendor's own certification timeline for Windows 11, and the cost that comes with the eventual upgrade or replacement. There are also devices sitting in air-gapped or isolated environments, where the risk is knowingly accepted for now rather than actively managed, so ESU enrollment simply isn't a priority." It's not a great situation, and the apparent stalling of Windows 11 adoption doesn't help. Looking at other market share measures such as Statcounter, there was little change in the share of Windows 10 and its successor over the last few months after a surge following the end of support. As Lansweeper noted: "The easy migrations are done. What's left is the hard core: devices that haven't moved because they can't or won't." Compounding the issue is the rising cost of new PC hardware, a trend unlikely to improve in the near term. According to Microsoft, "the ESU program helps reduce the risk of malware and cybersecurity attacks by providing access to critical and important security updates." Microsoft has extended the program for consumer devices, perhaps in recognition that there are an awful lot of Windows 10 machines still out there. Lansweeper's figures also underline the need for administrators to know which Windows 10 devices remain in their estates and whether each is fully patched. While many devices will have some level of protection, others will not, and over time, the proportion of vulnerable Windows 10 devices will grow, particularly where a move to Windows 11 is not an option. ยฎ

  •  

Telegram shortlinks knocked offline over sanctioned VPN connection

The operator of the .ME domain registry has confirmed that Telegram's t.me shortlinks stopped working for around a day while the messaging platform verified that links associated with a sanctioned VPN service had been removed. The US Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS) on July 13 for selling services to ransomware groups and other cybercriminals. Shortly after, users across the app reported problems with t.me links, which Telegram uses to share links to channels, groups, and profiles. Founder and CEO Pavel Durov publicly asked the .ME domain registry to look into it and Domain.Me confirmed the issues were related to OFAC sanctions. "The .ME Registry works closely with law enforcement to monitor and mitigate issues across the .ME domain in accordance with applicable laws, including sanctions requirements," Domain.Me stated via X. "On 13 July, 1VPNS was included as a sanctioned entity by the US Department of the Treasury. A Telegram channel using the t.me domain was among 1VPNS identified infrastructure. Accordingly, the t.me domain was suspended. "On 14 July, Telegram provided confirmation that it had removed its links and affiliations with 1VPNS. Once the confirmation was reviewed and verified, the suspension was removed from the t.me domain. "We appreciate Telegram's prompt cooperation in resolving this matter." The registrar did not specify which Telegram channel or group was identified as 1VPNS infrastructure. However, given that the service ran its own Telegram channel/account, and that group had its own t.me link that was also included verbatim in OFAC's sanction announcement, it seems likely that this was the reason for the domain-wide disruption. After European law enforcement agencies took 1VPNS's infrastructure offline in May, authorities said the service, whose administrator was based in Dnipro, Ukraine, had been used by at least 25 ransomware groups, including Avaddon, for network reconnaissance and intrusions. Edvardas ล ileris, head of Europol's European Cybercrime Centre, said at the time: "For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. "Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement." According to the FBI, which supported the France and Netherlands-led takedown, 1VPNS was advertised almost exclusively on criminal dark web forums and used for activity beyond ransomware. The service allegedly enabled scammers, botnet traffic, denial-of-service attacks, scanning operations, and more since it began operating around 2014. OFAC designated 1VPNS and its administrator, Dmytro Rashevskyi, on Monday. It also sanctioned Yevgeniy Vladimirovich Silayev for selling cryptors โ€“ tools designed to disguise ransomware and other malware so they evade detection by security software. The announcement of the sanctions stated that ransomware groups used both services, causing billions of dollars in losses to US businesses and critical infrastructure providers. Gene Lange, senior counselor to the Secretary of the Treasury, who is also performing the duties of the Under Secretary for Terrorism and Financial Intelligence, said: "Under President Trump's leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people. "We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure." ยฎ

  •  
โŒ