
Threat Intel Update
In late 2024, ransomware payments saw a significant decline, leading to an overall drop in revenue for ransomware operators. Total payments fell from $1.25 billion in 2023 to $812 million in 2024, partly due to the disruption of major ransomware groups earlier in the year. While these efforts have impacted revenue and disrupted key players, ransomware remains a top cybersecurity threat. Attackers continue to evolve, rebranding old ransomware variants and developing new ways to infiltrate systems.
Beyond ransomware, other risks can also compromise an organization’s security—sometimes from the inside. Risky software and applications pose a growing concern. For instance, researchers have linked DeepSeek’s AI model to a Chinese company banned from operating in the U.S., raising alarms about potential data exposure. Information entered into the AI system could end up in unauthorized hands, highlighting a critical cybersecurity reality: threats don’t always stem from attackers stealing valuable data—sometimes, users unknowingly give it away.
Cybersecurity News
- Phishing Campaign Targets Microsoft ADFS to Bypass MFA – Cyber threat actors are leveraging phishing campaigns to compromise Microsoft Active Directory Federation Services (ADFS), enabling them to bypass multi-factor authentication (MFA) and gain unauthorized access to user accounts. This campaign has affected approximately 150 organizations, with nearly half of the victims in the education sector. Attackers send phishing emails disguised as messages from the organization’s IT help desk, incorporating branding elements to appear legitimate. These emails direct victims to fraudulent ADFS login pages, where credentials and MFA codes are harvested. The stolen information is then used to access ADFS, modify mail rules, and conduct lateral phishing attacks within the organization. (Source: Dark Reading)
- Ransomware Payments Drop 35% in 2024 Amid Law Enforcement Crackdowns – Ransomware revenue fell from $1.25 billion in 2023 to $812 million in 2024, marking a 35% decline, according to Chainalysis. While early 2024 suggested ransomware payments might surpass the previous year, the second half saw a sharp downturn in both the total value and number of payments. Law enforcement actions played a key role in this decline, disrupting major ransomware groups like LockBit and AlphV and targeting cryptocurrency laundering services used to process ransom payments. Additionally, victims grew increasingly skeptical of ransomware operators’ promises to delete stolen data after payment, further reducing the likelihood of payouts. (Source: The Record)
- DeepSeek Chatbot Code Links to Chinese State-Owned Telecom Company – Researchers have discovered that the web login page for DeepSeek’s chatbot contains code connecting it to China Mobile, a state-owned telecommunications company in China. The chatbot collects device-related information during user logins, raising concerns about potential data exposure. The U.S. government has previously identified links between China Mobile and the Chinese military. In 2019, the Federal Communications Commission (FCC) banned China Mobile from operating in the U.S., and in 2021, sanctions were imposed prohibiting U.S. citizens from investing in the company. (Source: Security Week)
- Joint U.S.-Dutch Operation Disrupts Business Email Compromise Network – A coordinated law enforcement operation between U.S. and Dutch authorities disrupted 39 domains linked to a business email compromise (BEC) network in January 2025. The domains were operated by a cybercriminal group known as Saim Raza, or HeartSender, which specialized in selling phishing toolkits and fraud-related tools. Cybercriminals used these tools to carry out BEC attacks, causing over $3 million in losses to U.S. companies. Active since 2020, the Saim Raza group not only provided phishing services but also offered training videos and marketed their tools as “fully undetectable.” (Source: U.S. Department of Justice)
- Ransomware Payments Decline in Late 2024, but Data Exfiltration Attacks Rise – The percentage of ransomware victims making payments dropped to 25% in Q4 2024, down from nearly one-third in Q3, according to incident response firm Coveware. Additionally, the median ransom payment fell from $200,000 to $110,890 by the end of the year. However, data exfiltration tactics became more prevalent, with nearly 90% of ransomware attacks in late 2024 involving stolen data. Notably, the percentage of victims paying ransoms for exfiltration-only attacks rose from 28% to 41%, highlighting a shift in cybercriminal tactics. (Source: Bank Info Security)