<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link href="https://www.tomshardware.com/feeds/tag/ransomware" rel="self" type="application/rss+xml" />
                            <title><![CDATA[ Latest from Tom's Hardware in Ransomware ]]></title>
                <link>https://www.tomshardware.com/tag/ransomware</link>
        <description><![CDATA[ All the latest ransomware content from the Tom's Hardware team ]]></description>
                                    <lastBuildDate>Wed, 29 Apr 2026 10:20:00 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Ransomware accidentally destroys all files larger than 128KB, preventing decryption — VECT code likely partly vibe coded with AI or used an old code base, security researchers suggest ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/ransomware-accidentally-destroys-all-files-larger-than-128kb-preventing-decryption-vect-code-likely-partly-vibe-coded-with-ai-or-used-an-old-code-base-security-researchers-suggest</link>
                                                                            <description>
                            <![CDATA[ A major flaw in a ransomware strain, caused by a programming mistake, means that files cannot be decrypted. It also has several minor issues, showing that its creator may not be as sophisticated as suggested. Still, researchers point out that these can be rectified in future versions of the malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Jn4Gbgu5mFDvbjP4FbeDgD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 29 Apr 2026 10:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:description>                                                            <media:text><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:text>
                                <media:title type="plain"><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>VECT, a ransomware-as-a-service (RaaS) that first started circulating online in December 2025, was discovered to host a major bug in its programming. According to <a href="https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/"><em>Check Point Research (CPR)</em></a>, the ransomware accidentally turned into a wiper after the program unintentionally discarded some nonces needed to decrypt files larger than 128KB. This means that even if a victim were to pay the attackers to unlock their data, no one can undo the damage because the nonces needed to reverse the encryption no longer exist. Numerous other problems plague the code, and CPR thinks the code was likely vibe coded using AI.</p><p>The ransomware would automatically break apart any file greater than 128KB into four different chunks and then encrypt each one with a random 12-byte nonce written to a single shared output buffer. Unfortunately for the victim, the four nonces share the same buffer address, meaning each new nonce overwrites the older one. So, once the process is complete, only the latest nonce (or the last of the four chunks) is preserved and appended to the file. That means even if the attacker provides the victim with the key to decrypt their data, it will not work, because only the last nonce of each file greater than 128KB is still attached.</p><p>This isn’t the only flaw that the researchers uncovered with the ransomware — they also saw issues with how the program uses CPU threads, string obfuscation routines that cancel each other out, and misidentified ciphers in its own public reports. VECT operators can pick between three encryption methods (fast, medium, and secure), and while the choice is parsed by the code, it is never implemented. 
Another uncommon characteristic of the malware is that it includes Ukraine as a Commonwealth of Independent States (CIS) member, which most have removed from their lists after Russia invaded Ukraine in 2022. </p><p>The malware is being presented as a sophisticated tool, with the group behind it appearing as sophisticated hackers. After all, it has multi-platform capabilities for attacking Windows, Linux, and even ESXi virtual machines, has partnered with other threat actors like TeamPCP, and has even built its own affiliate network through BreachForums. But because of the major issues affecting VECT, <em>CPR</em> theorized that the organization behind it either used AI tools to generate some of its code or that it relied on an older code base as the starting point for its ransomware.</p><p>This isn’t the first time that a major ransomware group has made a mistake in its programming. Just earlier this year, <a href="https://www.tomshardware.com/tech-industry/cyber-security/nitrogen-ransomware-programmers-lock-themselves-out-of-a-payment-key-management-bug-encrypts-victims-data-forever">Nitrogen ransomware made a mistake</a> that overwrote part of the encryption public keys with zeros. This meant that even with the private key, no one could undo the encryption because of the mangled public keys. Reporting suggests that this was probably caused by a common off-by-one issue related to a developer’s fat-finger mistake.</p><p>Still, this does not mean that the community at large should ignore threats like these, even though they seem to have backfired on their creators. The researchers pointed out that the people behind it have ambition and know what an effective ransomware should look like. The group could work on updating VECT to fix the issues that <em>CPR</em> revealed in its report and release a more effective version in the future. 
More importantly, it already has an existing distribution system, making it easier for the group to infect more systems without starting from scratch.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware negotiator pleads guilty after leaking victims' insurance details to 'BlackCat' hackers — perp gave attackers a precise picture of exactly how much each target could afford to pay ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/florida-man-pleads-guilty-after-leaking-victims-insurance-details-to-blackcat-hackers</link>
                                                                            <description>
                            <![CDATA[ Martino, of Land O’Lakes, Florida, is the third and final member of a trio of cybersecurity professionals charged in the scheme. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Btw63xx9cNMMCqo8FLtW2Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Apr 2026 12:22:35 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty / da-kuk]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ransomware]]></media:description>                                                            <media:text><![CDATA[ransomware]]></media:text>
                                <media:title type="plain"><![CDATA[ransomware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Angelo Martino, a 41-year-old former ransomware negotiator at the incident response firm DigitalMint, has pleaded guilty to conspiring with the ALPHV/BlackCat <a href="https://www.tomshardware.com/tech-industry/cyber-security/usd115-million-ransomware-hacker-arrested-over-extortion-attacks-scattered-spider-alumnus-allegedly-involved-in-over-120-computer-network-intrusions-targeting-47-u-s-entities">ransomware gang</a> to extort five U.S. companies whose data his employer had been hired to protect, the Department of Justice <a href="https://www.justice.gov/opa/pr/florida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and" target="_blank">announced</a> on Monday. </p><p>Martino, of Land O’Lakes, Florida, is the third and final member of a trio of cybersecurity professionals charged in the scheme; his co-conspirators, Ryan Clifford Goldberg and Kevin Tyler Martin, <a href="https://www.tomshardware.com/tech-industry/cyber-security/u-s-cybersecurity-experts-plead-guilty-for-ransomware-attacks-face-20-years-in-prison-each-group-demanded-up-to-usd10-million-from-each-victim">pleaded guilty in December</a>. Newly unsealed court filings put the total ransom payments across the insider-assisted attacks at more than $75 million, with two of the payments individually exceeding $25 million.</p><p>Starting in April 2023, Martino used his position as a negotiator to feed BlackCat operators confidential details about the five victim companies he was representing, according to the DOJ. 
That information included the victims' cyber insurance policy limits and details about how the negotiations were being perceived internally, giving the attackers a precise picture of exactly how much each target could afford to pay.</p><p>According to the unsealed court filings, a nonprofit victim paid a ransom worth nearly $26.8 million in cryptocurrency, a financial services company paid more than $25.6 million, and a hospitality company paid $16.5 million. A retail company paid $6.1 million, and a medical company paid $213,000.</p><p>Separately from the insider-assisted attacks, Martino also admitted to joining Goldberg and Martin in directly deploying BlackCat ransomware against additional U.S. victims between April and November 2023. Per an October 2025 indictment, the trio demanded more than $16 million in ransom from those attacks. One confirmed payment from a medical device company netted the group $1.274 million, which they split three ways after paying BlackCat's operators a cut.</p><p>Meanwhile, law enforcement has seized more than $10 million from Martino, including $9.2 million in cryptocurrency, two properties, a trailer, a luxury fishing boat, and two motor vehicles, including a 1999 Nissan Skyline, all of which were purchased with illicit proceeds. </p><p>"Angelo Martino's clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims," Assistant Attorney General A. Tysen Duva said in the DOJ’s statement. "Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself."</p><p>Martino is scheduled to be sentenced on July 9th, while Goldberg and Martin are set to be sentenced on April 30th. All three face a maximum of 20 years in prison.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Nitrogen ransomware programmers lock themselves out of a payment — key management bug encrypts victims' data forever ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/nitrogen-ransomware-programmers-lock-themselves-out-of-a-payment-key-management-bug-encrypts-victims-data-forever</link>
                                                                            <description>
                            <![CDATA[ Bug in Nitrogen ransomware locks victims' data away forever ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">WvUZh7ddG7VXjrjXoEiSnc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/45vX9DjTwtJrXsYdnnGQFS-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 07 Feb 2026 12:00:00 +0000</pubDate>                                                                                                                                <updated>Sat, 07 Feb 2026 12:02:24 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/45vX9DjTwtJrXsYdnnGQFS-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Keyboard random letters]]></media:description>                                                            <media:text><![CDATA[Keyboard random letters]]></media:text>
                                <media:title type="plain"><![CDATA[Keyboard random letters]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/45vX9DjTwtJrXsYdnnGQFS-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Anyone who's been on the receiving side of a ransomware attack can tell you they didn't have a good day. But what if that day was terrible for not just the victim, but also the attacker? Thanks to a coding bug, that's precisely the case with a variant of ransomware from the Nitrogen group that encrypts target data and literally tosses away the key, rendering the data <a href="https://www.veeam.com/blog/nitrogen-ransomware-bug.html">completely unrecoverable</a>.</p><p>The exact ransomware in question is Nitrogen's VMware ESXi variant, which targets hypervisors (virtual machine host servers) and presumably encrypts the virtual machines residing therein. Hypervisor attacks aren't new, and existing analysis shows that while sysadmins are generally good at deploying endpoint protection on hosted operating systems, they sometimes have lax policies regarding hypervisors.</p><p>What this ultimately means for victims hit by this particular strain is that they need not pay the ransom the group demands, as no one will be able to decrypt the data. The only course of action available is to fetch the latest backups. Should those not exist, the only option left is probably grief counseling. </p><p>At a technical level, what happens is that at the start of the data encryption step, part of the encryption public key is overwritten with zeros (8 bytes, or 64 bits). Since public and private keys are always specific pairs, this means no one has any idea what private key would match the now-mangled public key, assuming one can even computationally exist. <a href="https://www.veeam.com/blog/nitrogen-ransomware-bug.html">Veeam's technical deep dive</a> on the issue gives the impression that the bug was a common off-by-one mistake.</p><p>Veeam's report doesn't mention victims hit by this ESXi-specific strain, but the Nitrogen campaign has been in business since 2023. 
It has targeted North American financial institutions, mechanical and industrial firms, and even the developer of the <em>Outlast</em> series, Red Barrels.</p><p>Going for a ransom isn't much good if you can't collect on it. Thanks to what was probably some fat-fingering on the part of a developer, the world got a clear illustration of unintentional mutually assured destruction.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Interpol-led cybercrime crackdown results in 574 arrests in 19 African nations, decrypts six ransomware variants — Operation Sentinel disrupts rings that caused $21 million in losses, recovers $3 million ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/interpol-led-cybercrime-crackdown-results-in-574-arrests-in-19-african-nations-decrypts-six-ransomware-variants-operation-sentinel-disrupts-rings-that-caused-usd21-million-in-losses-recovers-usd3-million</link>
                                                                            <description>
                            <![CDATA[ Conducted between late October and November, Operation Sentinel saw international law enforcement agencies shut down cybercrime infrastructure, decrypt ransomware variants, and prevent large-scale financial losses across the region. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mjDoRPHkrSWKy846tWiRYE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fb6V7B3uEXYtNoywxgCnoU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 23 Dec 2025 16:03:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Kunal Khullar) ]]></author>                    <dc:creator><![CDATA[ Kunal Khullar ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/NDK3ae3zDxAx2BJnMXxBJV.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Kunal Khullar is a contributor at Tom’s Hardware with extensive writing experience in computing. With a deep-seated passion for technology, Kunal has dedicated years to mastering the intricacies of computer hardware components and staying at the forefront of the latest software developments. His journey in the tech world began with hands-on experience in assembling and troubleshooting PCs and laptops as a kid in the 90s, a skill he has meticulously honed over the years. He has worked for various publications covering a range of topics including smartphones, laptops, audio devices, and PC hardware. Currently, he is engrossed with everything happening in the world of computing with a growing obsession for unique PC cases and RGB cooling fans. Through his articles Kunal strives to demystify complex concepts for a broad audience. Kunal is also a casual gamer as he loves to squad up with his friends in &lt;em&gt;Apex Legends&lt;/em&gt;, and claims to have a fairly good taste in music especially when it comes to heavy metal.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fb6V7B3uEXYtNoywxgCnoU-1280-80.jpg">
                                                            <media:credit><![CDATA[Interpol]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A group of people arrested in Benin for committing cyber fraud]]></media:description>                                                            <media:text><![CDATA[A group of people arrested in Benin for committing cyber fraud]]></media:text>
                                <media:title type="plain"><![CDATA[A group of people arrested in Benin for committing cyber fraud]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fb6V7B3uEXYtNoywxgCnoU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>In an extensive coordinated effort led by Interpol, international law enforcement agencies have <a href="https://www.interpol.int/en/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa">reportedly arrested 574 suspects</a> in 19 countries across Africa involved in cybercrime operations. Operation Sentinel, conducted between October 27 and November 27, successfully recovered around $3 million by decrypting six ransomware variants and shutting down more than 6,000 malicious links. The top three cybercrimes identified during the crackdown included business email compromise (BEC), digital extortion, and ransomware.</p><p>The cases investigated during the operation were estimated to involve financial losses exceeding $21 million and spanned a long list of African nations, including Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe.</p><p>One of the biggest cases came from Senegal, where authorities tracked a BEC attempt targeting a large petroleum company. Scammers had managed to take control of the internal email systems and impersonated executives to authorize a wire transfer amounting to $7.9 million. The Senegalese authorities managed to freeze the destination accounts and successfully halt the transfer before a withdrawal was made.</p><p>In Ghana, a ransomware attack encrypted 100 terabytes of data, resulting in a $120,000 ransom demand from a financial institution. 
After conducting advanced malware analysis, the Ghanaian authorities managed to identify the ransomware strain, and successfully devised a decryption tool that recovered nearly 30 terabytes of data.</p><p>Neal Jetton, Director of Cybercrime at Interpol said, “<em>The scale and sophistication of cyberattacks across Africa are accelerating, especially against critical sectors like finance and energy. The outcomes from Operation Sentinel reflect the commitment of African law enforcement agencies, working in close coordination with international partners. Their actions have successfully protected livelihoods, secured sensitive personal data and preserved critical infrastructure.</em>”</p><p>Interpol flagged about the <a href="https://www.interpol.int/en/News-and-Events/News/2025/New-INTERPOL-report-warns-of-sharp-rise-in-cybercrime-in-Africa">sharp rise in cybercrime across Africa back in June 2025</a>, claiming that illegal activities conducted online accounts for more than 30% of all reported crime in Western and Eastern Africa. Additionally, around two-thirds of African member countries claimed cyber-related offenses accounted for a medium-to-high (10-30% or 30%+) share of all crimes.</p><p>Similar operations in the past have led to successful results including <a href="https://www.interpol.int/en/News-and-Events/News/2025/More-than-300-arrests-as-African-countries-clamp-down-on-cyber-threats">Operation Red Card</a>, where authorities arrested 306 suspects across seven African countries and seized 1842 devices targeting cyber-enabled fraud and scams. <a href="https://www.interpol.int/en/News-and-Events/News/2024/Major-cybercrime-operation-nets-1-006-suspects">Operation Serengeti</a> conducted last year managed to infiltrate cybercrime networks which were said to be responsible for an estimated $193 million in financial losses targeting 35,000 global victims.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/u-s-places-usd11-million-bounty-on-ukrainian-ransomware-mastermind-tymoshchuk-allegedly-stole-usd18-billion-from-large-companies-over-3-years</link>
                                                                            <description>
                            <![CDATA[ Volodymyr Tymoshchuk has been indicted by the United States for his involvement in ransomware crimes that stole an estimated $18 billion from large companies from 2018 to 2021. While the U.S. waits on extradition efforts, an $11 million bounty has been placed on his head. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iNmnLXvPsLewhPjZSmtDi3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Sep 2025 18:18:58 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sunny Grimm ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/TMvJDaYy3nyZ8kYLJ2rggY.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Sunny&#039;s tech journey began in 2017, when he spotted the shiny new GTX 1080 on the shelf of one Jarred Walton, Tom&#039;s Hardware&#039;s resident GPU expert. Babysitting for Jarred, Sunny was paid in a 1050 Ti, which killed his computer the second he tried to install it. One week of headscratching troubleshooting later, Sunny was brought into this new life of tinkering and trying to squeeze every frame of performance out of their hardware. First writing for PC Gamer, Sunny made the trek over to Tom&#039;s Hardware to tackle the morning&#039;s breaking tech news. Perpetually one generation behind the bleeding edge, Sunny is currently studying at a university in Utah. When they&#039;re not writing about the US-China trade war, Sunny is either writing new music, getting in rounds of &lt;em&gt;Magic: the Gathering&lt;/em&gt;, or advocating for minority rights.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:description>                                                            <media:text><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:text>
                                <media:title type="plain"><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The United States has <a href="https://www.justice.gov/opa/pr/lockergoga-megacortex-and-nefilim-ransomware-administrator-charged-ransomware-attacks">placed an $11 million bounty</a> on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement with a string of ransomware cybercrimes. Tymoshchuk faces severe federal charges for his part in reportedly masterminding the theft of a combined $18 billion over a three-year period. <br><br>Tymoshchuk is accused of being the kingpin behind the MegaCortex, LockerGoga, and Nefilim attacks, a string of attacks that were active from Dec. 2018 to Oct. 2021. The MegaCortex attack, which <a href="https://www.tomshardware.com/news/megacortex-ransomware-changes-windows-login-password">we covered in 2019</a>, changes the Windows passwords and encrypts the files of a host computer, threatening to make sensitive files public if the ransom goes unpaid. <br><br>"Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms," said U.S. Attorney Joseph Nocella Jr. in a statement from the Justice Department. One of the highest-profile thefts linked to Tymoshchuk and LockerGoga was the attack on <a href="https://www.theregister.com/2025/09/10/us_nefilim_ransomware_indictment/#:~:text=Among%20these%20was%20the%20infamous%20attack%20on%20Norsk%20Hydro%20in%202019%2C%20which%20garnered%20international%20attention%20for%20its%20impact%2C%20and%20the%20company%27s%20transparent%20response.">Norsk Hydro</a>, a renewable energy company based in Norway. The attack on Norsk caused a reported $81 million in damages as all of its 170 sites were impacted at some level.<br><br>Nocella continued, "For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. 
Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous." <br><br>Tymoshchuk is alleged to have run the LockerGoga and MegaCortex offensives between July 2019 and June 2020, at which point the two ransomware viruses went largely dark. From then on, Tymoshchuk is accused of having helped to engineer and administrate the Nefilim ransomware strain, selling access to it to attackers in exchange for 20% of the ransomed funds received from each successful attack. <br><br>An unsealed indictment, archived by <a href="https://regmedia.co.uk/2025/09/10/volodymyr_tymoshchuk_superseding_indictment.pdf"><em>The Register</em></a>, lists a number of unnamed victim companies from across the United States and Europe. Tymoshchuk is on the hook for seven total charges relating to intentional damage to a private computer and threatening to disclose private information. If found guilty, Tymoshchuk faces a maximum sentence of life in prison. <br><br>The LockerGoga/MegaCortex and Nefilim schemes seem fairly different from one another in hindsight. The tools utilized Metasploit and Cobalt Strike, penetration testing software that could be weaponized by the attackers — who then stayed under the radar on the victim networks, sometimes for months, before launching the attack.<br><br>MegaCortex reportedly <a href="https://www.tomshardware.com/news/megacortex-ransomware-changes-windows-login-password">broke containment</a> in Nov. 2019. Originally intended for use exclusively against corporate targets, the ransomware soon spread to individual user PCs with certain vulnerabilities. 
Conversely, Nefilim affiliates and administrators specifically kept their targets to companies valued at $100 million or more, according to the indictment (contradicting contemporary reporting, which found Nefilim's MO to be companies worth over the $1 billion mark).<br><br>If Tymoshchuk is successfully extradited to the United States, he'll face an uphill battle in the U.S. court system, as he is linked to the already-extradited Artem Stryzhak (Tymoshchuk's co-defendant in the trial). </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI-powered PromptLocker ransomware is just an NYU research project — the code worked as a typical ransomware, selecting targets, exfiltrating selected data and encrypting volumes ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/ai-powered-promptlocker-ransomware-is-just-an-nyu-research-project-the-code-worked-as-a-typical-ransomware-selecting-targets-exfiltrating-selected-data-and-encrypting-volumes</link>
                                                                            <description>
                            <![CDATA[ ESET's discovery of the first AI-powered ransomware turned out to be an NYU research project. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KsCMqSZzrATmyDEpMRCv66</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ojrHVrPrx2rbWBSnEMm2Ze-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 Sep 2025 13:47:34 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nathaniel has been writing about various aspects of the technology industry, from startups and cybersecurity to social media and enthusiast hardware, since 2011. Lately, he spends his time writing and spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ojrHVrPrx2rbWBSnEMm2Ze-1280-80.jpg">
                                                            <media:credit><![CDATA[Pexels]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Virus]]></media:description>                                                            <media:text><![CDATA[Virus]]></media:text>
                                <media:title type="plain"><![CDATA[Virus]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ojrHVrPrx2rbWBSnEMm2Ze-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>ESET said on Aug. 26 that it had discovered the <a href="https://www.tomshardware.com/tech-industry/cyber-security/the-first-ai-powered-ransomware-has-been-discovered-promptlock-uses-local-ai-to-foil-heuristic-detection-and-evade-api-tracking" target="_blank">first AI-powered ransomware</a>, which it dubbed PromptLocker, in the wild. But it seems that wasn't the case: New York University (NYU) researchers have claimed responsibility for the malware ESET found.</p><p>It turns out PromptLocker is actually an experiment called "Ransomware 3.0" conducted by researchers at NYU's Tandon School of Engineering. A spokesperson for the school told <em>Tom's Hardware</em> a Ransomware 3.0 sample was uploaded to VirusTotal, a malware analysis platform, and then picked up by the ESET researchers by mistake.</p><p>ESET <a href="https://infosec.exchange/@ESETresearch/115095803130379945" target="_blank">said</a> that the malware "leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption." The company noted that the sample hadn't implemented destructive capabilities, however, which makes sense for a controlled experiment.</p><p>But the malware does work: NYU <a href="https://engineering.nyu.edu/news/large-language-models-can-execute-complete-ransomware-attacks-autonomously-nyu-tandon-research" target="_blank">said</a> "a simulation malicious AI system developed by the Tandon team carried out all four phases of ransomware attacks — mapping systems, identifying valuable files, stealing or encrypting data, and generating ransom notes — across personal computers, enterprise servers, and industrial control systems."</p><p>Is that worrisome? Absolutely. But there's a significant difference between academic researchers demonstrating a proof-of-concept and legitimate hackers using that same technique in real-world attacks. 
Now the study will likely inspire the ne'er-do-wells to adopt similar approaches, especially since it seems to be remarkably affordable.</p><p>"The economic implications reveal how AI could reshape ransomware operations," the NYU researchers said. "Traditional campaigns require skilled development teams,  custom malware creation, and substantial infrastructure investments. The prototype consumed approximately 23,000 AI tokens per complete attack execution, equivalent to roughly $0.70 using commercial API services running flagship models."</p><p>As if that weren't enough, the researchers said that "open-source AI models eliminate these costs entirely," so ransomware operators won't even have to shell out the 70 cents needed to work with commercial LLM service providers. They'll receive a far better return on investment than anyone pumping money into the AI sector, at least.</p><p>But for now that's all still conjecture. This is compelling research, sure, but it seems we're going to have to wait a while longer for the cybersecurity industry's promise that AI will be the future of hacking to come to fruition. (Or be exposed as the same AI boosterism taking place throughout the rest of the tech industry; whichever.)</p><p>NYU's paper on this study, "Ransomware 3.0: Self-Composing and LLM-Orchestrated," is available <a href="https://arxiv.org/abs/2508.20444" target="_blank">here</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The first AI-powered ransomware has been discovered — "PromptLock" uses local AI to foil heuristic detection and evade API tracking [Updated] ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/the-first-ai-powered-ransomware-has-been-discovered-promptlock-uses-local-ai-to-foil-heuristic-detection-and-evade-api-tracking</link>
                                                                            <description>
                            <![CDATA[ Security firm ESET has discovered a new type of ransomware that uses a local AI model to generate malicious scripts and perform other illicit activities. Because of the variance of LLM output, this malware is harder to track than traditional attacks. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qMEqX9t9Ny8fo2kmqXuthM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Gj7XP9GzWNL2hf6fkRdHS3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 Aug 2025 19:10:21 +0000</pubDate>                                                                                                                                <updated>Fri, 05 Sep 2025 16:00:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nathaniel has been writing about various aspects of the technology industry, from startups and cybersecurity to social media and enthusiast hardware, since 2011. Lately, he spends his time writing and spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Gj7XP9GzWNL2hf6fkRdHS3-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI hacking]]></media:description>                                                            <media:text><![CDATA[AI hacking]]></media:text>
                                <media:title type="plain"><![CDATA[AI hacking]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Gj7XP9GzWNL2hf6fkRdHS3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><em><strong>Edit 9/5/2025 9 am ET:  </strong></em>A representative from NYU's Tandon School of Engineering contacted Tom's Hardware to claim responsibility for the malware referenced in the below article — this malware, found by ESET, was in fact a research project from the school. We have issued a follow-up article covering the situation, which you can read here: <a href="https://www.tomshardware.com/tech-industry/cyber-security/ai-powered-promptlocker-ransomware-is-just-an-nyu-research-project-the-code-worked-as-a-typical-ransomware-selecting-targets-exfiltrating-selected-data-and-encrypting-volumes">AI-powered PromptLocker ransomware is just an NYU research project — the code worked as a typical ransomware, selecting targets, exfiltrating selected data, and encrypting volumes</a></p><p><em><strong>Original article follows:</strong></em><br><br>ESET today announced the discovery of "the first known AI-powered ransomware." The ransomware in question has been dubbed PromptLock, presumably because seemingly everything related to generative AI has to be prefixed with "prompt." </p><p>ESET said that this malware uses an open-weight large language model developed by OpenAI to generate scripts that can perform a variety of functions on Windows, macOS, and Linux systems while confounding defensive tools by exhibiting slightly different behavior each time.</p><p>"PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption," ESET <a href="https://infosec.exchange/@ESETresearch/115095803130379945" target="_blank">said</a> in a Mastodon post about the malware. "Based on the detected user files, the malware may exfiltrate data, encrypt it, or potentially destroy it. 
Although the destruction functionality appears to be not yet implemented."</p><p>Lua might seem like an odd choice of programming language for ransomware; it's mostly known for being used to develop games within Roblox or plugins for the NeoVim text editor. But it's actually a general-purpose language that offers a variety of advantages to the ransomware operators—including good performance, cross-platform support, and a focus on simplicity that makes it well-suited to "<a href="https://en.wikipedia.org/wiki/Vibe_coding" target="_blank">vibe coding</a>."</p><p>It's important to remember that LLMs are non-deterministic; their output will change even if you provide the same input with the same prompt to the same model on the same device. That's maddening if you expect them to exhibit the exact same behavior over time, but ransomware operators don't necessarily want that, because it makes it easier for defensive tooling to associate patterns of behavior with known malware.</p><p>PromptLock "uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly," which helps it to evade detection. The fact that the model runs locally also makes it so OpenAI can't snitch on the ransomware operators—if they had to call an API on its servers every time they generate one of these scripts, the jig would be up. The pitfalls of vibe coding don't really apply, either, since the scripts are running on someone else's system.</p><p>Maybe this will make for a decent consolation prize for AI companies. Yeah, they're <a href="https://www.yahoo.com/news/articles/ai-industry-warns-lawsuit-could-221033688.html" target="_blank">facing massive lawsuits</a>. Sure, basically <a href="https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/" target="_blank">nobody has seen</a> any benefits from adopting their services. 
Okay, so <a href="https://www.cnbc.com/2025/08/21/meta-brakes-massive-ai-talent-recruitment-spending-spree-mark-zuckerberg-tbd-superintelligence-lab.html" target="_blank">even Meta's cutting back</a> on its AI-related spending spree. But nobody can say that AI is useless—it's convinced at least some ransomware operators to use local models in their warez! That counts for something, right?</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware attack disrupts Maryland's public transit service for disabled travelers — MTA says it is investigating cybersecurity incident but core services operating normally ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/ransomware-attack-disrupts-marylands-public-transit-service-for-disabled-travelers-mta-says-it-is-investigating-cybersecurity-incident-but-core-services-operating-normally</link>
                                                                            <description>
                            <![CDATA[ The service, Mobility, was unable to accept requests for rides or changes to already-booked rides following a ransomware attack. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">DJasPYshRSnAHRYpNBCn3F</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fHiubnv7eMKZDPAHqVD4f4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 Aug 2025 11:30:28 +0000</pubDate>                                                                                                                                <updated>Tue, 26 Aug 2025 16:11:45 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nathaniel has been writing about various aspects of the technology industry, from startups and cybersecurity to social media and enthusiast hardware, since 2011. Lately, he spends his time writing and spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fHiubnv7eMKZDPAHqVD4f4-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[White Wi-Fi logo on a computer icon overlaid by a skull over a red background]]></media:description>                                                            <media:text><![CDATA[White Wi-Fi logo on a computer icon overlaid by a skull over a red background]]></media:text>
                                <media:title type="plain"><![CDATA[White Wi-Fi logo on a computer icon overlaid by a skull over a red background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fHiubnv7eMKZDPAHqVD4f4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Maryland Transit Administration says it is actively investigating a cybersecurity incident, namely a ransom attack, that has rendered it unable to accept new requests for rides for its Mobility paratransit service for the disabled. </p><p>MTA, which <a href="https://www.mta.maryland.gov/about" target="_blank">says</a> on its website that it's responsible for "one of the largest multi-modal transit systems in the United States," <a href="https://www.mta.maryland.gov/cybersecurity-incident" target="_blank">said</a> that it's "actively investigating a cybersecurity incident that involves unauthorized access to certain systems" with assistance from the Maryland Department of Information Technology. </p><p>The good news is that MTA said its "core services (Local Bus, Metro Subway, Light Rail), MARC, Mobility [sic], Call-A-Ride, and Commuter Bus are operating normally." It's also planning to continue to offer Mobility rides that were booked prior to the incident; it just doesn't have the requisite systems in place to handle requests for new rides.</p><p>"The agency is actively working to resolve this issue as quickly and securely as possible and will provide updates as they become available," MTA said. "In the meantime, eligible riders should consider using the Call-A-Ride program, which can be accessed at <a href="https://www.mtacallaride.org" target="_blank">www.mtacallaride.org</a> or (410) 664-2030." (Guidelines can be found <a href="https://s3.amazonaws.com/mta-website-staging/mta-website-staging/files/Mobility/Update%20Mobility%20Rider%20Requirements%202025.pdf" target="_blank">here</a>.)</p><p>This isn't a one-off incident. 
Ransomware gangs seem to be making a habit of targeting these services: <em>The Record </em><a href="https://therecord.media/maryland-cyberattack-transit-disabled-people" target="_blank">reported</a> that "over the last two years, cities in <a href="https://therecord.media/safford-arizona-hospital-st-louis-call-a-ride-cyberattacks" target="_blank">Missouri</a>, <a href="https://therecord.media/central-va-transit-system-cyberattack" target="_blank">Virginia,</a> and other states have had to provide alternatives to disabled residents after cyberattacks or ransomware incidents took critical systems offline." </p><p>"Our primary goal is to ensure the safety and security of our transit customers and employees," MTA said. "MDOT/MTA are working with our partners to support all communities impacted. We will work with our media partners to keep the public updated."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware — three China-affiliated threat actors seen taking advantage ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantage</link>
                                                                            <description>
                            <![CDATA[ Microsoft said that critical vulnerabilities in SharePoint are being exploited by a potentially China-linked threat actor, Storm-2603, to deploy ransomware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">EjDhG7toM2cSAexRANN9ZW</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8wcDGraPng6PZj25racN9o-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 24 Jul 2025 15:09:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nathaniel has been writing about various aspects of the technology industry, from startups and cybersecurity to social media and enthusiast hardware, since 2011. Lately, he spends his time writing and spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8wcDGraPng6PZj25racN9o-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty / Bloomberg]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft logo]]></media:description>                                                            <media:text><![CDATA[Microsoft logo]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8wcDGraPng6PZj25racN9o-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft said that a hacking group it's tracking as Storm-2603 is exploiting critical vulnerabilities in the company's SharePoint platform to deploy ransomware.</p><p>SharePoint is "a secure, enterprise-grade content management and collaboration platform," according to Microsoft's <a href="https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration" target="_blank">website</a>, which also describes it as a way to "securely collaborate, sync, and share content." (Essentially: organizations use it to build sites accessed via their intranets.) But those assurances of its security have been undermined by reports of multiple groups exploiting numerous vulnerabilities in the platform.</p><p>Microsoft <a href="https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/" target="_blank">said</a> on July 19 that it was "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update." Now those vulnerabilities—including <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-49704" target="_blank">CVE-2025-49704</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-49706" target="_blank">CVE-2025-49706</a>, and bypasses for the patches released to fix them, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-53770" target="_blank">CVE-2025-53770</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-53771" target="_blank">CVE-2025-53771</a>—are being used to deploy the Warlock ransomware.</p><p>The company's threat intelligence team <a href="https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/" target="_blank">said</a> on July 22 that it had "observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon[,] exploiting these vulnerabilities targeting internet-facing SharePoint servers." 
It updated that report on July 23 to say it had "observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware."</p><p>Microsoft <a href="https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming" target="_blank">assigns</a> identifiers to hacking groups with suffixes based on their country of origin (China is Typhoon, North Korea is Sleet, etc.), as well as the nature of their activity (influence operations are Flood while financially motivated groups are Tempest) and other factors. Groups "in development" are given the Storm prefix followed by a numeric sequence; in this case, the resulting identifier is Storm-2603.</p><p>"The group that Microsoft tracks as Storm-2603 is assessed with moderate confidence to be a China-based threat actor," the company said. "Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities."</p><p>So what should organizations that rely on SharePoint do to mitigate the risk of joining the list of Storm-2603's victims? Unfortunately, there isn't a one-click solution—Microsoft said they should ensure they're using the latest version of the platform, which is typical for advisories like this, but its advice didn't end with installing a few updates. 
(Especially since bypasses to some of its fixes have already been found.)</p><p>"To stop unauthenticated attacks from exploiting this vulnerability," Microsoft said, "customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode[.] Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions."</p><p>Expect to learn more about Storm-2603, the organizations that have been affected by these vulnerabilities, and more as Microsoft's investigation continues.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ UK to ban making ransomware payments for some organizations — targets 'public sector bodies and operators of critical national infrastructure'  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/uk-to-ban-making-ransomware-payments-for-some-organizations-targets-public-sector-bodies-and-operators-of-critical-national-infrastructure</link>
                                                                            <description>
                            <![CDATA[ The UK Home Office and National Cyber Security Centre announced that some organizations could be banned from making ransomware payments. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">SGoU6x5rFQc3WCRV8AUUkU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 23 Jul 2025 14:41:03 +0000</pubDate>                                                                                                                                <updated>Thu, 18 Jun 2026 09:39:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Policy]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nathaniel has been writing about various aspects of the technology industry, from startups and cybersecurity to social media and enthusiast hardware, since 2011. Lately, he spends his time writing and spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty / da-kuk]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ransomware]]></media:description>                                                            <media:text><![CDATA[ransomware]]></media:text>
                                <media:title type="plain"><![CDATA[ransomware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ransomware gangs might have to scratch a few targets off their lists. The UK Home Office and National Cyber Security Centre (NCSC) announced proposals to ban ransom payments in an effort to "crack down on cyber criminals and safeguard the public."</p><p>According to the <a href="https://www.gov.uk/government/news/uk-to-lead-crackdown-on-cyber-criminals-with-ransomware-measures" target="_blank">announcement</a>, the proposals would prohibit "public sector bodies and operators of critical national infrastructure, including the [National Health Service], local councils and schools," from making ransomware-related payments. They would also require other businesses planning to pay a ransom to notify the UK government so it can "provide those businesses with advice and support" before the payment is made. (Including a heads-up if such a payment would violate sanctions on Russia.)</p><p>The proposals wouldn't require companies to inform the UK government of a ransomware attack if they didn't plan to pay the ransom. But the announcement indicated that a mandatory reporting policy is in the works, too, in a bid to "equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities" and "better protect British organisations and industry." That should make it more difficult to deploy ransomware in the UK without risking law enforcement's ire.</p><p>"The new package of measures will lead the way in tackling ransomware and are designed to strike against cyber criminals’ business model, bolstering our national security and protecting key services and businesses from disruption - delivering on our Plan for Change," the Home Office and NCSC said in the announcement. 
"They follow an extensive consultation with stakeholders across the UK, which showed strong public backing for tougher action to tackle ransomware and protect vital services."</p><p>The UK and Singapore previously <a href="https://www.counter-ransomware.org/briefingroom/8ed7d1de-1a74-4a36-a2df-d5950624ebd8" target="_blank">said</a> in January 2024 that they "strongly discourage anyone from paying a ransomware demand" because doing so:</p><ul><li>Does not guarantee the end of an incident, or the removal of malicious software from your systems</li><li>Provides incentives for criminals to continue and expand their activities</li><li>Provides funds that criminal actors can use for illicit activity</li><li>Does not guarantee you will get your data back</li></ul><p>Now the UK is looking to outright ban those payments rather than merely "strongly discouraging" them. The news follows reports earlier this week that a <a href="https://www.tomshardware.com/tech-industry/cyber-security/158-year-old-company-forced-to-close-after-ransomware-attack-precipitated-by-a-single-guessed-password-700-jobs-lost-after-hackers-demand-unpayable-sum">158-year-old UK company was forced to shut down following a ransomware attack, at the cost of 700 jobs</a>.</p><p>"Cyber criminals have not only cost the nation billions of pounds but in some cases have brought essential services to a standstill," the Home Office and NCSC said. "The devastating consequences are not just financial but can put lives in danger, with an NHS organisation recently identifying a ransomware attack as one of the factors that contributed to a patient’s death. These attacks have brutally exposed the alarming vulnerability at the core of our public and private institutions, from flagship British retailers and essential supermarkets including the Co-op to NHS hospitals."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 158-year-old company forced to close after ransomware attack precipitated by a single guessed password — 700 jobs lost after hackers demand unpayable sum ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/158-year-old-company-forced-to-close-after-ransomware-attack-precipitated-by-a-single-guessed-password-700-jobs-lost-after-hackers-demand-unpayable-sum</link>
                                                                            <description>
                            <![CDATA[ The 158-year-old Knights of Old transportation company has collapsed in the wake of a ransomware attack, with 700 jobs lost. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">DkhbTLefnEU533o2f9nPWf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8DuVPNTobLos6qhXm7tw8e-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 22 Jul 2025 13:28:06 +0000</pubDate>                                                                                                                                <updated>Tue, 22 Jul 2025 16:15:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8DuVPNTobLos6qhXm7tw8e-1280-80.jpg">
                                                            <media:credit><![CDATA[MAN Truck &amp; Bus UK on Facebook]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Knights of Old added two new MAN vehicles to the fleet in 2022]]></media:description>                                                            <media:text><![CDATA[Knights of Old added two new MAN vehicles to the fleet in 2022]]></media:text>
                                <media:title type="plain"><![CDATA[Knights of Old added two new MAN vehicles to the fleet in 2022]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8DuVPNTobLos6qhXm7tw8e-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A UK-based transportation company with a venerable 158-year history has collapsed in the wake of a ransomware attack. Around 500 Northamptonshire-based Knights of Old (KNP) trucks are now off the road, and 700 people have lost their jobs, due to money-grasping cyberattackers, named as ‘Akira’ in a <a href="https://www.bbc.co.uk/news/articles/cx2gx28815wo" target="_blank">BBC report</a>. </p><p>The internet-connected criminals are said to have gained access to KNP’s internet systems via a weak password that was used by one of the employees at the firm. Actually, the <a href="https://www.tomshardware.com/news/ai-cracks-most-common-passwords-in-less-than-a-minute">password</a> was so weak it was simply guessed correctly, it is thought. Naturally, KNP doesn't want to name the specific employee whose password was compromised. After breaking this weakest link, the hackers encrypted and locked KNP’s operational data. The cyber villains then told KNP that the only way to get their data unlocked would be to pay.</p><p>A ransom note left by the hackers read as follows. “If you're reading this it means the internal infrastructure of your company is fully or partially dead… Let's keep all the tears and resentment to ourselves and try to build a constructive dialogue,” says the BBC report.</p><p>While the BBC report doesn't expand, the story is also the subject of a <a href="https://www.bbc.co.uk/iplayer/episode/m002g7lj/panorama-fighting-cyber-criminals" target="_blank">Panorama documentary</a> released this week. According to the program, KNP had taken out insurance against cyberattacks. Its provider, Solace Global, sent a "cybercrisis" team to help, arriving on the scene on the following morning. According to Paul Cashmore of Solace, the team quickly determined that all of KNP's data had been encrypted, and all of their servers, backups, and disaster recovery had been destroyed. 
Furthermore, <em>all</em> of their endpoints had also been compromised, described as a worst-case scenario. </p><p>KNP investigated the ransomware demand with the help of a specialist firm, which estimated that the monetary demands could be as high as £5 million ($6.74 million). This was a sum well beyond the means of KNP, the documentary noting the company "simply didn't have the money."</p><h2 id="calls-for-improved-cybersecurity-hygiene">Calls for improved cybersecurity hygiene</h2>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ German charity refuses to comply with Bitcoin ransomware demand — hackers attempt to extort hunger-fighting group for over $2 million ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/german-charity-refuses-to-comply-with-bitcoin-ransomware-demand-hackers-attempt-to-extort-hunger-fighting-group-for-over-usd2-million</link>
                                                                            <description>
                            <![CDATA[ A German hunger-fighting charity is on the hook for some $2 million after being extorted by cybercriminals. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eH5yBgYLd5MHDEoJQLXeF4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/T5eBcPmYS7K99BCvGynZQE-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 02 Jul 2025 15:45:07 +0000</pubDate>                                                                                                                                <updated>Thu, 03 Jul 2025 18:29:58 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nathaniel Mott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/hEFeUwJHtzVDWEZTcjDqt9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nathaniel has been writing about various aspects of the technology industry, from startups and cybersecurity to social media and enthusiast hardware, since 2011. Lately, he spends his time writing and spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/T5eBcPmYS7K99BCvGynZQE-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Bitcoin crash coin disintegrating]]></media:description>                                                            <media:text><![CDATA[Bitcoin crash coin disintegrating]]></media:text>
                                <media:title type="plain"><![CDATA[Bitcoin crash coin disintegrating]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/T5eBcPmYS7K99BCvGynZQE-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Here's the regularly scheduled reminder that no amount of stock imagery featuring shadowy figures in black hoodies and Guy Fawkes masks can make cybercriminals seem cool: A ransomware-as-a-service group is reportedly looking to sell information stolen from Welthungerhilfe, or "World Hunger Help," in exchange for 20 bitcoin.</p><p><em>The Record </em>today <a href="https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack" target="_blank">reports</a> that the ransomware group "recently listed the charity on its darknet leak site" and that "although it is not clear whether WHH’s computer networks have also been encrypted," the German nonprofit has said "it would not be making an extortion payment to the criminals behind the attack."</p><p>CoinMarketCap <a href="https://coinmarketcap.com/currencies/bitcoin/" target="_blank">puts</a> the value of 20 bitcoin at roughly $2.1 million at the time of writing. That would be easy for some companies to pay—Mark Zuckerberg has <a href="https://www.wired.com/story/mark-zuckerberg-meta-offer-top-ai-talent-300-million/" target="_blank">reportedly</a> offered more than $100 million per year to work on Meta's various AI projects—but it's almost comically despicable to demand that much from a nonprofit like WHH.</p><p>This is how WHH describes its work on its <a href="https://www.welthungerhilfe.org/who-we-are" target="_blank">website</a>:</p><p>"In 2023 alone, WHH supported about 16.4 million people with its 630 overseas projects in 36 countries. In real terms, that means: Many people now harvest more and can therefore improve their diets. They now have clean drinking water or toilets at home, which leaves them less susceptible to illness. Others are earning or producing more and can begin an education. 
For the children, WHH's support means a chance of improved physical and mental development."</p><p>Now the organization has to respond to a ransomware incident (and, mea culpa, the media coverage that comes with it) instead of focusing on its mission. This isn't <a href="https://www.pcmag.com/news/hackers-try-to-sell-mining-bypass-for-nvidia-gpus-for-1-million" target="_blank">some teenagers demanding</a> that Nvidia make its graphics drivers open source; it's a potential impediment to WHH's efforts to help millions of people live better lives.</p><p>But that's a trend for this group: <em>The Record </em>reported that it "was previously responsible for attacks on multiple hospitals — including <a href="https://therecord.media/chicago-childrens-hospital-data-breach-ransomware" target="_blank">The Ann & Robert H. Lurie Children’s Hospital of Chicago</a> and hospitals run by <a href="https://therecord.media/prospect-hospitals-still-recovering" target="_blank">Prospect Medical Holdings</a> — and last year also <a href="https://therecord.media/easterseals-central-illinois-data-breach" target="_blank">attempted to extort</a> the disability nonprofit Easterseals."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Crypto giant Coinbase falls prey to an inside job, expects up to $400 million in losses ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-giant-coinbase-falls-prey-to-an-inside-job-expects-up-to-usd400-million-in-losses</link>
                                                                            <description>
                            <![CDATA[ Some Coinbase employees stole customer information for hackers, causing some of its clients to fall victim to social engineering attacks. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">YZ42vQtFAytb7eZJ7BvvcB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/d8FMtBoYmKBnuKvGXGM3VB-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 15 May 2025 13:40:26 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:56:11 +0000</updated>
                                                                                                                                            <category><![CDATA[Cryptocurrency]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/d8FMtBoYmKBnuKvGXGM3VB-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker]]></media:description>                                                            <media:text><![CDATA[Hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/d8FMtBoYmKBnuKvGXGM3VB-1280-80.jpg" />
                                                                                                                                    </item>
                                <item>
                                                            <title><![CDATA[ AMD is allegedly working on Arm-based "Sound Wave" APUs for Microsoft's Surface laptops next year ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/amd-is-allegedly-working-on-arm-based-sound-wave-apus-for-microsofts-surface-laptops-next-year</link>
                                                                            <description>
                            <![CDATA[ AMD is reportedly planning to integrate Arm-based cores in its Sound Wave APUs, in a bid to secure design wins for Microsoft's Surface laptops next year. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9zRRPi7XfPEHAPmA8AqnqE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TUHuhJvJj44jmkGPxZh67g-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 14 May 2025 13:22:45 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:44:29 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Hassam Nasir) ]]></author>                    <dc:creator><![CDATA[ Hassam Nasir ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/SxxNFHt95eGK37mKPhJpdZ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Hassam is a lifelong PC gamer and tech enthusiast with over five years of experience in PC hardware journalism. His passion began in childhood when he rescued a discarded Pentium 4 processor, straightening its pins with a kitchen knife to revive a Dell Dimension 2400 at the age of seven. Since then, he has followed the advancements in technology, witnessing the evolution of hardware from the era of AMD&#039;s Opteron architecture to Intel&#039;s Smithfield (Pentium D), and the rise of Voodoo GPUs alongside Nvidia&#039;s FX GPUs taking the market by storm to the latest innovations today. As a seasoned writer, Hassam loves to get into the nitty-gritty details of hardware, providing insights on everything from CPUs, Motherboards and RAM to GPUs. When he’s not writing, you’ll find him building custom water-cooled PCs for himself and his friends, attending drag racing events, or collecting niche fragrances.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/TUHuhJvJj44jmkGPxZh67g-1280-80.png">
                                                            <media:credit><![CDATA[AMD]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AMD]]></media:description>                                                            <media:text><![CDATA[AMD]]></media:text>
                                <media:title type="plain"><![CDATA[AMD]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TUHuhJvJj44jmkGPxZh67g-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>AMD is allegedly working on an Arm-based SoC, codenamed "Sound Wave", in a bid to power Microsoft's Surface laptops next year, claims Kepler via <a href="https://www.ithome.com/0/852/661.htm" target="_blank">ITHome</a>. Moving away from traditional x86 designs, Sound Wave is reported to feature the Arm ISA and will likely leverage off-the-shelf Cortex cores. Details on exact specifications, availability, and pricing remain under wraps, so it's wise to approach this leak with caution.</p><p>Looking beyond its historical Wintel roots, Microsoft has made a clear push towards the WoA (Windows on Arm) platform. This was put into effect with the firm's partnership with Qualcomm, which yielded the <a href="https://www.tomshardware.com/laptops/snapdragon-x-plus-now-comes-in-an-8-core-variant" target="_blank">Snapdragon X </a>family. This was likely a significant catalyst that motivated Intel to engineer an efficiency-first alternative: <a href="https://www.tomshardware.com/pc-components/cpus/intel-launches-lunar-lake-claims-arm-beating-battery-life-worlds-fastest-mobile-cpu-cores" target="_blank">Lunar Lake</a>. In fact, even Nvidia is entering the WoA space with its rumored <a href="https://www.tomshardware.com/pc-components/cpus/nvidia-and-mediateks-ai-cpu-may-not-see-mass-rollout-until-late-2026-asus-dell-and-lenovo-reportedly-developing-n1x-desktops-and-laptops" target="_blank">N1 family </a>of SoCs, developed in partnership with MediaTek. </p><p>The strong success of the <a href="https://www.tomshardware.com/video-games/nintendo/nintendo-switch-2-hands-on-bigger-faster-and-with-mouse-controls">Nintendo Switch</a>, powered by Nvidia hardware, underlines a lucrative market for Arm-based handhelds. These Sound Wave SoCs, if true, could be a foundation for the Steam Deck 2, but I must emphasize this is highly speculative. 
Microsoft's current-generation <a href="https://www.tomshardware.com/laptops/ultrabooks-ultraportables/microsoft-surface-pro-2024-review" target="_blank">Surface Pro 11 </a>and <a href="https://www.tomshardware.com/laptops/snapdragon-x-powered-surface-laptop-7-gets-frequently-returned-item-warning-on-amazon" target="_blank">Surface 7 laptops </a>are powered by chips from Qualcomm and Intel. AMD's existing gap in efficiency compared to Snapdragon X, Lunar Lake, and likely soon-to-launch N1 offerings could be bridged with these Arm-based SoCs.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1336px;"><p class="vanilla-image-block" style="padding-top:21.11%;"><img id="H9gbRsM6iC7jzR9A3DpCfD" name="KeplerL2 describing AMD's Sound Wave" alt="KeplerL2 describing AMD's Sound Wave" src="https://cdn.mos.cms.futurecdn.net/H9gbRsM6iC7jzR9A3DpCfD.webp" mos="" align="middle" fullscreen="" width="1336" height="282" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: ITHome)</span></figcaption></figure>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ World's first CPU-level ransomware can "bypass every freaking traditional technology we have out there" — new firmware-based attacks could usher in new era of unavoidable ransomware ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/worlds-first-cpu-level-ransomware-can-bypass-every-freaking-traditional-technology-we-have-out-there-new-firmware-based-attacks-could-usher-in-new-era-of-unavoidable-ransomware</link>
                                                                            <description>
                            <![CDATA[ Rapid7's Christiaan Beek has taken CPU ransomware to proof of concept. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZPZWEN4i34TAqg5Gy3sfC8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/3qvD3RNQhjzVnwpfLt3eUF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 14 May 2025 10:50:40 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:56:59 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ stephen.warwick@futurenet.com (Stephen Warwick) ]]></author>                    <dc:creator><![CDATA[ Stephen Warwick ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/uWwzwaway8BM4BERLmtuNE.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Stephen is Tom&#039;s Hardware&#039;s News Editor with almost a decade of industry experience covering technology, having worked at TechRadar, iMore, and even Apple over the years. He has covered the world of consumer tech from nearly every angle, including supply chain rumors, patents and litigation, and more. When he&#039;s not at work, he loves reading about history and playing video games.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/3qvD3RNQhjzVnwpfLt3eUF-1280-80.jpg">
                                                            <media:credit><![CDATA[Tom&#039;s Hardware]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ocypus Iota A62 Digital CPU Cooler]]></media:description>                                                            <media:text><![CDATA[Ocypus Iota A62 Digital CPU Cooler]]></media:text>
                                <media:title type="plain"><![CDATA[Ocypus Iota A62 Digital CPU Cooler]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/3qvD3RNQhjzVnwpfLt3eUF-1280-80.jpg" />
                                                                                                                                    </item>
                                <item>
                                                            <title><![CDATA[ RTX 5090 with Core 2 Duo? Nvidia driver change opens up bizarre system build options ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/gpu-drivers/rtx-5090-with-core-2-duo-nvidia-driver-change-opens-up-bizarre-system-build-options</link>
                                                                            <description>
                            <![CDATA[ Updated Nvidia driver opens up the possibility of the worst CPU bottleneck in computing history. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">UruetnPswcVyidUMj7r6CB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/M7GjigjZBV5QdNRUyiNce5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 13 May 2025 14:33:49 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:51:17 +0000</updated>
                                                                                                                                            <category><![CDATA[GPU Drivers]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                    <category><![CDATA[GPUs]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers was dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/M7GjigjZBV5QdNRUyiNce5-1280-80.jpg">
                                                            <media:credit><![CDATA[Nvidia]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[GeForce RTX 5090 Founders Edition]]></media:description>                                                            <media:text><![CDATA[GeForce RTX 5090 Founders Edition]]></media:text>
                                <media:title type="plain"><![CDATA[GeForce RTX 5090 Founders Edition]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/M7GjigjZBV5QdNRUyiNce5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Nvidia's newest drivers no longer require the system CPU to support the POPCNT instruction. We don't know why this change has been made; however, there are some fascinating implications regarding what you might call mismatched hardware. For example, tech enthusiast Bob Pony observed that due to this driver change, "you could possibly pair an [Nvidia GeForce] <a href="https://www.tomshardware.com/pc-components/gpus/nvidia-rtx-5090-can-crack-an-8-digit-passcode-in-just-3-hours">RTX 5090</a> with [an Intel] Core 2 Duo." We'd like to see it, and surely we will see this exact scenario tested by a TechTuber shortly.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">UPDATE: Recent NVIDIA drivers no longer require the POPCNT CPU instruction, this means old CPUs such as the Intel Core 2 Duo will be able to install the latest NVIDIA drivers without any issues. And yes, that also means you could possibly pair an RTX 5090 with Core 2 Duo now. 😏 https://t.co/6GwpG9RrMP pic.twitter.com/v8h4eduVH5<a href="https://twitter.com/cantworkitout/status/1922045020577677764">May 12, 2025</a></p></blockquote><div class="see-more__filter"></div></div><p>In Pony's screenshot (unfurl the post embedded above) you can see what appears to be an <a href="https://www.tomshardware.com/reviews/core-memory-scaling,2342-2.html">Intel Core 2 Quad Q9650</a> processor-powered system running a version of Windows 11 Pro. That alone might need some system hacking shenanigans. 
However, Pony asserts that the latest Nvidia driver, version 576.40, which was released just yesterday, now plays nicely with systems packing old <a href="https://www.tomshardware.com/reviews/core2-duo-knocks-athlon-64,1282.html">Core 2 Duo</a> CPUs (introduced in 2006), which lack POPCNT support.</p><p>The tech enthusiast included a post later in the thread to show that Nvidia didn't support system CPUs lacking the POPCNT instruction when he checked last August. In fact, unfortunate users trying such an installation might face a 'soft brick' and have to wait through a number of boot loops before being able to recover Windows startup.</p><h2 id="so-what-is-popcnt">So, what is POPCNT?</h2><p>POPCNT is a CPU instruction and a short form derived from Population Count. Processors use it to determine how many bits are actively set in a given binary number. Notably, it is part of the SSE4.2 instruction set. Given that you have to go back more than a decade and a half to find processors without native POPCNT support, it doesn't really concern anyone who wants a practical, workmanlike PC for typical 2025 workloads. </p><h2 id="windows-11-24h2-s-popcnt-requirement">Windows 11 24H2's POPCNT requirement</h2>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AMD says AM5 platforms can support CUDIMMs, but won't commit to a release date ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/amd-says-am5-platforms-can-support-cudimms-but-wont-commit-to-a-release-date</link>
                                                                            <description>
                            <![CDATA[ While AMD's AM5 platform is technically ready for advanced DDR5 features like CUDIMM, only future Ryzen processors may fully support them. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vDWGUZGj2bh3Fao5XhyRSV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Xhq5oYwkQfjYUMCGZArNce-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 13 May 2025 11:11:21 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:51:54 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ ashilov@gmail.com (Anton Shilov) ]]></author>                    <dc:creator><![CDATA[ Anton Shilov ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/uMZ5kNphxA2Ut6whdLaSQV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Anton Shilov has been in the PC industry since the 1990s, playing games, building PCs, and writing stories about pretty much everything that relates to PCs, Macs, smartphones, tablets, and even fab equipment. Over his career, he has worked at a variety of high-ranking websites, including AnandTech, EE Times, TechRadar, X-bit labs, and now Tom&#039;s Hardware. When Anton is not reading or writing about something high-tech, he is probably watching a good movie, playing a video game, or spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Xhq5oYwkQfjYUMCGZArNce-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Generic AMD AM5 CPU and motherboard]]></media:description>                                                            <media:text><![CDATA[Generic AMD AM5 CPU and motherboard]]></media:text>
                                <media:title type="plain"><![CDATA[Generic AMD AM5 CPU and motherboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Xhq5oYwkQfjYUMCGZArNce-1280-80.jpg" />
                                                                                                                                    </item>
                                <item>
                                                            <title><![CDATA[ AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K Faceoff ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k-faceoff</link>
                                                                            <description>
                            <![CDATA[ The Ryzen 9 9950X3D faces off against the Core Ultra 9 285K to determine which chip reigns supreme in the consumer desktop processor market. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">QLKaZ9fnNtwiTHqFUFDAu5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YWSzcvoVcBtdopYqdHcSJe-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 07 May 2025 12:34:55 +0000</pubDate>                                                                                                                                <updated>Tue, 07 Apr 2026 15:44:58 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zhiye Liu ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/HhmwL5w9ggUtLCPfqGjTi4.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Zhiye’s love for PC hardware began when he accidentally set his Pentium P54CS PC on fire, short-circuiting his entire home. From that day on, he has constantly pursued greater hardware knowledge, which ultimately led him from being a power user to a writer at Tom’s Hardware. When Zhiye’s not covering the latest news on CPUs or GPUs, you can find him overclocking RAM to the latest trance hits.&lt;/p&gt; ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ Paul Alcorn ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/YWSzcvoVcBtdopYqdHcSJe-1280-80.png">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K Faceoff]]></media:description>                                                            <media:text><![CDATA[AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K Faceoff]]></media:text>
                                <media:title type="plain"><![CDATA[AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K Faceoff]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YWSzcvoVcBtdopYqdHcSJe-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Today, we'll put the AMD Ryzen 9 9950X3D vs the Intel Core Ultra 9 285K in a heated contest to see which chip comes out on top. The best processor is not necessarily the one with the most number of cores or the highest clock speeds; rather, it is the one that fulfills your specific requirements and fits within your budget. Gamers do not necessarily require the highest-end chip to enjoy the latest AAA games, although having one wouldn't hurt. However, numerous compelling reasons exist for a consumer to seek to acquire a flagship processor.</p><p>You may be part of a small, elite crowd of enthusiastic gamers with the financial capacity to acquire the latest and greatest mainstream processor. Alternatively, you could be among the type of users who use their systems for more than just casual gaming, thereby warranting a more substantial investment in a processor that provides considerable processing power alongside exceptional gaming performance. The million-dollar question remains whether to choose between Intel or AMD, as both chipmakers have released highly compelling flagship processors in the current market.</p><p>AMD currently has two coexisting mainstream processor lineups in the retail market. The vanilla <a href="https://www.tomshardware.com/pc-components/cpus/amd-announces-zen-5-ryzen-9000-processors-launches-in-july-four-new-ryzen-9-7-and-5-processors-with-a-16-ipc-improvement">Ryzen 9000</a> (codename Granite Ridge) series was the inaugural launch, later followed by the <a href="https://www.tomshardware.com/pc-components/cpus/amd-ryzen-9-9950x3d-review">Ryzen 9000X3D</a> series, which incorporates AMD's <a href="https://www.tomshardware.com/news/amd-shares-new-second-gen-3d-v-cache-chiplet-details-up-to-25-tbs">3D V-Cache</a> technology, significantly enhancing gaming performance. 
Consequently, AMD has two flagship products: the <a href="https://www.tomshardware.com/pc-components/cpus/amd-ryzen-9-9950x3d-review">Ryzen 9 9950X3D</a> from the <a href="https://www.amd.com/en/products/processors/technologies/3d-v-cache.html">3D V-Cache</a> branch and the <a href="https://www.tomshardware.com/pc-components/cpus/amd-ryzen-9-9950x-cpu-review">Ryzen 9 9950X</a> from the main family. In contrast, Intel only has the <a href="https://www.tomshardware.com/pc-components/cpus/intel-launches-arrow-lake-core-ultra-200s-big-gains-in-productivity-and-power-efficiency-but-not-in-gaming">Core Ultra 200S</a> (codenamed Arrow Lake) series to compete against AMD, with the Core Ultra 9 285K as the singular leader of Intel's army.</p><h3 class="article-body__section" id="section-features-and-specifications-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Features and Specifications: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><p>The Ryzen 9 9950X3D features Zen 5 execution cores and adheres to a conventional <a href="https://www.amd.com/en/products/processors/desktops/ryzen/9000-series/amd-ryzen-9-9950x3d.html">16-core, 32-thread configuration</a>. In contrast, the Core Ultra 9 285K employs a hybrid design, <a href="https://www.intel.com/content/www/us/en/products/sku/241060/intel-core-ultra-9-processor-285k-36m-cache-up-to-5-70-ghz/specifications.html">integrating P-cores (Lion Cove) and E-cores (Skymont)</a>. Consequently, the Core Ultra 9 285K showcases a 24-core, 24-thread design. With Arrow Lake, Intel went with an approach without Hyper-Threading, so the Core Ultra 9 285K has fewer threads than the Ryzen 9 9950X3D.</p><p>Concerning clock speeds, the Ryzen 9 9950X3D exhibits a 16% greater base clock speed than the Core Ultra 9 285K. However, both processors possess identical boost clocks. For cache capacity, the Ryzen 9 9950X3D is equipped with AMD's 3D V-Cache, providing a total cache of 144MB (16MB L2 + 128MB L3). 
On the other hand, the Core Ultra 9 285K is accompanied by a cache capacity of 76MB (36MB L2 + 40MB L3). Consequently, the Ryzen 9 9950X3D has 3.2X more L3 cache, which is advantageous for gaming and specific workloads.</p><div ><table><thead><tr><th class="firstcol " ><p>Processor</p></th><th  ><p>AMD Ryzen 9 9950X3D</p></th><th  ><p>Intel Core Ultra 9 285K</p></th></tr></thead><tbody><tr><td class="firstcol " ><p><strong>MSRP</strong></p></td><td  ><p>$699</p></td><td  ><p>$599</p></td></tr><tr><td class="firstcol " ><p><strong>Microarchitecture</strong></p></td><td  ><p>Zen 5 X3D</p></td><td  ><p>Lion Cove / Skymont</p></td></tr><tr><td class="firstcol " ><p><strong>Cores / Threads (P+E)</strong></p></td><td  ><p>16 / 32</p></td><td  ><p>24 / 24 (8+16)</p></td></tr><tr><td class="firstcol " ><p><strong>P-Core Base / Boost Clock (GHz)</strong></p></td><td  ><p>4.3 / 5.7</p></td><td  ><p>3.7 / 5.7</p></td></tr><tr><td class="firstcol " ><p><strong>E-Core Base / Boost Clock (GHz)</strong></p></td><td  ><p>N/A</p></td><td  ><p>3.2 / 4.6</p></td></tr><tr><td class="firstcol " ><p><strong>Cache (L2/L3)</strong></p></td><td  ><p>144MB (16+128)</p></td><td  ><p>76MB (36+40)</p></td></tr><tr><td class="firstcol " ><p><strong>TDP / PBP or MTP</strong></p></td><td  ><p>170W / 230W</p></td><td  ><p>125W / 250W</p></td></tr><tr><td class="firstcol " ><p><strong>Memory</strong></p></td><td  ><p>DDR5-5600</p></td><td  ><p>CUDIMM DDR5-6400 / DDR5-5600</p></td></tr></tbody></table></div><p>The Ryzen 9 9950X3D has a 36% greater TDP (Thermal Design Power) or, in Intel's case, PBP (Processor Base Power), than the Core Ultra 9 285K. Nevertheless, the latter features a 9% higher MTP (Maximum Turbo Power). Therefore, the Ryzen 9 9950X3D has superior power efficiency to the Core Ultra 9 285K.</p><p>The Ryzen 9 9950X3D and Core Ultra 9 285K support PCIe 5.0 connectivity and DDR5 memory. Both provide 24 high-speed PCIe 5.0 lanes to support the latest graphics cards and PCIe 5.0 SSDs. 
Regarding memory support, only the Core Ultra 9 285K has embraced CUDIMMs (Clocked Unbuffered Dual In-line Memory Modules), bumping the native supported frequency up to DDR5-6400. As far as conventional DIMMs are concerned, both support DDR5-5600.</p><p>Platform longevity favors the Ryzen 9 9950X3D, as the chip resides on the AM5 platform, which was launched in 2022 with AMD's commitment to providing support until 2027. On the other hand, the Core Ultra 9 285K uses the LGA1851 platform, which was released in 2024, but its life span is likely to be limited. There are indications that Intel may refresh Arrow Lake for LGA1851 before transitioning to the LGA1954 platform for forthcoming processors.</p><p><strong>⭐ </strong><em><strong>Winner: Tie</strong></em></p><p>Specification-wise, the Ryzen 9 9950X3D has a big L3 cache thanks to AMD's 3D V-Cache technology and lower power consumption overall than the Core Ultra 9 285K. Another of AMD's strengths is the life expectancy of the AM5 platform, which is substantially higher than LGA1851. Investing in the platform now offers a ticket for future processor upgrades.</p><p>The LGA1851, in contrast, represents a fading platform. Arrow Lake may be the sole chip to utilize the LGA1851 platform, or possibly Arrow Lake Refresh, assuming the latest rumors are true. This is not particularly surprising, as the typical cadence for Intel sockets has consistently been two or three generations of chips, unlike AMD.</p><p>In LGA1851's defense, it is presently the sole platform that completely supports CUDIMMs. One advantage the Core Ultra 9 285K holds over the Ryzen 9 9950X3D is the possibility of leveraging CUDIMMs, such as high-speed memory DDR5-9200 and beyond. 
Nevertheless, considering the long life span of AM5, it is likely that full CUDIMM support will be introduced for AMD's platform in due course.</p><h3 class="article-body__section" id="section-gaming-benchmarks-and-performance-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Gaming Benchmarks and Performance: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><p>This article provides an overview of the Ryzen 9 9950X3D and Core Ultra 9 285K's performance metrics. We have also published in-depth individual reviews of these two CPUs, which you can refer to for more details. These graphs show the geometric mean of our gaming test results with these two CPUs at 1080p (1920x1080) resolution.</p><p>We paired both CPUs with the Nvidia <a href="https://www.tomshardware.com/pc-components/gpus/nvidia-geforce-rtx-5090-review">GeForce RTX 5090</a> graphics card to minimize potential bottlenecks. Testing at 1080p might seem irrelevant for such a powerful setup, but this resolution allows us to see the full potential of our CPUs in gaming.</p><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/e44Z4iVvgxYfKsfjyR5FaR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/S33jzhUME5FRhra55vEPbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/L27jX235gp69yMkTSFCFaR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/4ooCiygPfYtroyY5KLTxcR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img 
src="https://cdn.mos.cms.futurecdn.net/32EMXJXj5jysVVpcbAepcR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/XBCmuaHf3JqtKz7jxfhVbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/nwKPYNFHR2mLWxAxFoDPbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/niWJovncQrnBkZDfVAdVbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/j6Fm3VrcoWdpknRNPwjTbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/qv49mHrthTiNHeCp9RwTbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/Cg8huf5r4rkSzUSeD6TVbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/z4gxGMpxSDbde7RdUrXRbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/gAKhyLisumrMuRieH9RSbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/pcrmoQbXabXFLjBAVsEQbR.png" alt="AMD Ryzen 9 9950X3D 
vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/Wh47f6YoA4iruNZest2AbR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/rCtQZvPjkh3CMT4eySM9bR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/EoKcFMBvftf49Mwkru99bR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/fyTs6EnseuDHwWg8hJN4bR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure></figure><p>The Ryzen 9 9950X3D outperformed the Core Ultra 9 285K in gaming performance. This outcome was anticipated, as gaming performance is the former's most notable strength, attributable to the substantial L3 cache enabled by AMD's 3D V-Cache technology.</p><p>Cumulatively, the Ryzen 9 9950X3D yielded average frame rates that were 34% higher than those of the Core Ultra 9 285K throughout our testing suite of 16 games, utilizing a combination of High and Ultra graphical settings at 1080p. Furthermore, the AMD flagship demonstrated a 27% higher result in 1% Lows.</p><p>The Ryzen 9 9950X3D and Core Ultra 9 285K hit the market at $699 and $620, respectively. The former presents 0.28 FPS per dollar, while the latter offers 0.23. Despite costing 13% more, the Ryzen 9 9950X3D has more gaming value for your money. 
While the Ryzen 9 9950X3D has maintained its pricing, the Core Ultra 9 285K has dropped to $589, reaching 0.25.</p><p><strong>⭐ </strong><em><strong>Winner: AMD</strong></em></p><p>The Ryzen 9 9950X3D is undoubtedly the better choice for gaming enthusiasts. While the Core Ultra 9 285K is a capable gaming processor, it falls short compared to the Ryzen 9 9950X3D, which is almost 35% faster in average frame rates and close to 30% faster in 1% Lows.</p><p>The Ryzen 9 9950X3D has consistently maintained a higher price point than the Core Ultra 9 285K. Notwithstanding the recent price reductions of the Core Ultra 9 285K, the Ryzen 9 9950X3D continues to provide better value in gaming.</p><h3 class="article-body__section" id="section-productivity-performance-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Productivity Performance: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/dnUAHHbCVS8RhHj32APuPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/vNwUTgXXFbDcbahrksdcPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/hBZAWxAdkseCL5SNpKjnPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/vpAFPHHsW8keyGrDcDEWPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/7iA9tjSPbrwz4dDgpopkPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img 
src="https://cdn.mos.cms.futurecdn.net/tYMgoQtTuaHKeTR8GyFTPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/5svWCZrxNGuv2XrunGFkPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/tyskY9qSWPcDwXuZSU6TPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/kSzfbnPNQ3Kym7UfubafPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/oxeX5u7kdELiJFjV9wLUPg.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure></figure><p>The Ryzen 9 9950X3D flaunts superior multi-threaded performance, but the contest is heated. The Zen 5 processor delivers a mere 3% higher multi-threaded performance than the Core Ultra 9 285K.</p><p>Looking at benchmarks individually, there are times when the Core Ultra 9 285K is substantially faster. For example, the Intel chip boasted 18% higher results in POV-Ray or 11% higher in HandBrake x265. 
The Ryzen 9 9950X3D also has its moments, such as in V-Ray 6, where it outperformed the Core Ultra 9 285K by 17%.</p><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/ecudDnGhEe4eeqtDgj7tTB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/gF3HwZTCiMscMPZXpDnmTB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/evzQwy8jYHnnAJhJ4KVzTB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/Tn3wTVeomf82Jir9PtD4UB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/QPDsV6RGnZyuHx4TtQHvTB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/USaRrkuNkax2Qc78RtWqTB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/s7HPJnWkGRcnunQJZrBnTB.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure></figure><p>Intel continues to be the leader in single-threaded performance; however, the disparity has been narrowing, as evidenced by the current generation. 
The Core Ultra 9 285K achieved a 9% better single-threaded overall than the Ryzen 9 9950X3D.</p><p>The POV-Ray benchmark clearly favors the Core Ultra 9 285K, which significantly surpassed the Ryzen 9 9950X3D by an impressive 31%. Conversely, the performance delta between the two processors wasn't as big in other workloads.</p><p><strong>⭐ </strong><em><strong>Winner: Tie</strong></em></p><p>There is no definitive victor in this comparison. The Ryzen 9 9950X3D has higher multi-threaded performance relative to the Core Ultra 9 285K. Nevertheless, the disparity stands at merely 3%, a difference that may not be noteworthy across all workloads.</p><p>Meanwhile, the Core Ultra 9 285K is better at single-thread performance than the Ryzen 9 9950X3D, where the former exhibits a speed increase of 9% over the latter. It can be argued that a loss of 3% is more tolerable than a loss of 9%; this perspective holds validity when one prioritizes a chip for productivity purposes while overlooking gaming considerations.</p><h3 class="article-body__section" id="section-overclocking-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Overclocking: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><p>The Ryzen 9 9950X3D and Intel Core Ultra 9 285K have unlocked multipliers and are ready for your manual overclocking endeavors. The quality of overclocking can vary significantly between processors, and currently, we do not possess a substantial number of samples from which to derive definitive conclusions. Our results are primarily based on our overclocking experiences with the single sample available in our lab. </p><p>In the context of the Ryzen 9 9950X3D, we activated AMD's Precision Boost Overdrive (PBO) functionality. For the PBO configuration, we utilized the 'advanced' and 'motherboard' power settings, accompanied by a 10X scalar adjustment and an increase of 200 MHz in the clock speed. 
Furthermore, we implemented a -15 all-core Curve Optimizer offset.</p><p>We've also experimented with Intel's latest '<a href="https://www.tomshardware.com/pc-components/cpus/we-tested-intels-unreleased-200s-boost-feature-7-percent-higher-gaming-performance-thanks-to-memory-overclocking-now-covered-by-the-warranty">200S Boost</a>' feature combined with some manual overclocking. But the long story short is that there isn't much practical headroom for performance gains with fabric overclocking. Intel also offers manual tuning for the P-cores and E-cores, though the actual performance gains are heavily weighted towards the latter.</p><p><strong>⭐ </strong><em><strong>Winner: Tie</strong></em></p><p>Unlike the old Pentium, modern processors arrive with little headroom for serious overclocking with conventional cooling. It's a two-way street. On a positive note, you can rest easy at night knowing their chips are at or near their potential. However, on the downside, the art of extracting additional performance at no cost is slowly fading away.</p><h3 class="article-body__section" id="section-power-consumption-efficiency-and-cooling-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Power Consumption, Efficiency, and Cooling: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/TVqKkPxfvurrvmRWVAaheR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/ztyHCmsFaP24Sso4RogneR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/nfgUoGEJ6E74NRXQmq6jeR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img 
src="https://cdn.mos.cms.futurecdn.net/7N6hRvhFTgvvFLoU4cvoeR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/qmppoCrvBQ4d2iwfrxTheR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/aXYKa55gkCU6fvQwmCjgeR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/YzXd267JycrNB7mVsjwkeR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/myabGwq86gTVysdcZhr9fR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/C7qSsHZGZcorNaqobsqneR.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure></figure><p>On the contrary, the Core Ultra 9 285K reveals a higher power consumption during various workload scenarios. The Intel chip operates within a power range of 219W to 325W, whereas its AMD counterpart operates between 178W and 228W. Notably, the Ryzen 9 9950X3D has a peak power consumption that is 30% lower than that of the Core Ultra 9 285K.</p><p>Most PCs rarely truly idle; users might leave various applications open on the desktop. There's also an 'active idle' use case wherein the user does a low-load activity, such as browsing the web or watching a YouTube video. 
To model this behavior, we created an active idle test (second slide) with two browser windows open (one with two tabs idling on a website and another window with a 4K YouTube video stream playing). We measure this level of activity across a 15-minute timespan.</p><p>The Core Ultra 9 285K has 30% lower idle power consumption than the Ryzen 9 9950X3D. Furthermore, the Core Ultra 9 285K's active idle power consumption during YouTube playback is particularly notable, as it consumes 39% less power.</p><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/LjueZJa5aa2qdiBXeBHhL8.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/dVhg9G5Cgxd5aCcjs7xZL8.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/FnPFoKafYVLfgAwMacqVL8.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/nw7EYBjvZCAksmC7VcpVL8.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/HpnENB4XDh6rxac8DbZYL8.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/ano9pTZLUjJuWDfGfTtZL8.png" alt="AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K" /><figcaption><small role="credit">Tom's Hardware</small></figcaption></figure></figure><p>The Core Ultra 9 285K was more power efficient in the Linpack workload, displaying a 5% lower watt-hour. 
The Ryzen 9 9950X3D excelled in the Cinebench 2024 workload, landing a 10% higher watts per point and a 13% lower watts per FPS in the HandBrake x265 test.</p><p>The ideal balance is performance at a reduced power consumption. To elaborate, the processor at the bottom right corner of the power efficiency charts represents the best chip in terms of efficiency. The Ryzen 9 9950X3D outperforms the Core Ultra 9 285K in multiple benchmarks.</p><p><strong>⭐ </strong><em><strong>Winner: AMD</strong></em></p><p>The Core Ultra 9 285K wins at idle power consumption, but the Ryzen 9 9950X3D consumes less power under load. While both idle and average power consumption should be considered, the latter is ultimately more important since we typically use our systems under heavier use or in 'active idle' conditions rather than letting them truly idle for prolonged periods.</p><p>Furthermore, the Ryzen 9 9950X3D has better power efficiency than the Core Ultra 9 285K. A power-efficient processor helps reduce system costs, including processor cooling and power supply capacity expenses. It also positively contributes to electricity savings.</p><h3 class="article-body__section" id="section-pricing-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Pricing: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><p>The Ryzen 9 9950X3D launched last month at $699. Since this processor recently came out of the oven, it's unrealistic to expect any price adjustments. Meanwhile, the Core Ultra 9 285K debuted at $620 in October 2024. Nowadays, you can find the flagship Arrow Lake chip at U.S. retailers for $589, 5% below the launch price.</p><p>Intel processors usually maintain their value until the next generation arrives. Therefore, it's unlikely that the Core Ultra 9 285K will officially get any cheaper. 
You may still find a retailer deal here or there.</p><p>To put things in perspective, the Ryzen 9 9950X3D's gaming performance is 34% higher than the Core Ultra 9 285K while being 19% more expensive. The Zen 5 part has a 3% multi-threaded advantage over the Core Ultra 9 285K, but the Intel chip does have up to 9% higher single-threaded performance.</p><p><strong>⭐ </strong><em><strong>Winner: AMD</strong></em></p><p>At $699, the Ryzen 9 9950X3D may look like a scary investment. However, our results show that even with that hefty price tag, the 3D V-Cache flagship gives you more value for your money in gaming. The multi-threaded performance isn't shabby, but it does lose out to the Core Ultra 9 285K in single-threaded performance.</p><p>The Ryzen 9 9950X3D already looks good. However, its appeal will grow further when the pricing starts to decline, whether through official price reductions or retailer promotions during special events such as Black Friday.</p><h3 class="article-body__section" id="section-bottom-line-amd-ryzen-9-9950x3d-vs-intel-core-ultra-9-285k"><span>Bottom Line: AMD Ryzen 9 9950X3D vs Intel Core Ultra 9 285K</span></h3><div ><table><thead><tr><th class="firstcol empty" ></th><th  ><p>AMD Ryzen 9 9950X3D</p></th><th  ><p>Intel Core Ultra 9 285K</p></th></tr></thead><tbody><tr><td class="firstcol " ><p>Features and Specifications</p></td><td  ><p>❌</p></td><td  ><p>❌</p></td></tr><tr><td class="firstcol " ><p>Gaming</p></td><td  ><p>❌</p></td><td  ></td></tr><tr><td class="firstcol " ><p>Productivity Applications</p></td><td  ><p>❌</p></td><td  ><p>❌</p></td></tr><tr><td class="firstcol " ><p>Overclocking</p></td><td  ><p>❌</p></td><td  ><p>❌</p></td></tr><tr><td class="firstcol " ><p>Power Consumption, Efficiency, and Cooling</p></td><td  ><p>❌</p></td><td  ></td></tr><tr><td class="firstcol " ><p>Pricing</p></td><td  ><p>❌</p></td><td  ></td></tr><tr><td class="firstcol " ><p><strong>Total</strong></p></td><td  
><p><strong>6</strong></p></td><td  ><p><strong>3</strong></p></td></tr></tbody></table></div><p>The gaming performance of the Ryzen 9 9950X3D was never in doubt, particularly given that lower-tier Zen 5 components equipped with 3D V-Cache have already surpassed the Core Ultra 9 285K by massive margins. However, the more important question is whether the Ryzen 9 9950X3D possesses any appeal outside the gaming realm. The answer to this inquiry is yes.</p><p>In addition to being a great gaming processor, the Ryzen 9 9950X3D can double as a productivity monster, similar to the vanilla Ryzen 9 9950X. Thanks to the Zen 5 architecture and the 16-core, 32-thread configuration, the Ryzen 9 9950X3D has no issues tackling demanding workloads, as long as they benefit from multi-threading. Unfortunately, the Ryzen 9 9950X3D's single-threaded performance lags behind the Core Ultra 9 285K.</p><p>However, if you can overlook the Ryzen 9 9950X3D's single-threaded weakness, the Zen 5 chip is a fantastic all-around performer that's power efficient and offers support for the latest technology. And unlike the Core Ultra 9 285K, the Ryzen 9 9950X3D doesn't leave you feeling like you just bought an obsolete processor—at least for a couple of years.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Intel hedges its bet for High-NA EUV with the 14A process node — an alternate Low-NA technique has identical yield and design rules ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/intel-hedges-its-bet-for-high-na-euv-with-the-14a-process-node-an-alternate-low-na-technique-has-identical-yield-and-design-rules</link>
                                                                            <description>
                            <![CDATA[ Intel has not yet fully committed to using the new High-NA EUV chipmaking tool in production and has an alternative production flow of its 14A node that uses standard Low-NA EUV as a backup plan. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">a6k8GKETMuTaTeTt7Zye93</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/BdK2BuxVmNQqeKJHjBGWF9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 02 May 2025 13:10:02 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:44:36 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ palcorn@outlook.com (Paul Alcorn) ]]></author>                    <dc:creator><![CDATA[ Paul Alcorn ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/RZRmFeQfPy3etHjBQitbGW.jpeg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;As a teenager, Paul scraped up enough money to buy a 486-powered PC with a turbo button (yes, a turbo button). Back when floppies were still popular he was already chasing after the fastest spinners for his personal computer, which led him down the long and winding storage road, covering enterprise storage. His current focus is on consumer processors, though he still keeps a close eye on the latest storage news. In his spare time, you’ll find Paul hanging out with his kids or indulging his love of the Kansas City Chiefs and Royals.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/BdK2BuxVmNQqeKJHjBGWF9-1280-80.jpg">
                                                            <media:credit><![CDATA[Tom&#039;s Hardware]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[High-NA EUV]]></media:description>                                                            <media:text><![CDATA[High-NA EUV]]></media:text>
                                <media:title type="plain"><![CDATA[High-NA EUV]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/BdK2BuxVmNQqeKJHjBGWF9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Intel explained the rationale behind its High-NA EUV strategy at its <a href="https://www.tomshardware.com/pc-components/cpus/intel-foundry-roadmap-update-new-18a-pt-variant-that-enables-3d-die-stacking-14a-process-node-enablement">Intel Foundry Direct 2025</a> conference this week. Despite persistent questions around cost-effectiveness, Intel has <a href="https://www.tomshardware.com/tech-industry/intel-has-championed-high-na-euv-chipmaking-tools-but-costs-and-other-limitations-could-delay-industry-wide-adoption-report">championed its use of the new High-NA EUV chipmaking tool</a> with its forthcoming 14A process. However, Intel has not yet fully committed to using the new tool in production and has an alternative production flow of its 14A node that uses standard Low-NA EUV as a backup plan.</p><p>Intel has already received a second High-NA EUV tool, installed in its Oregon fab, and the company says the technology is progressing well. However, due to continuing development, the ~$400 million ASML Twinscan NXE:5000 High-NA EUV machines haven’t been used in a production environment yet, so Intel isn’t taking any risks.  
</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:4000px;"><p class="vanilla-image-block" style="padding-top:56.30%;"><img id="BdK2BuxVmNQqeKJHjBGWF9" name="20250429_100150.jpg" alt="High-NA EUV" src="https://cdn.mos.cms.futurecdn.net/BdK2BuxVmNQqeKJHjBGWF9.jpg" mos="" align="middle" fullscreen="" width="4000" height="2252" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Tom's Hardware)</span></figcaption></figure><p>“[..]The first one is, Intel still has the option to have either a Low-NA or a High-NA solution on our 14A technology, and it's design-rule compatible, there will be no impact to the customers, depending on the path that we choose. Second, High-NA EUV is performing to the expectations, and we will introduce it at the right time," said Dr. Naga Chandrasekaran, EVP, CTOO & GM of Intel Foundry Technology and Manufacturing.</p><p>"We already have data on 18A as well as 14A that shows yield parity between our Low-NA-based solution and a High-NA-based solution. So, we are continuing to make progress on the technology front and ensuring that we have the right options available for us to make sure the solution we deliver to our customers has the lowest risk and the best reward in terms of the decisions we make,” Naga explained.</p><p>Intel will only use High-NA EUV on a small number of layers of the 14A node (the exact number isn’t known), while other machines of varying resolutions will be used for the other layers. 
That means the decision between the two machines will only impact a select portion of the manufacturing process, but Intel says using triple-patterning with a Low-NA EUV machine (more below) instead of High-NA produces the same results.</p><p>Because both techniques are design-rule compatible, Intel’s customers won’t have to change their designs regardless of the company’s decision on the final manufacturing flow, either with or without High-NA EUV, which helps defray concerns that customers might have with Intel embracing an as-yet unproven production technology. </p><p>Additionally, Intel’s claim that both production flows offer the same yields signals that there won’t be severe time-to-market repercussions if High-NA EUV development hits a snag, or if Intel chooses not to deploy it due to economics. Employing multipatterning often reduces yields, but Intel's claim of yield parity speaks to the advances of modern multipatterning, particularly in the field of overlay technology.</p><p>Most of the public-facing conversations about High-NA EUV have centered around cost, and there's plenty of <a href="https://www.tomshardware.com/tech-industry/manufacturing/asml-fires-back-at-accusations-that-its-next-gen-high-na-euv-chipmaking-tools-are-too-expensive">industry speculation that High-NA isn't as cost-effective</a> as multi-patterning with Low-NA EUV, but there are still numerous technological hurdles to bringing the machines into production. Most of the challenges center around the universe of complementary technologies required to make High-NA viable, like resists, photomasks, and computational lithography, among others, which have to be optimized for the new machines. 
<br><br>However, Intel adopted ASML's machine first to get a leg up on the competition, and it has already <a href="https://www.tomshardware.com/tech-industry/intel-has-processed-30-000-wafers-with-high-na-euv-chipmaking-tool">produced 30,000 wafers using High-NA lithography</a> during the development phase. As a representative explained later in the event, Intel still sees significant cost savings due to eliminating around 40 process steps. </p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:4000px;"><p class="vanilla-image-block" style="padding-top:56.30%;"><img id="kXFHgQwGZvYsvvqYFvpcW8" name="20250429_134414.jpg" alt="High-NA EUV" src="https://cdn.mos.cms.futurecdn.net/kXFHgQwGZvYsvvqYFvpcW8.jpg" mos="" align="middle" fullscreen="" width="4000" height="2252" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Tom's Hardware)</span></figcaption></figure><p>“Finally, I want to talk about High-NA EUV. Why do we do this? It's very simple; It's lower cost. In the middle picture, you see a pattern that has been generated by a single pass High-NA EUV and a pitch that is comparable to the pitch that we need for 14A. The right-hand side shows a very similar pattern generated with a traditional approach, where we use three EUV exposures [triple patterning], and overall about 40 process steps to generate this pattern."</p><p>"So, overall, we see much shorter, simpler flow, and this is the type of application where we use High-NA in 14A, which reduces the cost compared to the multi-pass 0.33 NA EUV [Low-NA]. Additionally, this provides the option to de-populate the metal layers and get additional performance enhancement.”</p><p>Intel didn't specify whether or not its comparisons are based on a full-reticle-sized print. 
High-NA can only print half of a reticle at a time, requiring two prints to create one reticle-sized processor and relying upon stitching to bring the two prints together into a single cohesive unit. Die that are equal to or smaller than a half-reticle size, however, will only require one print with High-NA EUV. In contrast, Low-NA EUV machines can process a full reticle-sized die in a single print. </p><h2 id="thoughts">Thoughts</h2><p>Intel has plenty of scar tissue from its 10nm node failures that ultimately ended in the company losing its chipmaking lead over TSMC, and it chalks the 10nm issues up to making too many big bets on new manufacturing techniques and technologies at once.</p><p>The decision to develop an alternative Low-NA production flow is designed to prevent repeating those past mistakes, and Intel has also de-risked other types of advances by developing alternative solutions in the past.</p><p>For instance, the company developed its new backside power delivery system with the 18A node, an industry first, while simultaneously developing gate-all-around (GAA) transistors, a first for Intel. To ensure a backup plan, the company employed a more robust de-risking strategy with its 20A process that included <a href="https://newsroom.intel.com/client-computing/powervia-test-shows-industry-leading-performance#:~:text=Intel%20is%20first%20to%20implement,blue%20sky%20creek%20test%20chips.">developing an internal-only trial process node without gate-all-around transistors</a>. 
However, <a href="https://www.anandtech.com/show/17344/intel-opens-d1x-mod3-fab-expansion-moves-up-intel-18a-manufacturing-to-h22024">development went well with both GAA and backside power delivery</a>, so Intel pushed forward with the full version of the node.</p><p><a href="https://www.tomshardware.com/tech-industry/tsmc-unveils-1-4nm-technology-2nd-gen-gaa-transistors-full-node-advantages-coming-in-2028">Intel rival TSMC has confirmed it will not use High-NA with its competing A14 node</a>, and it hasn&apos;t indicated when it will employ the new High-NA EUV tool in volume production. Intel had originally planned to use High-NA with its 18A process, which arrives before the 14A node. Intel later changed those plans, saying that the process node&apos;s unexpectedly fast development meant <a href="https://www.anandtech.com/show/20066/intel-highna-lithography-update-dev-work-on-intel-18a-production-in-future-node">the machines wouldn&apos;t be ready in time</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Software dev fortifies his blog with 'zip bombs' — attacking bots meet their end with explosive data package ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/desktops/servers/software-dev-fortifies-his-blog-with-zip-bombs-attacking-bots-meet-their-end-with-explosive-data-package</link>
                                                                            <description>
                            <![CDATA[ This developer sends zip bombs to pesky web crawlers that attempt to compromise his website. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ANxCUhWSNSxasbRNPCn2iJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iztHhh6i622g6R3Xym8BFo-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 30 Apr 2025 15:57:11 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:45:14 +0000</updated>
                                                                                                                                            <category><![CDATA[Servers]]></category>
                                                    <category><![CDATA[Desktops]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iztHhh6i622g6R3Xym8BFo-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[a B-52 Stratofortress dropping bombs during the Vietnam war]]></media:description>                                                            <media:text><![CDATA[a B-52 Stratofortress dropping bombs during the Vietnam war]]></media:text>
                                <media:title type="plain"><![CDATA[a B-52 Stratofortress dropping bombs during the Vietnam war]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iztHhh6i622g6R3Xym8BFo-1280-80.jpg" />
                                                                                                                                    </item>
                                <item>
                                                            <title><![CDATA[ Chinese project aims to run RISC-V code on AMD Zen processors ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/google-tool-spurs-contest-to-run-risc-v-on-amd-zen-cpus-but-is-it-possible</link>
                                                                            <description>
                            <![CDATA[ A new contest inspired by Google's Zentool challenges developers to modify AMD Zen CPU microcode to run RISC-V programs natively, but experts argue the goal is unfeasible. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nqenmXBmRHJnYVceqGpWKc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/n6m2p6KFQiKqKTDkeg3cBf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 10 Apr 2025 19:43:25 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 10:07:11 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ ashilov@gmail.com (Anton Shilov) ]]></author>                    <dc:creator><![CDATA[ Anton Shilov ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/uMZ5kNphxA2Ut6whdLaSQV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Anton Shilov has been in the PC industry since 1990s playing games, building PCs, and writing stories about pretty much everything that relates to PCs, Macs, smartphones, tablets, and even fab equipment. Over his career, he has worked at a variety of high-ranking websites, including AnandTech, EE Times, TechRadar, X-bit labs, and now Tom&#039;s Hardware. When Anton is not reading or writing about something high-tech, he is probably watching a good movie, playing a video game, or spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/n6m2p6KFQiKqKTDkeg3cBf-1280-80.jpg">
                                                            <media:credit><![CDATA[AMD]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AMD EPYC CPU]]></media:description>                                                            <media:text><![CDATA[AMD EPYC CPU]]></media:text>
                                <media:title type="plain"><![CDATA[AMD EPYC CPU]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/n6m2p6KFQiKqKTDkeg3cBf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Last month, a team of Google security researchers released a tool that can modify microcode of AMD's processors based on the Zen microarchitecture, the <a href="https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking">Zentool</a>. While this is a security vulnerability, for some, this is an opportunity; members of the Chinese <a href="https://github.com/rv2036">Jiachen Project</a> are running a contest with an aim to <a href="https://rvspoc.org/S2502/">develop microcode for AMD's modern Zen-based CPUs to make them execute RISC-V programs natively</a>. The ultimate goal could be building an ultimate RISC-V CPU using already available silicon. </p><p>x86 is a complex instruction set computer (CISC) instruction set architecture (ISA) developed some 48 years ago. However, internally, modern x86 cores rely on proprietary engines running a reduced instruction set computer (RISC) ISA to handle complicated instructions. The internal RISC ISAs are not documented, but they should generally be similar to well-known RISC ISAs, such as Arm or RISC-V. CPU microcode is a low-level layer that translates complex x86 CISC instructions into simple RISC-like internal instructions the CPU hardware executes. CPU microcode is only supposed to be modifiable by the CPU vendor, but sometimes this is not the case, and apparently some parts of AMD's Zen 1/2/3/4 microcode can be changed using the Zentool. </p><p>The Jiachen Project members want to find someone who can modify AMD's Zen CPU microcode on a modern processor — say, an EPYC 9004-series — to execute RISC-V binaries. The patch is expected to either enable direct execution of RISC-V programs or significantly boost their runtime speed compared to emulation using the same hardware. The work must be tested using RISC-V versions of benchmarks like Coremark or Dhrystone. 
A complete submission includes binaries or source code, configuration files, dependencies, and test instructions. If only binaries are submitted before the deadline on June 6, identical source code must be added via pull request later. The winner will get ¥20,000 (approximately $2,735). </p><p>AMD's EPYC 9004-series and similar processors offer performance and core counts not achievable on currently available RISC-V-based processors, so executing proprietary RISC-V programs on EPYCs is a plausible idea. However, microcode is designed to fix internal bugs rather than replace the front-end ISA completely, and it is even unclear whether the microcode can be completely re-written, people over at <a href="https://news.ycombinator.com/item?id=43638441">Ycombinator</a> noted. </p><p>Back in the mid-2010s, AMD planned to offer both x86-64 and Armv8-A Zen CPUs (something <a href="https://www.computerenhance.com/p/an-interview-with-zen-chief-architect">recently recalled</a> by Mike Clark, AMD's chief architect), so it is highly likely that there was a microcode for the Zen 1 microarchitecture that supported an Aarch64 front-end ISA. That said, Zen 1 CPUs could feature multiple microcode layer 'slots,' one supporting x86-64 and another Aarch64. We doubt this is the case, though, as modern CPUs have very thorough hardware performance optimizations that include hardwire optimizations between the microcode and the rest of the core. AMD has hardly ever developed a microcode that supports Aarch64 or RISC-V for Zen 2/3/4 processors, and therefore the microcode layer of these CPUs is strictly x86-64 and there is hardly enough microcode space for re-writing them from scratch. </p><p>"This is not achievable," one commenter named <a href="https://news.ycombinator.com/item?id=43639143">Monocasa wrote</a>. "There is not enough rewritable microcode to do this even as a super slow hack. 
And even if all of the microcode were rewritable, microcode is kind of a fallback pathway on modern x86 cores with the fast path being hardwired decode for x86 instructions. And even if that were not the case the microcode decode and jump is itself hardwired for x86 instruction formats. And even if that were not the case the micro-ops are very non-RISC." </p><p>One commenter criticized the contest format, suggesting it is a way to get complex work done for less than $3,000 pay. </p><p>In general, while the concept of re-writable microcode is an interesting one and stimulates discussion about alternative CPU designs, multi-ISA support, and low-level optimization, it does not look like the contest will achieve the stated goal. Perhaps, re-writing (or rather re-compiling) a RISC-V program or two for x86 CPUs makes more sense?</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Akira ransomware can be cracked with 16 RTX 4090 GPUs in around ten hours — new counterattack breaks encryption ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/akira-ransomware-cracked-with-rtx-4090-new-exploit-to-brute-force-encryption-attack</link>
                                                                            <description>
                            <![CDATA[ Tinyhack publishes a full how-to guide on brute-forcing past the Akira ransomware's encryption attack and freeing captive files. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uk7rhHoMMDopKDDs5aYhVJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YmTPzu25MAgG9VGh3yQG7B-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 16 Mar 2025 12:59:58 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:51:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sunny Grimm ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/TMvJDaYy3nyZ8kYLJ2rggY.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Sunny&#039;s tech journey began in 2017, when he spotted the shiny new GTX 1080 on the shelf of one Jarred Walton, Tom&#039;s Hardware&#039;s resident GPU expert. Babysitting for Jarred, Sunny was paid in a 1050 Ti, which killed his computer the second he tried to install it. One week of headscratching troubleshooting later, Sunny was brought into this new life of tinkering and trying to squeeze every frame of performance out of their hardware. First writing for PC Gamer, Sunny made the trek over to Tom&#039;s Hardware to tackle the morning&#039;s breaking tech news. Perpetually one generation behind the bleeding edge, Sunny is currently studying at a university in Utah. When they&#039;re not writing about the US-China trade war, Sunny is either writing new music, getting in rounds of &lt;em&gt;Magic: the Gathering&lt;/em&gt;, or advocating for minority rights.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YmTPzu25MAgG9VGh3yQG7B-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[GeForce RTX 3090]]></media:description>                                                            <media:text><![CDATA[GeForce RTX 3090]]></media:text>
                                <media:title type="plain"><![CDATA[GeForce RTX 3090]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YmTPzu25MAgG9VGh3yQG7B-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Another hole has been blown through the hull of the dreaded Akira ransomware attack: blogger <a href="https://tinyhack.com/2025/03/13/decrypting-encrypted-files-from-akira-ransomware-linux-esxi-variant-2024-using-a-bunch-of-gpus/">Tinyhack</a> has discovered a new exploit to brute-force the virus's encryption — and has reportedly already used it to restore the data of an attacked company.</p><p>Akira is a well-known ransomware cyberattack, used by hackers in November to demand <a href="https://www.tomshardware.com/tech-industry/cyber-security/hackers-demand-frances-schneider-electric-pay-a-usd125k-ransom-in-baguettes">a $125k ransom in baguettes</a> from a French company. It may now be escapable by affected companies thanks to a GPU-based brute-force counterattack. With an RTX 4090, Tinyhack found they could crack the encrypted ransomware files in seven days, and with 16 GPUs, the process would take just over ten hours. </p><p>Akira ransomware attacks are aimed at high-profile targets; the ransomware was first discovered in 2023 and is known for ludicrously high ransom requests (sometimes reaching tens of millions of dollars). In 2023, Avast's Threat Research Team found the method Akira used to encrypt victim files, and published a <a href="https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/">free encryption breaker tool</a> to free computers from the dreaded attack. Akira then patched this high-profile crack, adding some bespoke details to its originally publicly available encryption methods.</p><p>At least one Akira variant uses an encryption method that can be decrypted via the new GPU-based brute-force method over a period of days or weeks. The Akira attack uses the ChaCha8 and KCipher-2 encryption methods to generate per-file encryption keys, using four distinct timestamps, in nanoseconds, as seeds. 
</p><p>These timestamps can be narrowed to a tight range of on average 5 million nanoseconds (0.005 seconds), and then precisely found with brute-force, a process requiring top-end GPUs such as Nvidia's RTX 3090 or 4090. </p><p>Several things must go right for those hoping to execute the decryption method. For example, encrypted files must remain untouched after encryption so that the timestamp at which each file was last accessed can be found and used for the brute-force. </p><p>Using an NFS (as opposed to files just living on the network's local disks) can also complicate decryption, as server lag will make it more difficult to determine the true timestamps used by the encryption.</p><p>Using an RTX 4090, decrypting a single file by running through every possible nanosecond in the average range of 4.5 million nanoseconds, finding the correct four timestamps, and generating the appropriate decryption keys takes around 7 days. Affected organizations are advised to rent servers through services like runpod or vast.ai, using multiple GPU servers to bring the time down. </p><p>Tinyhack's client took around 3 weeks to successfully decrypt a full set of VM files.</p><p>Ransomware attacks are most often impossible to decrypt without paying ransom, so finding a method to circumvent the attack is a big win for cybersecurity research. While those behind Akira will likely quickly patch this method for future attacks as they did after the Avast decryption release, those already hit by Akira may be able to free infected systems with this method. </p><p>Tinyhack's <a href="https://tinyhack.com/2025/03/13/decrypting-encrypted-files-from-akira-ransomware-linux-esxi-variant-2024-using-a-bunch-of-gpus/">blog post</a> runs through the entire process of discovering the vulnerability and full instructions to decrypt with it, so please head there to get an exhaustive look at brute-forcing a way into Akira. 
Ransomware has come a long way since its beginnings on a <a href="https://www.tomshardware.com/tech-industry/cyber-security/the-first-ever-ransomware-dropped-35-years-ago-disguised-as-a-floppy-sharing-aids-information">floppy disk sent by mail</a>, and today marks another victory against it.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Firm says AI-assisted security analyzer found 16 bugs in OpenRISC CPU core in under 60 seconds ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/firm-says-ai-assisted-security-analyzer-found-16-bugs-in-openrisc-cpu-core-in-under-60-seconds</link>
                                                                            <description>
                            <![CDATA[ Caspia Technologies has shared performance details of its CODAx AI-assisted security linter, designed to smartly check processor designs for security violations. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nHmSZP4gbzPdUdL88zQ7BJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Qj6bRZwKeWSERQKC6BfMLi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 05 Mar 2025 15:54:08 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 10:06:44 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Qj6bRZwKeWSERQKC6BfMLi-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Generic circuit diagram rendering]]></media:description>                                                            <media:text><![CDATA[Generic circuit diagram rendering]]></media:text>
                                <media:title type="plain"><![CDATA[Generic circuit diagram rendering]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Qj6bRZwKeWSERQKC6BfMLi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Caspia Technologies has shared performance details of its <a href="https://caspiatechnologies.com/codax/">CODAx</a> AI-assisted security linter, designed to check processor designs for security violations. In an email to <em>Tom's Hardware</em>, its claimed headlining achievement is that the new tool found 16 security bugs in the popular OpenRISC CPU core. Moreover, the AI checkup stormed through the approximately 32,000 lines of code in the OpenRISC CPU core in under 60 seconds.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1600px;"><p class="vanilla-image-block" style="padding-top:48.38%;"><img id="Z6psjZL4jAinKqnZzXRZmN" name="codax-diagram" alt="CODAx" src="https://cdn.mos.cms.futurecdn.net/Z6psjZL4jAinKqnZzXRZmN.jpg" mos="" align="middle" fullscreen="" width="1600" height="774" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Caspia Technologies)</span></figcaption></figure><p>The OpenRISC project was introduced to the public 25 years ago and has been adopted in a number of applications, including automotive, media, home entertainment, and telecom devices. </p><p>Caspia says it ran the OpenRISC CPU code through a ‘golden reference’ linter, which is widely used across the semiconductor design industry today, yet only uncovered two of the 16 security violations flagged by CODAx. 
</p><p>These security violations in the CPU code can lead to vulnerabilities, which, in this case, Caspia says, can make devices “susceptible to fault injection attacks and improper leakage of sensitive information.” Another example of a vulnerability CODAx found in the OpenRISC core could be exploited when the CPU came out of a reset state.</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="high" data-lazy-src="https://www.youtube-nocookie.com/embed/nfCIj-gPMxM" allowfullscreen></iframe></div></div><p>Florida-based Caspia Technologies explained that CODAx applies over 150 security rules for its processor design checking. Importantly, these rules benefit from “security LLMs trained with the latest vulnerabilities, threat models, and security AI agents,” said the firm.</p><p>Today’s PR from Caspia indicates that it is working closely with seven leading technology partners across the industries mentioned above, and more. Moreover, if you work on open-source designs, you can now test CODAx free-of-charge by heading to <a href="https://apps.caspia.ai/" target="_blank">https://apps.caspia.ai/</a> in your web browser.</p><p>We have previously reported on the use of AI tools for chip design by the likes of Intel. The iconic PC processor firm says it slashed some of its <a href="https://www.tomshardware.com/pc-components/cpus/intels-ai-chip-tools-cut-some-aspects-of-the-meteor-lake-design-from-weeks-to-minutes-plans-for-wider-use-of-ai-in-future-architectures">Meteor Lake optimization</a> processes to just minutes using AI tools. Also, both Synopsys and <a href="https://www.tomshardware.com/tech-industry/cadence-says-its-ai-driven-chip-design-tools-provide-a-process-nodes-worth-of-performance-gain-but-without-moving-forward-to-a-new-node?utm_source=facebook.com&utm_medium=social&utm_content=tomsguide&utm_campaign=">Cadence</a> have been dealing in AI-optimized chip design tools for a number of years now. 
</p><p>Caspia’s tool differs in its focus on design security and product assurance, its touted ease of use, and its appealing, unique access model for open-source designs. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ FBI identifies North Korea as source of $1.5 billion ByBit hack ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/fbi-identifies-north-korea-as-source-of-usd1-5-billion-bybit-hack</link>
                                                                            <description>
                            <![CDATA[ The FBI has traced the ByBit crypto exchange hack to a group of North Korean hackers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">spJA3kXm3WKR33qYhDc2mi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/gNYoHeSzjeAtyMtP9zbet9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 27 Feb 2025 14:10:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:43:31 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/gNYoHeSzjeAtyMtP9zbet9-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Crypto Hacker]]></media:description>                                                            <media:text><![CDATA[Crypto Hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Crypto Hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/gNYoHeSzjeAtyMtP9zbet9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Bybit cryptocurrency exchange had one of its ether wallets compromised on Friday, February 21, which resulted in hackers making off with around $1.5 billion worth of crypto. According to a statement from the <a href="https://www.ic3.gov/PSA/2025/PSA250226">FBI</a> on Wednesday, the Democratic People’s Republic of Korea (DPRK or North Korea) was responsible for the hack. The communist country's hackers used <a href="https://www.ic3.gov/CSA/2022/220418.pdf">TraderTraitor</a> (PDF) applications to gain illicit access to the exchange’s system.</p><p>“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains,” the FBI said in its advisory. “It is expected these assets will be further laundered and eventually converted to fiat currency.”</p><p>The federal agency has listed over 50 Ethereum addresses tied to the hack in its announcement, all of which hold or have held assets related to the theft. It’s encouraging the private sector to block transactions related to these addresses, especially as the North Korean team is laundering the proceeds and trying to convert them into legal tender.</p><p>This isn’t the first massive hack that North Korea has been involved in, with state-sponsored actors <a href="https://www.tomshardware.com/tech-industry/cyber-security/python-developers-targeted-by-north-korean-lazarus-group-with-fake-jobs-and-malware-disguised-as-coding-tests">targeting everything from developers</a> to private corporations and government institutions. This same group is also suspected of a hack in 2023 that saw it steal about $600 million worth of crypto. 
The country first came into prominence in the hacking space when it attacked Sony Pictures in 2014 over “The Interview” comedy film, which starred Seth Rogen and James Franco as journalists tasked by the CIA to assassinate North Korean Supreme Leader Kim Jong Un.</p><p>Despite having no free public internet in the country, DPRK is known for its elite groups of hackers, like the Lazarus Group, which has allegedly stolen hundreds of millions of dollars across many different financial institutions. It was also credited with the <a href="https://www.tomshardware.com/news/wannacry-ransomware-devastating-global-attack,34406.html">WannaCry ransomware attack</a> in 2017, affecting hundreds of thousands of devices across 150 countries. It has been said that the DPRK government has been using these techniques to make money and support its projects.</p><p>This group is often at the forefront of many cryptocurrency attacks, which require both technical and social engineering skills. North Korean hackers are certainly dangerous adversaries when it comes to cybersecurity.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AMD patches a critical microcode vulnerability affecting Zen 1 to Zen 4 EPYC CPUs ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/amd-patches-a-critical-microcode-vulnerability-affecting-zen-1-to-zen-4-epyc-cpus</link>
                                                                            <description>
                            <![CDATA[ A key AMD microcode vulnerability impacting Epyc CPUs has been fixed. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ddx3bpZWL9ZedVhxKa8HTT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/t5hiVhanbrMigHhQ4zY3HK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 04 Feb 2025 18:41:52 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:57:57 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                                    <dc:creator><![CDATA[ Christopher Harper ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/qS2hbWnXwNUSmgyAHBQqKB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote&amp;nbsp;for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the&amp;nbsp;Sonic Adventure 2&amp;nbsp;soundtrack.&lt;br&gt;
&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/t5hiVhanbrMigHhQ4zY3HK-1280-80.jpg">
                                                            <media:credit><![CDATA[AMD]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/t5hiVhanbrMigHhQ4zY3HK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Yesterday, AMD and Google publicly disclosed September findings of a key microcode vulnerability in AMD Zen 1 to Zen 4 CPUs, specifically server/enterprise platform EPYC CPUs. This vulnerability, CVE-2024-56161, is discussed in more detail in the <a href="https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w">GitHub post</a> from the Google Security Research team and, of course, AMD's <a href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html">security bulletin</a> on the vulnerability.</p><p>According to Google's documentation, the original issue was reported on September 25, 2024, and subsequently fixed by AMD about two and a half months later, on December 17, 2024. The public disclosure date was delayed until yesterday, February 3, to give AMD's customers time to apply the fix before the issue became more widespread.</p><p>Per AMD's official wording, "Researchers from Google have provided AMD with information on a potential vulnerability that, if successfully exploited, could lead to the loss of SEV-based protection of a confidential guest."</p><p>SEV refers to Secure Encrypted Virtualization, a feature used by server-grade AMD CPUs to allow virtualization. This usually means remote or on-site "thin clients" whose data is stored and managed in a central server. The devices they use to access it are so secondary that they sometimes have little to no processing power. The specific setup can vary. Still, the purpose of virtualizing several users is typically to save on hardware costs or provide a higher degree of security—sometimes both.</p><p>The loss of SEV-based protection through a microcode exploit means that the otherwise confidential data of virtualized users compromised by this exploit can now be stolen. 
However, malicious microcode loading could allow for more exploits than data theft.</p><p>The specific series of impacted AMD EPYC CPUs includes the following: AMD EPYC 7001 (Naples), AMD EPYC 7002 (Rome), AMD EPYC 7003 (Milan and Milan-X), and AMD EPYC 9004 (Genoa, Genoa-X, and Bergamo/Siena). Microcode updates have fortunately already been released for impacted CPUs, so using the appropriate update utilities (BIOS updates, etc.) should work fine, but as AMD notes, a SEV firmware update may be required for some platforms to properly support the fix via SEV-SNP attestation.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Facebook flags Linux topics as 'cybersecurity threats' — posts and users being blocked ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/software/linux/facebook-flags-linux-topics-as-cybersecurity-threats-posts-and-users-being-blocked</link>
                                                                            <description>
                            <![CDATA[ Facebook is banning posts which mention various Linux related topics, sites, or groups. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qZaCpZ4ddzNQqoFU36icya</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/34foEiE6gRdAtm4BNffNbG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 27 Jan 2025 17:37:22 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 10:12:21 +0000</updated>
                                                                                                                                            <category><![CDATA[Linux]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Operating Systems]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/34foEiE6gRdAtm4BNffNbG-1280-80.jpg">
                                                            <media:credit><![CDATA[Future]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Linux topics being banned by Facebook]]></media:description>                                                            <media:text><![CDATA[Linux topics being banned by Facebook]]></media:text>
                                <media:title type="plain"><![CDATA[Linux topics being banned by Facebook]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/34foEiE6gRdAtm4BNffNbG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Facebook is banning posts that mention various Linux-related topics, sites, or groups. Some users may also see their accounts locked or limited when posting Linux topics. Major open-source operating system news, reviews, and discussion site DistroWatch is at the center of the controversy, as it seems to be the first to have <a href="https://distrowatch.com/weekly.php?issue=20250127#sitenews">noticed</a> that Facebook's Community Standards had blackballed it.</p><p>A post on the site claims, "Facebook's internal policy makers decided that Linux is malware and labeled groups associated with Linux as being 'cybersecurity threats.' We tried to post some blurb about distrowatch.com on Facebook and can confirm that it was barred with a message citing Community Standards."</p><p>DistroWatch says that the Facebook ban took effect on January 19. Readers have reported difficulty posting links to the site on this social media platform. Moreover, some have told DistroWatch that their Facebook accounts have been locked or limited after sharing posts mentioning Linux topics.</p><p>If you're wondering if there might be something specific to DistroWatch.com, something on the site that the owners/operators perhaps don't even know about, for example, then it seems pretty safe to rule out such a possibility. Reports show that "multiple groups associated with Linux and Linux discussions have either been shut down or had many of their posts removed." 
However, we tested a few other Facebook posts with mentions of Linux, and they didn't get blocked immediately.</p><figure role="gallery"><figure><img src="https://cdn.mos.cms.futurecdn.net/xeYmJT7TAGLBhcRUvB7jZG.jpg" alt="Linux topics being banned by Facebook" /><figcaption><small role="credit">Future</small></figcaption></figure><figure><img src="https://cdn.mos.cms.futurecdn.net/kUEHqzbzKjoPjauSu5bqqG.jpg" alt="The DistroWatch site today" /><figcaption><small role="credit">DistroWatch</small></figcaption></figure></figure><p>Copenhagen-hosted DistroWatch says it has tried to appeal against the Community Standards-triggered ban. However, they say that a Facebook representative said that Linux topics would remain on the cybersecurity filter. The DistroWatch writer subsequently got their Facebook account locked…</p><p>Facebook's overzealous ban on some Linux topics in the name of Community Standards and its protection of its users from threats comes with a large ladle full of irony. "Facebook runs much of its infrastructure on Linux," DistroWatch points out, "and often posts job ads looking for Linux developers." </p><p>However, the Linux news site was gracious enough not to sneer at Facebook's record of (not) protecting its users. For example, some consider Facebook to have been instrumental in election interference around the world and to have fuelled genocide in Myanmar, and, despite its terrible past, it has recently decided to dispose of its independent fact-checkers.</p><p>There is some hope that banning Linux links and topics is a temporary blip on the radar. Facebook will soon realize that it has mistaken what is a flock of migratory birds for a squadron of assault drones. DistroWatch notes that it also suffered from an RSS feed ban hammer when Twitter changed its name to X-rated content implying X. </p><p>If you have noticed any other Linux-related domains, links, or phrases that Facebook has banned, please tell us in the comments section.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The first-ever ransomware dropped 35 years ago disguised as a floppy sharing 'AIDS Information' ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/the-first-ever-ransomware-dropped-35-years-ago-disguised-as-a-floppy-sharing-aids-information</link>
                                                                            <description>
                            <![CDATA[ The first-ever example of ransomware dropped 35 years ago, in December 1989. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ioPQk5Hq3N5724KqQaLhBA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/f9pmW33KzGqFFff9UjT4CX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 19 Jan 2025 16:15:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:51:20 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Christopher Harper ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/qS2hbWnXwNUSmgyAHBQqKB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote&amp;nbsp;for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the&amp;nbsp;Sonic Adventure 2&amp;nbsp;soundtrack.&lt;br&gt;
&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/f9pmW33KzGqFFff9UjT4CX-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[5.25-inch floppy disk]]></media:description>                                                            <media:text><![CDATA[5.25-inch floppy disk]]></media:text>
                                <media:title type="plain"><![CDATA[5.25-inch floppy disk]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/f9pmW33KzGqFFff9UjT4CX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Thirty-five years ago, as December 1989 turned into January 1990, the then-largest ever cybercrime investigation was launched in response to the world's first known example of ransomware. This first ransomware payload was secreted on a 5.25-inch floppy disk titled "AIDS Information — Introductory Diskette 2.0" [h/t <a href="https://www.heise.de/news/Missing-Link-35-Jahre-Ransomware-am-Anfang-stand-eine-unscheinbare-Diskette-10247344.html" target="_blank">Heise.de</a>]. The pioneering ransomware was developed by one American biologist, Dr. Joseph Lewis Andrew Popp Jr., and about 20,000 copies were distributed to subscribers of the magazine PC Business World, various mailing lists, and even to World Health Organization delegates during a conference on AIDS.</p><p>As one may be able to deduce by the years and names being thrown around, this attack's choice of target was highly intelligent and the method of delivery exploited people's existing fears of a terrifying new biological virus at a time when knowledge of regular computer viruses was at an all-time low — much less an all-new form of malware meant to extort its victims.</p><p>Compared to modern-day attacks, Dr. Popp's rendition of ransomware is a little bit sloppy. Only file names, not the files themselves, were encrypted by this ransomware. Thanks to this, effective software countermeasures ("AIDSOUT" to remove it and "AIDSCLEAR" to check for hidden directories combined into "CLEARAID") were developed by John Sutcliffe and Jim Bates to rescue impacted parties. Unfortunately, several parties still experienced severe financial damages and data loss thanks to the "AIDS Information" ransomware, including an Italian health organization that lost a whopping 10 years of research to the attack.</p><p>Interestingly, ransomware pioneer Dr. Popp Jr. wasn't just the most effective cybercriminal in history at this point in time... he also seemed to be at least a little bit crazy. 
Following several arrests and extraditions, a London psychiatrist concluded that the then-41-year-old Dr. was "mentally unfit to stand trial," and prior to the trial, he had been witnessed wearing condoms on his nose, carrying a cardboard box, and exhibiting other extremely odd behaviors that diverted him from prison to London's Maudsley Hospital.</p><p>Now, here in the far future from these events, some salt is required. After all, this was a very complex and targeted attack to be executed by someone who supposedly didn't have their mental faculties in check. Even the cost of distributing the attack was estimated at around £10,000 — or about £31,794.86 or roughly $38,600 USD today. There was also the cost of registering "PC Cyborg" and its accompanying accounts in Panama, as well as renting housing in London. However, the ransom demands meant that even just 1% of victims paying the fee would grant a handsome return.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers bury malware in new ZIP file attack — combining multiple ZIPs into one bypasses antivirus protections ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hackers-bury-malware-in-new-zip-file-attack-combining-multiple-zips-into-one-bypasses-antivirus-protections</link>
                                                                            <description>
                            <![CDATA[ Security researchers discovered that concatenated ZIP files have been used to hide malicious files in ZIP archives. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qbfRqRXtDvQfGdyy4aNhKR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NNUzEfnVE76uk5RzHMQBtY-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 Nov 2024 15:00:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 10:10:55 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NNUzEfnVE76uk5RzHMQBtY-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Russian Dolls]]></media:description>                                                            <media:text><![CDATA[Russian Dolls]]></media:text>
                                <media:title type="plain"><![CDATA[Russian Dolls]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NNUzEfnVE76uk5RzHMQBtY-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers have discovered that malicious actors have been using ZIP file concatenation to avoid the detection of the malware within. This technique involves combining multiple ZIP files, with the malware stored in one of the inner archives, making it harder for anti-malware software to discover. Furthermore, researchers at <a href="https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/">Perception Point</a> (h/t <a href="https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/">BleepingComputer</a>) noted that the different ways the three most popular file archivers — 7zip, WinRAR, and Windows File Explorer — handle concatenated archives affect detection rates in this type of attack.</p><p>ZIP files usually have a single central directory which tells the archiving software where each individual file is located within the archive and where its data starts and ends. However, concatenated archives have two or more central directories, with the file archiver only opening one central directory when a user previews its contents. For example, 7zip only shows the first central directory, while WinRAR would show the second one. On the other hand, Windows File Explorer outright refuses to open concatenated ZIP files (but it would open the second directory if the file is renamed as a .RAR file). </p><p>So, if the malicious file is stored in the second directory, users who unpack it using 7zip won’t see the malware at all — only the benign first directory is seen and unpacked. The only indication that there’s another file in the archive is the warning that appears in the extraction window: “There are some data after the end of the payload data”. 
But if you use WinRAR or Windows File Explorer (with a concatenated .RAR archive), you would be able to see and unpack the malware file.</p><p>Note that this is likely an intended behavior based on the popular use cases of some archival software. Most tech-savvy users, including developers and cybersecurity professionals, favor 7zip. So, if they open the suspect file, usually delivered via a phishing email, they won’t see the malicious program, allowing the attack vector to fly under the radar. On the other hand, some would open the archive directly in Windows File Explorer or in WinRAR. Given that the file is delivered via a phishing email, the non-tech-savvy users are the obvious targets of this attack. When they open the infected file, it could then connect to the internet to download ransomware, banking trojans, and other types of more advanced malware.</p><p>This isn’t the first malicious attack that has taken advantage of the quirks and features of archival software. For example, a security researcher previously discovered the ‘Zip Bomb’ attack where <a href="https://www.tomshardware.com/news/new-zip-bomb-method-megabytes-to-petabytes,39846.html">a single 46MB archive expanded into a massive 4.5PB folder</a>, potentially crashing the system opening it. In context, that amount of storage is equal to 4.5 billion high-quality photos at 1MB each or more than 366 years of HD video if one hour consumes 1.4GB. This shows that while security software is an important part of cybersecurity, knowing which files are suspect is still the user’s first line of defense.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers demand France’s Schneider Electric pay a $125k ransom in baguettes ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hackers-demand-frances-schneider-electric-pay-a-usd125k-ransom-in-baguettes</link>
                                                                            <description>
                            <![CDATA[ Hungry hackers have demanded that France’s Schneider Electric pay a $125,000 ransom in baguettes. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">HcjFzdNgA7WBjmMi9d3gVT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2Ny6mq5GVC4ZzT5oBu6SmZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 05 Nov 2024 13:30:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:50:09 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2Ny6mq5GVC4ZzT5oBu6SmZ-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[French baguettes - we need more]]></media:description>                                                            <media:text><![CDATA[French baguettes - we need more]]></media:text>
                                <media:title type="plain"><![CDATA[French baguettes - we need more]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2Ny6mq5GVC4ZzT5oBu6SmZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hungry hackers have demanded that France’s Schneider Electric pay a $125,000 ransom in baguettes. Bleeping Computer’s report indicates that a hacker group may have <a href="https://www.bleepingcomputer.com/news/security/schneider-electric-confirms-dev-platform-breach-after-hacker-steals-data/">stolen 40GB of data</a> from the major French energy management and automation engineering group, after successfully penetrating the firm’s JIRA system. </p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">Hey @SchneiderElec how was your week? Did someone accidentally steal your data and you noticed, shut down the services and restarted without finding them? Now you shut down again but the criminals seem to have taken more juicy data >_<<a href="https://twitter.com/cantworkitout/status/1853089027777261941">November 3, 2024</a></p></blockquote><div class="see-more__filter"></div></div><p>Greppy is thought to have (or had) connections with the Hellcat ransomware gang. The above Tweet taunted Schneider about the purported success of a recent cyber attack, and a follow-up post in the thread reveals an example chunk of data. However, fuller details about the purported nature and scale of the data haul, as well as the boulangerie product demands, were published on the dark web.</p><p>If the ransom demands aren’t fulfilled, the threat is that sensitive data, including information about company projects, staff, and user data, will be spilled. According to the hacker(s) the stolen info includes: “critical data, including projects, issues, and plugins, along with over 400,000 rows of user data,” which weighs in at 40GB compressed.</p><p>However, the hacker(s) indicated that, should Schneider publicly admit to this latest data breach, the ransom would be cut in half. Thus, the ransom demanded would decrease to $62,500 worth of baguettes, we would presume. 
Even with a 50% deduction, that’s still a lot of dough.</p><p>At the time of writing, it is difficult to know exactly whether Schneider has satisfied the ransom admission clause, as it released a statement to Bleeping Computer that doesn’t exactly confirm the scale of the purported breach. </p><p>“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment,” Schneider Electric said to BleepingComputer. The firm also said its Global Incident Response team was on the case straight away, but insisted that “Schneider Electric's products and services remain unaffected.”</p><p>Bleeping Computer also talked to Greppy (or Grep), who indicated a new hacking group called ICA had been formed. One which doesn’t extort cash from companies if they admit being breached within 48 hours. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microchip Technology suffers cyberattack — operations impacted while extent of attack is investigated ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/microchip-technology-suffers-cyberattack-operations-impacted-while-extent-of-attack-is-investigated</link>
                                                                            <description>
                            <![CDATA[ U.S. chipmaker Microchip Technology suffers from cyberattack, forcing it to reduce operations as it looks into the scope of the damage. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cFV7r2k8r62WtSWtn3yE5k</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vFBdJmeeHnxrmWqJpA3MHh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 21 Aug 2024 12:19:07 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:56:22 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/vFBdJmeeHnxrmWqJpA3MHh-1280-80.jpg">
                                                            <media:credit><![CDATA[Microchip Technology]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microchip Technology office]]></media:description>                                                            <media:text><![CDATA[Microchip Technology office]]></media:text>
                                <media:title type="plain"><![CDATA[Microchip Technology office]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vFBdJmeeHnxrmWqJpA3MHh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Arizona-based semiconductor manufacturer Microchip Technology detected a cyberattack against its systems on August 17. The company said in <a href="https://www.sec.gov/Archives/edgar/data/827054/000082705424000153/mchp-20240820.htm">a regulatory filing</a> with the SEC that “an unauthorized party disrupted the Company’s use of certain servers and some business operations.” Microchip had to isolate and shut down some affected systems while investigating the cause of the issue, it said.</p><p>This inevitably means disruption to operations, with manufacturing output falling below normal levels. Microchip has yet to determine the overall scope, nature, and impact of the attack, so the company has yet to ascertain how the event will affect the company’s bottom line.</p><p>"As a result of the incident, certain of the Company’s manufacturing facilities are operating at less than normal levels, and the Company’s ability to fulfill orders is currently impacted. The Company is working diligently to bring the affected portions of its IT systems back online, restore normal business operations and mitigate the impact of the incident," the filing reads.</p><p>Microchip Technology did not announce what type of attack hit their systems. There are a few hints that a ransomware attack was the cause, but the company hasn’t given any indication if that is the case. Furthermore, no ransomware group has claimed responsibility for it.</p><div><blockquote><p>manufacturing facilities are operating at less than normal levels</p><p>Microchip Technology</p></blockquote></div><p>Aside from its wide-ranging client base, the company is also one of the <a href="https://www.tomshardware.com/tech-industry/us-government-to-provide-update-on-chips-act-multi-billion-dollar-payouts-to-intel-tsmc-samsung-expected">recipients of the American CHIPS Act payouts</a>; the White House considers it crucial for U.S. national security. 
But as the global semiconductor race is heating up between two powers — China and the U.S. — resulting in a <a href="https://www.tomshardware.com/tech-industry/us-china-chip-war-may-continue-for-decades-says-former-asml-ceo-wennick-shares-insights-from-selling-chipmaking-gear-to-both-sides">new chip war that will likely last well into the 21st century</a>, state-sponsored cyberattacks are becoming more and more common. Criminal enterprises are also taking advantage of the increased digitization, targeting massive corporations with ransomware and then asking for millions of dollars just to decrypt their files.</p><p>Microchip Technology is a major player in the semiconductor industry. It has more than 120,000 customers spread across diverse industries. These include clients in aerospace, automotive, communications, defense, maker and industrial markets.</p><p>Whatever the cause and impact of the cyberattack on the company is, a reduction in semiconductor output is never welcome news in the industry. For example, <a href="https://www.tomshardware.com/tech-industry/northern-taiwan-power-outage-causes-small-impact-on-micron-and-nanya-fabs">power outages in Taiwan</a> have historically caused global chip prices to rise. Events like this show how fragile the global semiconductor supply chain is, and it will likely take several more years before it becomes more robust against disruptions.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Indonesia gov ransomware chaos may be over after hack group apologizes and says it has shared decrypt keys ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/indonesia-gov-ransomware-chaos-may-be-over-after-hack-group-apologizes-and-says-it-has-shared-decrypt-keys</link>
                                                                            <description>
                            <![CDATA[ Brain Cipher group, which was behind the massive ransomware attack on the Indonesian government, released the decrypt keys and apologized publicly for its actions. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">szveX6v3iHwqHVkS9hZxwh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/yTFNqVqfR7UP56rXgcZyUW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 04 Jul 2024 13:15:00 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:43:54 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/yTFNqVqfR7UP56rXgcZyUW-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Jakarta Indonesia]]></media:description>                                                            <media:text><![CDATA[Jakarta Indonesia]]></media:text>
                                <media:title type="plain"><![CDATA[Jakarta Indonesia]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/yTFNqVqfR7UP56rXgcZyUW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ransomware group Brain Cipher has announced that it will reveal its decrypt keys in the wake of a <a href="https://www.tomshardware.com/news/cigent-secure-ssd-plus-ai">ransomware</a> attack it conducted against Indonesia’s Temporary National Data Center (PDNS). German tech site <a href="https://www.golem.de/news/backup-fiasko-in-indonesien-hacker-verschenken-schluessel-und-entschuldigen-sich-2407-186707.html">Golem.de</a> reported the news after the group posted the key, along with instructions on how to decrypt the data, on its website.</p><p>“We hope that our attack made it clear to you how important it is to finance the industry and recruit qualified specialists,” the group said Monday. “Our attack did not carry a political context, only a pentest [penetration test] with post payment.”</p><p>Brain Cipher even apologized to the wider Indonesian citizenry saying, “Citizens of Indonesia, we apologize for the fact that it affected everyone.” The group claims that it made this move of its own accord, with no prodding from any government agency. Nevertheless, it’s asking for public gratitude for its ‘generous’ action while simultaneously sharing a Monero address for donations.</p><p>After it released the decryption keys, Brain Cipher said, “We will wait until the second party [the Indonesian government] has officially confirmed that the key works and the data has been restored.” It will then delete its copy of the data, after verifying that Indonesia’s data centers are accessible again.</p><p>This massive ransomware attack has been a major headache for Jakarta, especially after it noticed that the two affected data centers, which house the information for over 230 public agencies, <a href="https://www.tomshardware.com/tech-industry/cyber-security/indonesia-suffering-from-a-ransomware-attack-discovers-it-has-no-backups-thats-stupidity-remarks-astute-government-official">did not have backups available</a>. 
The group demanded 131 billion Rupiah, or about US$8 million, to release the decryption key. However, even though the government had no <a href="https://www.tomshardware.com/best-picks/best-nas-devices">backups</a> of its data, it said that it would not pay the ransom.</p><p>Indonesia has yet to acknowledge this development or release a statement regarding the attack on its data center as of the time of writing, so we can&apos;t be certain that the decrypt keys work. After all, many ransomware attackers are known to accept payment from their victims but still refuse to release the decrypt key(s) for their data. Furthermore, this move by Brain Cipher might merely be an act of publicity for the group to gain some notoriety or donations. So, until Jakarta confirms that its data is safe and available again, we cannot believe that the decrypt key even works.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Indonesia, suffering from a ransomware attack, discovers it has no backups — 'That's stupidity,' remarks astute government official  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/indonesia-suffering-from-a-ransomware-attack-discovers-it-has-no-backups-thats-stupidity-remarks-astute-government-official</link>
                                                                            <description>
                            <![CDATA[ The devastation from a June cyberattack against Indonesia has been made much worse by a complete lack of data backups from one of the compromised data centers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LzkH3QgXAjkwq2m5xGEXWU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NE8zGnvXaQCYRnnivgMv7W-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 03 Jul 2024 14:44:40 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 10:04:13 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jeff Butts ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/mu8yfvXw9Ut4an84MVDhs9.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jeff Butts began tinkering with computers in the early 1980s and worked as an IT and networking consultant for 15 years before engaging in any “formal” training. Throughout his career, he worked with and supported nearly every commonly used operating system, including Windows, OS/2, Linux, and macOS. He eventually earned a Master of Information and Computing Systems and taught university English and computer science for several years before pivoting to professional writing. He’s written and edited for such outlets as The Mac Observer, How-To Geek, Hot Hardware, groovyPost, and geekRumor. When not writing, he bounces between 3D printing projects, fiddling with Raspberry Pi and the like, and Microsoft Flight Simulator.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NE8zGnvXaQCYRnnivgMv7W-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Jakarta skyline in Indonesia]]></media:description>                                                            <media:text><![CDATA[Jakarta skyline in Indonesia]]></media:text>
                                <media:title type="plain"><![CDATA[Jakarta skyline in Indonesia]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NE8zGnvXaQCYRnnivgMv7W-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A <a href="https://www.tomshardware.com/tech-industry/internet-archive-facing-sustained-cyber-attacks-nonprofit-struggles-with-impactful-targeted-adaptive-ddos-campaign">cyber attack</a> in Indonesia that’s been called the worst in years exposed a critical mistake in the country’s information technology policy. Almost none of the data in one of the two data centers hit by the ransomware attack is backed up, meaning it cannot be restored other than by decrypting the affected servers’ storage systems.</p><p>The attack happened on June 20, when a “non-state actor” compromised Indonesia’s Temporary National Data Center (PDNS) using a variant of the <a href="https://www.tomshardware.com/tech-industry/cyber-security/chinas-largest-bank-forced-to-settle-trades-by-usb-stick-after-ransomware-attack">LockBit 3.0 malware</a> called Brain Cipher. This software not only extracts sensitive data but also encrypts it on the servers. The attacker has demanded a ransom of $8 million, which the government says it does not intend to pay.</p><p>The attack affected over 230 public agencies in Indonesia, including ministries, and severely disrupted several critical national services. These included important government services such as immigration and operations at major airports.</p><p>After the <a href="https://www.reuters.com/technology/cybersecurity/bulk-indonesia-data-hit-by-cyberattack-not-backed-up-officials-say-2024-06-28/">impact became clear</a>, Indonesian President Joko Widodo ordered an audit of the country’s data centers. Muhammad Yusuf Ateh, who leads Indonesia’s Development and Finance Controller (BPKP), said the audit would cover “governance and the financial aspect” of the cyberattack.</p><p>An official from Indonesia’s cyber security agency told Reuters that 98% of the government data stored in one of the two compromised data centers had not been backed up. 
While the data center had the backup capacity to store the data, it wasn’t required. Many government agencies did not use the backup service because of budget constraints.</p><p>Since then, some have called for Budi Arie Setiadi, Indonesia’s communications director, to resign his post. Setiadi’s ministry is responsible for running the data centers. Setiadi, they say, has failed to take responsibility for multiple cyber attacks on the nation.</p><p>The commission chair investigating the incident, Meutya Hafid, said, “If there is no back up, that&apos;s not a lack of governance. That&apos;s stupidity.”</p><p>Indonesian authorities say they are trying to decrypt the data themselves. The team expects to have all government services fully restored by August.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft now forces automatic OneDrive backups — feature enabled during clean Windows installs, users surprised with desktop icons and files ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/software/windows/microsoft-now-forces-automatic-onedrive-backups-feature-enabled-during-clean-windows-installs-users-surprised-with-desktop-icons-and-files</link>
                                                                            <description>
                            <![CDATA[ OneDrive backup and syncing becomes an opt-out feature for Windows 11. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cwMCdBpkJkxqnXZgQxxuAU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2uQq8VEChTsAzkPLZsVLGS-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 25 Jun 2024 14:12:40 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:57:16 +0000</updated>
                                                                                                                                            <category><![CDATA[Windows]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Operating Systems]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2uQq8VEChTsAzkPLZsVLGS-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[OneDrive install on phone]]></media:description>                                                            <media:text><![CDATA[OneDrive install on phone]]></media:text>
                                <media:title type="plain"><![CDATA[OneDrive install on phone]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2uQq8VEChTsAzkPLZsVLGS-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has been working hard to wedge you into its ecosystem, and it appears to have taken one step further by making OneDrive backups an opt-out feature. OneDrive is Microsoft’s cloud drive service, much like Google Drive and iCloud. It comes standard with 5GB of free storage for anyone who signs up for a Microsoft Account, which you’ll likely do from now on, since <a href="https://www.tomshardware.com/software/windows/door-slammed-on-last-remaining-easy-windows-11-local-account-setup-workaround">the company recently turned off the easy bypass to Windows 11’s online setup</a>.</p><p>While Apple and Google offer online backups on their devices, these are opt-in, and you can always decline them <em>before</em> either of them starts syncing your device contents. However, Microsoft is irking its users by turning on OneDrive backups by default, as discovered by <a href="https://www.neowin.net/news/windows-11-is-now-automatically-enabling-onedrive-folder-backup-without-asking-permission/">Neowin</a>, so anyone who intends to complete a clean Windows 11 install is currently being surprised by OneDrive desktop icons and drive folders on their newly installed operating system. </p><p>If you prefer backing up your files via the cloud, OneDrive is an excellent option, especially as it seamlessly syncs with Windows File Explorer. However, there are times when users want to back up only specific files, and there are also situations when you want a clean PC with no bloat. If that is the case, then automatic OneDrive synchronization with a new PC would indeed be an unwanted annoyance.</p><p>Microsoft has clearly been pushing its users towards its closed ecosystem. 
For example, the company <a href="https://www.tomshardware.com/software/windows/microsoft-account-to-local-account-conversion-guide-erased-from-official-windows-11-guide-instructions-redacted-earlier-this-week">removed official instructions on how to convert your Windows 11 Microsoft Account login into a local account</a> from its guide page. So, if you didn’t <a href="https://www.tomshardware.com/how-to/install-windows-11-without-microsoft-account">install Windows 11 using the local account bypass</a>, you have to find less-official results to find instructions on converting your login account. Microsoft Edge will <a href="https://www.tomshardware.com/news/edge-poll-downloading-chrome">ask you why you’re moving to Chrome</a> if you download its installer. Furthermore, even if you’ve already set a different default browser, searching from the Start Menu will still pull up the results on Edge — one of the company’s shady practices when it comes to <a href="https://www.tomshardware.com/news/microsoft-confirms-windows-11-edge-default-browser">anti-competitive behavior</a> in Windows 11.</p><p>In fairness to Microsoft, OneDrive is one of the more <a href="https://www.tomshardware.com/news/microsofts-new-365-basic-plan-dollar2-a-month-includes-100gb-onedrive-ad-free-outlook">affordable cloud storage options on the market at $2 a month</a>. It’s also quite a robust product, with features including file versions, which helps protect you in case of file loss or a ransomware attack. However, shoving it down users’ throats isn’t the way to go if you want them to pay for it. Instead, the company should make using OneDrive a more seamless experience so much so that people will want to use it over Google Drive or iCloud. Or at least it should ask users first if they want to turn on device syncing via OneDrive, so they can get a clean install if they want to.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Windows 11 24H2 may block connections to unsecured third-party NAS devices — Microsoft enables SMB signing for enhanced security ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/nas/windows-11-24h2-may-block-connections-to-unsecured-third-party-nas-devices-microsoft-enables-smb-signing-for-enhanced-security</link>
                                                                            <description>
                            <![CDATA[ To boost security for its users, Microsoft has disabled SMB1 and Guest Signing protocol by default, securing billions of Windows 11 24H2 PCs as it would not allow access to unsecured NAS devices, prompting the respective manufacturers to enable it. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">J65zWBjvtb3rbiCqC9g62f</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Aq8uBNWwVUEsnMEomPcoMM-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 31 May 2024 14:19:18 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:51:38 +0000</updated>
                                                                                                                                            <category><![CDATA[NAS]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                    <category><![CDATA[Storage]]></category>
                                                                                                                    <dc:creator><![CDATA[ Roshan Ashraf Shaikh ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/zdehzmQF3FFdL62x7CtdmT.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, &amp;amp; blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix &amp;amp; TweakTown before joining Tom&#039;s Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/Aq8uBNWwVUEsnMEomPcoMM-1280-80.png">
                                                            <media:credit><![CDATA[Microsoft]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Windows 11&#039;s GUI]]></media:description>                                                            <media:text><![CDATA[Windows 11&#039;s GUI]]></media:text>
                                <media:title type="plain"><![CDATA[Windows 11&#039;s GUI]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Aq8uBNWwVUEsnMEomPcoMM-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft&apos;s principal program manager, Ned Pyle, addressed new security changes with Windows 11 24H2 via the <a href="https://techcommunity.microsoft.com/t5/storage-at-microsoft/accessing-a-third-party-nas-with-smb-in-windows-11-24h2-may-fail/ba-p/4154300">Microsoft blog</a>. The changes will deny access to unsecured routers with USB ports and some <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/enthusiast-arms-12-slot-nvme-nas-with-an-nvidia-rtx-gpu-to-run-local-chatgpt">Network Attached Storage</a> devices. Pyle mentions that the upcoming upgrade abandons much earlier variants of the Server Message Block (SMB) protocol, hence the potential issue.</p><p>Pyle explains that SMB1 is over forty years old, and warnings of its demise have been echoed since 2022. <a href="https://www.tomshardware.com/software/windows/microsoft-updates-windows-11-24h2-requirements-cpu-must-support-sse42-or-the-os-will-not-boot">Windows 11 24H2</a> takes one step forward, as it requires SMB signing by default, which will prevent tampering on the network. Guest fallback, which allows access to an SMB server without a username or password, will also be disabled on Windows 11 Pro Edition for better security. </p><p>This added security is long overdue as SMB signing has been available in Windows for thirty years as an option. Guest in Windows was deprecated twenty-five years ago, while the Guest fallback option was disabled in Windows 10 Enterprise, Education, and Pro for Workstation editions. These security implementations have also been present in Windows Insider Dev and <a href="https://www.tomshardware.com/software/microsoft-axes-wordpad-after-28-years-of-duty-windows-95-stalwart-has-been-removed-from-the-new-windows-11-canary-build">Canary builds</a> for a year. 
Pyle says that this change in Windows 11 24H2 will secure over a billion devices as it will force NAS and router makers to update unpatched devices. </p><p>SMB signing could serve as an added layer of security against malicious programs that access unsecured servers without the user&apos;s knowledge and permission to transfer data. Pyle explains that the devices can no longer be tricked into connecting to a malicious server without login credentials, blocking access to <a href="https://www.tomshardware.com/tech-industry/cyber-security/shrinklocker-ransomware-uses-bitlocker-against-you-encryption-craving-malware-has-already-been-used-against-governments">ransomware</a> or malicious programs designed to <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/ai-worm-infects-users-via-ai-enabled-email-clients-morris-ii-generative-ai-worm-steals-confidential-data-as-it-spreads">steal data</a>. </p><p>However, this would also mean blocking access to your NAS since it can&apos;t differentiate between a server with malicious intent and a trusted NAS that doesn&apos;t have the necessary protocols. Pyle explains that, as a result, it would generate the following error:</p><ul><li>0xc000a000</li><li>-1073700864</li><li>STATUS_INVALID_SIGNATURE</li><li>The cryptographic signature is invalid</li></ul><h2 id="nas-makers-to-follow-suit">NAS makers to follow suit?</h2><p>Although the unsecured options are disabled by default, one could revert the changes at the cost of having a less secure system. This is where device manufacturers must provide a security patch for unsecured devices. </p><p>Pyle explains that Microsoft would like to know if users have routers with USB ports and NAS units that do not support SMB signing. He says, "If you have a third-party NAS device that doesn&apos;t support SMB signing, we want to hear about it. 
Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share it with the world and perhaps get the vendor to fix it with an update."</p><p>It&apos;s also likely that these NAS units and routers with USB ports support SMB signing but have it turned off by default. Users could probably turn it on via the NAS management software. However, this may encourage NAS and router makers to turn these off by default while providing the ability to turn on the SMB guest fallback option should the user need it. </p><p>Helping to secure one&apos;s network-attached drives is always going to be seen in a positive light by several users. It is also unlikely many NAS makers would risk being named by Microsoft as an unsecured device. Still, you&apos;ll never know until Windows 11 24H2 is released and, eventually, a list of unsecured NASs is published. </p><p>This isn&apos;t the only <a href="https://www.tomshardware.com/software/windows/windows-11-24h2-will-enable-bitlocker-encryption-for-everyone-happens-on-both-clean-installs-and-reinstalls">security provision</a> provided with Windows 11 24H2, but only time will tell how many users would be affected by this change.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/shrinklocker-ransomware-uses-bitlocker-against-you-encryption-craving-malware-has-already-been-used-against-governments</link>
                                                                            <description>
                            <![CDATA[ The ShrinkLocker ransomware attack uses BitLocker to encrypt corporate systems and destroy all recovery methods. The new attack is more directed at destruction than extortion. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eqgUrQHc9uDfhmZeRB4vJc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6fchb3yYCKdETtJdi62QSR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 May 2024 21:47:31 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:00:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sunny Grimm ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/TMvJDaYy3nyZ8kYLJ2rggY.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Sunny&#039;s tech journey began in 2017, when he spotted the shiny new GTX 1080 on the shelf of one Jarred Walton, Tom&#039;s Hardware&#039;s resident GPU expert. Babysitting for Jarred, Sunny was paid in a 1050 Ti, which killed his computer the second he tried to install it. One week of headscratching troubleshooting later, Sunny was brought into this new life of tinkering and trying to squeeze every frame of performance out of their hardware. First writing for PC Gamer, Sunny made the trek over to Tom&#039;s Hardware to tackle the morning&#039;s breaking tech news. Perpetually one generation behind the bleeding edge, Sunny is currently studying at a university in Utah. When they&#039;re not writing about the US-China trade war, Sunny is either writing new music, getting in rounds of &lt;em&gt;Magic: the Gathering&lt;/em&gt;, or advocating for minority rights.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6fchb3yYCKdETtJdi62QSR-1280-80.jpg">
                                                            <media:credit><![CDATA[Microsoft]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[BitLocker hardware encryption tested]]></media:description>                                                            <media:text><![CDATA[BitLocker hardware encryption tested]]></media:text>
                                <media:title type="plain"><![CDATA[BitLocker hardware encryption tested]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6fchb3yYCKdETtJdi62QSR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>BitLocker has been weaponized again by the new "ShrinkLocker" ransomware attack. The attack uses novel methods to make a classic BitLocker attack more pervasive and dangerous than ever before, and it has already been used against governments and manufacturing industries. </p><p>Kaspersky, known for its Kaspersky Anti-Virus and class-leading malware research, <a href="https://usa.kaspersky.com/about/press-releases/2024_kaspersky-uncovers-new-bitlocker-abusing-ransomware">identified the new strain</a> in Mexico, Indonesia, and Jordan, so far only against enterprise PCs. Attacks using <a href="https://www.tomshardware.com/how-to/enable-or-disable-bitlocker-encryption-in-windows">BitLocker</a>, an optional Windows feature, commonly used in the enterprise world, that encrypts PC hard drives, are not new. But ShrinkLocker is unique thanks to new innovations.</p><p>ShrinkLocker uses VBScript, an old Windows scripting language set to be deprecated starting with Windows 11 24H2, to identify the specific Windows OS used by the host PC. A malicious script then runs through BitLocker setup specific to the operating system, and enables BitLocker accordingly on any PC running Vista or Windows Server 2008 or newer. If the OS is too old, ShrinkLocker deletes itself without a trace. </p><p>ShrinkLocker then shrinks all drive partitions by 100MB and uses the stolen space to create a new boot partition, hence "Shrink" Locker. ShrinkLocker also deletes all protectors used to secure the encryption key, making it unrecoverable by the victim later. The script creates a new random 64-character encryption key, sends it and other information about the computer to the attacker, deletes the logs that stored ShrinkLocker&apos;s activity, and finally forces a shut-down of the PC, using the newly created boot partition to fully lock and encrypt all drives on the PC. 
The PC and every byte of data on it are now fully unusable.</p><p>The attack leaves its targets floundering, with bricks for hard drives. The creator of the ShrinkLocker attack must have had an "extensive understanding" of a variety of obscure Windows internals and utilities to craft the attack, which left almost no trace. Kaspersky&apos;s experts could not find any way to identify the source of the attack or the source where information was sent, but they did find the ShrinkLocker script left behind on the single drive of one affected PC that did not have BitLocker configured. </p><p>For a ransomware attack, the attacker also did not make it easy to find where to send the ransom in question. The script changes the name of the new boot partitions to the attacker&apos;s email, but this requires more digging to spot than simply editing the BitLocker recovery screen, an easy enough task for a hacker of this caliber. This makes it likely that the attack is focused more on disruption and data destruction than ransom. </p><p>IT professionals will already be familiar with mitigation steps for these attacks: Make frequent backups, restrict users&apos; editing privileges so they cannot edit their BitLocker settings or registries, and seek out high-level EPP or MDR solutions to track and secure your network. Kaspersky obviously suggests their own products for this in their technical report on the attack. </p><p>For the full details of the attack and the ShrinkLocker script, Kaspersky has <a href="https://securelist.com/ransomware-abuses-bitlocker/112643/">a full technical analysis</a>. 
While BitLocker is currently only a feature of "Pro" or enterprise Windows releases, Microsoft will enable <a href="https://www.tomshardware.com/software/windows/windows-11-24h2-will-enable-bitlocker-encryption-for-everyone-happens-on-both-clean-installs-and-reinstalls">BitLocker for all users</a> starting with <a href="https://www.tomshardware.com/software/windows/the-next-ai-focused-version-of-windows-is-windows-11-24h2-not-windows-12">Windows 11 24H2</a>, and automatically activate it on reinstallation, so beware of BitLocker attacks making a move to the individual PC world. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Critical EUV chipmaking tool supplier hacked, pressed to pay $10 million for ransomware unlock – Hoya dismisses hack as an ‘IT system incident’  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/critical-euv-chipmaking-tool-supplier-hacked-pressed-to-pay-dollar10-million-for-ransomware-unlock-hoya-dismisses-hack-as-an-it-system-incident</link>
                                                                            <description>
                            <![CDATA[ Japanese optical technology leader, Hoya Corporation, recently admitted to being affected by an 'IT system incident.' However, according to reports, it was hit by a ransomware attack and a demand for $10 million to maintain the confidentiality of 1.7 million files. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ALhaAcQx8CjDrYUSzSkfdn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ERrXj7snp59B6QaV3GpECf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Apr 2024 15:46:21 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:45:09 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ERrXj7snp59B6QaV3GpECf-1280-80.jpg">
                                                            <media:credit><![CDATA[Hoya Corp.]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hoya mask blanks and photomasks]]></media:description>                                                            <media:text><![CDATA[Hoya mask blanks and photomasks]]></media:text>
                                <media:title type="plain"><![CDATA[Hoya mask blanks and photomasks]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ERrXj7snp59B6QaV3GpECf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Japanese optical technology leader Hoya Corporation <a href="https://ssl4.eir-parts.net/doc/7741/tdnet/2418411/00.pdf">recently admitted</a> (PDF) to being affected by an “IT system incident affecting the functional IT systems of our headquarters and several of our business divisions.” However, according to France’s <a href="https://www.lemagit.fr/actualites/366580339/Ransomware-Hunters-International-demande-10-millions-de-dollars-a-Hoya">LeMagIT</a>, the incident would be better described as a ransomware attack, with Hoya facing demands for $10 million to unlock encrypted files and for the hackers to keep secret the data stolen during the security breach. Hoya is an essential player in the <a href="https://www.tomshardware.com/tech-industry/semiconductors/the-worlds-semiconductor-industry-hinges-on-a-quartz-factory-in-north-carolina">semiconductor industry</a> as a leader in the development of products for <a href="https://www.tomshardware.com/pc-components/cpus/asml-ships-groundbreaking-new-chipmaking-tool-to-intel-high-na-lithography-tool-needed-for-next-gen-process-nodes-could-cost-dollar400-million">EUV lithography</a>. As a result, its trade secrets could be particularly valuable to rivals or sanctioned nations.</p><p>According to reports, the Hoya cyberattack was undertaken by ‘Hunters International.’ This group is thought to have formed after collaborative work between the FBI and law enforcement in Germany and the Netherlands dismantled the notorious ransomware-as-a-service group known as Hive. Despite the evidence, Hunters International denies any affiliation with Hive.</p><p>Some of the purported details of the Hunters International <a href="https://www.tomshardware.com/news/hackers-claim-dollar70-million-ransomware-attack-on-tsmc-hits-supplier-instead">ransomware</a> demand are that the group asked for $10 million for a file decryptor. 
Also, part of the deal would be a pledge by the ransomware group not to release any of the 1.7 million files (2TB of data) that it stole during the hack(s) on Hoya computers.</p><p>Interestingly, Hunters International claims to be applying a non-negotiation, no-discount policy to its Hoya data haul. This news morsel again needs a pinch of salt, as neither any ransomware group nor Hoya has released communications to confirm the true nature of the ‘incident’ affecting Hoya’s servers. However, LeMagIT’s screenshots, allegedly taken from “Hunters International infrastructure,” are an obvious smoking gun.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:999px;"><p class="vanilla-image-block" style="padding-top:56.26%;"><img id="zZtFcaJEStMftR3krLDXPf" name="hoya-2.jpg" alt="Hoya mask blanks and photomasks" src="https://cdn.mos.cms.futurecdn.net/zZtFcaJEStMftR3krLDXPf.jpg" mos="" align="middle" fullscreen="" width="999" height="562" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Hoya Corp.)</span></figcaption></figure><h2 id="hoya-x2019-s-key-it-products">Hoya’s key IT products</h2><ul><li>Mask blanks and photomasks for semiconductor manufacturing</li><li>Photomasks for flat panel displays</li><li>Glass disks <a href="https://www.tomshardware.com/news/hoya-hdd-22tb-24tb">for hard disk drives</a></li><li>Optical glass / optical lenses</li><li>Colored glass filters</li><li>Laser equipment / UV light resources</li></ul><p>As we mentioned in the intro, this isn’t just commercial and customer data at stake. 
Hoya Corporation is a pillar of the West’s advanced semiconductor advantage over <a href="https://www.tomshardware.com/news/us-tech-sanctions-against-china-are-starting-to-bite-hard">sanctioned countries like China</a>, <a href="https://www.tomshardware.com/pc-components/cpus/half-of-russian-made-chips-are-defective-baikal-struggles-to-meet-russias-demand">Russia</a>, and other <a href="https://www.tomshardware.com/pc-components/ram/memory-chip-production-at-risk-as-north-korea-ramps-up-threats-against-south-korean-which-produces-71-of-global-memory-supply-51-of-nand-for-ssds">despotic nations</a>. Hopefully, action will be taken, and data won’t be sold to or ‘accidentally’ leaked to sanctioned countries.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ IBM's new AI-enabled SSDs identify and eradicate ransomware in under a minute ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/ibms-new-cloud-ai-enabled-ssds-identify-and-treat-ransomware-in-under-a-minute</link>
                                                                            <description>
                            <![CDATA[ IBM uses AI-enhanced FlashCore Module (FCM) technology to increase data resilience against cyberattacks by detecting and addressing malware near-instantly. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4QCaSiU8szpo4B2Lpsc7Zn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/v8gzYWvqqVf2UGm5vhnV28-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 28 Feb 2024 13:59:43 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:41:29 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Christopher Harper ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/qS2hbWnXwNUSmgyAHBQqKB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote&amp;nbsp;for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the&amp;nbsp;Sonic Adventure 2&amp;nbsp;soundtrack.&lt;br&gt;
&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/v8gzYWvqqVf2UGm5vhnV28-1280-80.jpg">
                                                            <media:credit><![CDATA[IBM]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[IBM render from original blog post, showcasing a security system that&#039;s a perfect fit for this tech.]]></media:description>                                                            <media:text><![CDATA[IBM render from original blog post, showcasing a security system that&#039;s a perfect fit for this tech.]]></media:text>
                                <media:title type="plain"><![CDATA[IBM render from original blog post, showcasing a security system that&#039;s a perfect fit for this tech.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/v8gzYWvqqVf2UGm5vhnV28-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Yesterday, <a href="https://newsroom.ibm.com/blog-IBM-adds-AI-enhanced-data-resilience-capabilities-to-help-combat-ransomware-and-other-threats-with-enhanced-storage-solutions">IBM released</a> a blog post detailing its technology for AI-enhanced protection against malware, including ransomware, on its SSDs: the fourth generation of IBM&apos;s FlashCore Module (FCM) technology. According to IBM, the latest revision of FCM (FCM4) now supports artificial intelligence, applied to detecting and responding to cybersecurity threats as they arise.</p><p>Previous generations of FCM are already capable of scanning all incoming data without impacting performance, but lack the enhanced features of AI. FCM4 monitors statistics for every single I/O operation, and uses machine learning to detect threats like ransomware in under a minute.</p><p>This approach from IBM joins the likes of other self-protecting SSD storage, for example those made by <a href="https://www.tomshardware.com/news/phison-cigent-develop-self-protecting-ssds">Cigent and Phison</a>, and other, more <a href="https://www.tomshardware.com/news/researchers-bake-malware-protection-directly-into-ssds">performance-intensive hardware protection</a> methods.</p><p>Focusing on IBM&apos;s solutions, though, let&apos;s talk about more than just threat detection. By measuring data parameters like compressibility, randomness and entropy, the IBM Storage Insights software can alert users to an anomaly. The FCM4 technology gathers real-time I/O data, which machine learning models use to identify a threat. By integrating FCM with IBM&apos;s Storage Defender Software, IBM can leverage AI detection and data recovery operations on both the software side and the hardware side.</p><p>Of course, making the most of these technologies and their assorted backup, restore, and protection features is currently limited to high-end applications. 
While day-to-day SSDs may one day see protection like this, IBM&apos;s FCM technology and corresponding software are targeted squarely at enterprise and professional users, particularly ones needing to deal with high-sensitivity or confidential information.</p><p>By dramatically increasing the speed at which ransomware and other malicious activities can be detected, removed, and repaired from storage, IBM has shown that machine learning AI actually can be the ideal choice for some workloads.</p><p>While the ethics and morals of "generative AI" in art, music and literature are quite rightly being debated, the use of AI in this application means better security for enterprise users. Even the most seasoned IT security pros would be hard-pressed to detect and start reversing a ransomware attack within a single minute, but a job like that might actually be <em>perfect</em> for these ever-evolving machine learning models.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google proposes users of older Windows 10 PCs to migrate to ChromeOS Flex — 600 devices certified  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/software/operating-systems/google-proposes-users-of-older-windows-10-pcs-to-migrate-to-chromeos-flex-600-devices-certified</link>
                                                                            <description>
                            <![CDATA[ Want to keep your old Windows 10 PC, but maintain support after October, 2025? Google says to use ChromeOS Flex. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wuQo9mvDKCRByxBPPfHCUk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/teUGt9d2udBNDueiNE5Va7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 15 Feb 2024 20:17:38 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:53:36 +0000</updated>
                                                                                                                                            <category><![CDATA[Operating Systems]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ ashilov@gmail.com (Anton Shilov) ]]></author>                    <dc:creator><![CDATA[ Anton Shilov ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/uMZ5kNphxA2Ut6whdLaSQV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Anton Shilov has been in the PC industry since 1990s playing games, building PCs, and writing stories about pretty much everything that relates to PCs, Macs, smartphones, tablets, and even fab equipment. Over his career, he has worked at a variety of high-ranking websites, including AnandTech, EE Times, TechRadar, X-bit labs, and now Tom&#039;s Hardware. When Anton is not reading or writing about something high-tech, he is probably watching a good movie, playing a video game, or spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/teUGt9d2udBNDueiNE5Va7-1280-80.jpg">
                                                            <media:credit><![CDATA[Amazon]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Asus Chromebook C425 cover]]></media:description>                                                            <media:text><![CDATA[Asus Chromebook C425 cover]]></media:text>
                                <media:title type="plain"><![CDATA[Asus Chromebook C425 cover]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/teUGt9d2udBNDueiNE5Va7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft will stop supporting Windows 10 on October 14, 2025, which could render 240 million PCs obsolete for consumers and businesses due to lack of free security updates and technical support. Since many Windows 10 systems are too old to run Windows 11, many users will have to <a href="https://www.tomshardware.com/software/windows/microsoft-to-offer-windows-10-subscription-plan-for-customers-who-want-to-keep-getting-updates-after-october-2025-for-both-businesses-and-individuals">pay Microsoft for extended support</a> or buy new PCs. Some may want to preserve their existing machines and not pay Microsoft, which will be dangerous due to lack of security updates, but Google seems to have a solution.</p><p>Google suggests you migrate to cloud-based ChromeOS Flex, which will keep receiving regular security updates and support for at least some time, <a href="https://cloud.google.com/blog/products/chrome-enterprise/11-ways-you-win-with-chromeos-flex">Google tells owners of Windows 10-based PCs</a> that are too outdated to run Windows 11. The lightweight operating system can be easily installed on Windows devices using a USB stick. If people adopt ChromeOS Flex, this will prevent millions of PCs from becoming electronic waste, which is good for the planet.</p><p>In addition, ChromeOS Flex provides numerous other advantages, including regular security updates, data encryption, and potentially improved performance for older devices. It also promises lower IT support costs, making it an attractive option for businesses. The operating system is compatible with various <a href="https://www.tomshardware.com/news/hp-announces-enterprise-focused-chrome-os-devices">Chrome Enterprise solutions</a>, catering to a wide range of business needs such as fleet management, kiosk deployment, and ransomware recovery. 
</p><p>But there is one thing that Google&apos;s ChromeOS does not offer, and which could render the operating system useless for the vast majority of owners of Windows 10-based PCs. For obvious reasons, ChromeOS does not support Windows applications, and many users — both businesses and consumers — of outdated Windows machines use their PCs to keep using programs they know and like. Google is addressing this issue by enabling users to stream these legacy applications, enhancing ChromeOS&apos;s adaptability in the business environment, but it cannot stream the tens of thousands of applications in use today, and streaming requires a stable Internet connection, which somewhat reduces the appeal of this solution.</p><p>"ChromeOS Flex is the perfect (and free!) answer for Windows 10 users with perfectly good hardware who feel abandoned by the shift to Windows 11," said Naveen Viswanatha, ChromeOS Head of Commercial Product at Google. "Whether you are a consumer trying to make the most of the money you have already spent, or an IT manager looking at a fleet of PCs that you need to replace to stay secure, consider ChromeOS Flex."</p><p>But users do not seem to be convinced: ChromeOS currently holds a modest 1.78% share of the global PC OS market, trailing far behind Windows&apos;s dominant 73% share and MacOS&apos;s substantial 16.11% share as of January, 2024, according to <a href="https://gs.statcounter.com/os-market-share/desktop/worldwide">StatCounter.com</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ BitLocker encryption broken in 43 seconds with sub-$10 Raspberry Pi Pico  — key can be sniffed when using an external TPM ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico</link>
                                                                            <description>
                            <![CDATA[ A YouTuber discovered that Windows BitLocker can be hacked on systems featuring dedicated TPMs. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KELuVNjYMeuBvuT6AhZpCT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/m8jufmx88xDmQAcg9rhBME-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 07 Feb 2024 02:18:10 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:52:52 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Aaron Klotz) ]]></author>                    <dc:creator><![CDATA[ Aaron Klotz ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aAk2saHqkgFuTCanz8LnmD.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Aaron began building computers back when he was 8 years old in the mid-2000s, and it’s been a hobby of his ever since then. With a focus on computer hardware, he became an avid member of the Tom’s Hardware forums several years later, helping people solve issues with their PCs. He is now a freelance writer for Tom’s Hardware, writing about computer hardware news and more. When not busy playing or writing about computer hardware, he spends his free time playing video games like Star Citizen or Apex Legends.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/m8jufmx88xDmQAcg9rhBME-1280-80.png">
                                                            <media:credit><![CDATA[YouTube - stacksmashing]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Custom Raspberry Pi Pico designed to hack TPM]]></media:description>                                                            <media:text><![CDATA[Custom Raspberry Pi Pico designed to hack TPM]]></media:text>
                                <media:title type="plain"><![CDATA[Custom Raspberry Pi Pico designed to hack TPM]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/m8jufmx88xDmQAcg9rhBME-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>BitLocker is one of the most easily accessible encryption solutions available today, being a built-in feature of Windows 10 Pro and Windows 11 Pro that&apos;s designed to secure your data from prying eyes. However, <a href="https://www.youtube.com/watch?v=wTl4vEednkQ">YouTuber stacksmashing</a> demonstrated a colossal security flaw with BitLocker that allowed him to bypass <a href="https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance">Windows BitLocker</a> in less than a minute with a cheap sub-$10 <a href="https://www.tomshardware.com/how-to/raspberry-pi-pico-setup">Raspberry Pi Pico</a>, thus gaining access to the encryption keys that can unlock protected data. Once the device was built, the exploit took only 43 seconds to steal the master key.</p><p>To do this, the YouTuber took advantage of a known design flaw found in many systems that feature a <a href="https://www.tomshardware.com/news/where-to-buy-tpm-2.0-for-windows-11">dedicated Trusted Platform Module</a>, or TPM. For some configurations, BitLocker relies on an external TPM to store critical information, such as the Platform Configuration Registers and Volume Master Key (some CPUs have this built-in). An external TPM communicates with the CPU across an LPC bus to send it the encryption keys required for decrypting the data on the drive.</p><p>Stacksmashing found that the communication lanes (LPC bus) between the CPU and external TPM are completely unencrypted on boot-up, enabling an attacker to sniff critical data as it moves between the two units, thus stealing the encryption keys. You can see his method in the video below. 
</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="low" data-lazy-src="https://www.youtube-nocookie.com/embed/wTl4vEednkQ" allowfullscreen></iframe></div></div><p>With this in mind, the YouTuber decided to test an attack on a ten-year-old laptop with BitLocker encryption. His specific laptop&apos;s LPC bus is readable through an unpopulated connector on the motherboard, located right next to one of the laptop&apos;s M.2 ports. This same type of attack can be used on newer motherboards that leverage an external TPM, but these typically require more legwork to intercept the bus traffic.</p><p>To read data off the connector, the YouTuber created a cheap Raspberry Pi Pico device that could connect to the unsecured connector just by making contact with the metal pads protruding from itself. The Pico was programmed to read the raw 1s and 0s off the TPM, granting access to the Volume Master Key stored on the module.</p><p>Stacksmashing&apos;s work demonstrates that Windows BitLocker, as well as external TPMs, aren&apos;t as safe as many think because the data lanes between the TPM and CPU are unencrypted. The good news is that this attack method, which has been known for some time, is relegated to discrete TPMs. If you have a CPU with a built-in TPM, like the ones in modern Intel and AMD CPUs, you should be safe from this security flaw since all TPM communication occurs within the CPU itself.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ China's Largest Bank Forced to Settle Trades by USB Stick After Ransomware Attack ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/chinas-largest-bank-forced-to-settle-trades-by-usb-stick-after-ransomware-attack</link>
                                                                            <description>
                            <![CDATA[ China's ICBC is the world's largest bank, and it was hit with ransomware earlier this week. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XNbwQvnDnbKsrm8Ymx7Lym</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Zfnr6ZEBAH4oB87VwVhiMC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Nov 2023 16:32:15 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:54:27 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ brandon.hill@futurenet.com (Brandon Hill) ]]></author>                    <dc:creator><![CDATA[ Brandon Hill ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/yHeufe7JcvuJBhYPkSexNf.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Brandon&amp;nbsp;has been tinkering with PCs since childhood and received his first &quot;real&quot; PC, an IBM Aptiva 310, in the mid-1990s. He next went on to build his first custom PC with an Intel Celeron 300A processor overclocked to 450MHz on an Abit BH6 motherboard.&amp;nbsp;Brandon&amp;nbsp;has written about PC and Mac tech since the late 1990s, first at AnandTech before moving to DailyTech and later to Hot Hardware. When&amp;nbsp;Brandon&amp;nbsp;is not consuming copious amounts of tech news, he can be found enjoying the NC mountains or the beach with his wife and two sons.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Zfnr6ZEBAH4oB87VwVhiMC-1280-80.jpg">
                                                            <media:credit><![CDATA[Tom&#039;s Hardware]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Buffalo Thumb Drive]]></media:description>                                                            <media:text><![CDATA[Buffalo Thumb Drive]]></media:text>
                                <media:title type="plain"><![CDATA[Buffalo Thumb Drive]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Zfnr6ZEBAH4oB87VwVhiMC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Industrial & Commercial Bank of China Ltd., which is listed as the world&apos;s largest bank, was recently affected by a crippling ransomware attack. Specifically, the cyberattack targeted its U.S. division, ICBC Financial Services (ICBC FS), based in New York.</p><p>It has been reported that the incident, which disrupted several of the company&apos;s systems responsible for settling financial transactions, impacted the trading of U.S. Treasury securities earlier this week. Instead of settling transactions electronically via secure systems, ICBC FS was forced to rely on messengers carrying USB thumb drives around Manhattan, NY loaded with the settlement details.</p><p>"Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems," said ICBC FS in a <a href="http://www.icbcfs.com/">notice on its website</a>. "ICBC FS has been conducting a thorough investigation and is progressing its recovery efforts with the support of its professional team of information security experts. ICBC FS has also reported this incident to law enforcement."</p><p>With China becoming more tightly interwoven in the U.S. financial sector, disruptions like these are certain to draw a lot of scrutiny. In fact, ICBC is the only Chinese broker with the necessary clearance as a securities broker in the U.S.</p><p>"ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication," added Chinese foreign ministry spokesperson Wang Wenbin in response to the ransomware attack.</p><p>For its part, the U.S. Treasury is monitoring the situation. "We are aware of the cybersecurity issue and are in regular contact with key financial sector participants, in addition to federal regulators. 
We continue to monitor the situation," said a spokesman who <a href="https://www.bloomberg.com/news/articles/2023-11-10/world-s-biggest-bank-forced-to-trade-via-usb-stick-after-hack?leadSource=reddit_wall#xj4y7vzkg">gave a statement to Bloomberg</a>.</p><p>ICBC has not publicly indicated who may have been behind the ransomware attack, but security researchers believe that LockBit is responsible. LockBit has attacked high-profile companies across the globe, including Boeing and the Royal Mail of the U.K. LockBit 3.0 malware was allegedly used in the attack; it is difficult to detect and harden defenses against because "each instance of the malware requires a unique password to run without which analysis is extremely difficult or impossible," <a href="https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html">according to VMware</a>.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1024px;"><p class="vanilla-image-block" style="padding-top:52.34%;"><img id="G6HhqWBXJQas2KZ6XoJDhF" name="Top10_ransomware_23-02-1024x536.png.jpg" alt="Flashpoint" src="https://cdn.mos.cms.futurecdn.net/G6HhqWBXJQas2KZ6XoJDhF.jpg" mos="" align="middle" fullscreen="" width="1024" height="536" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Flashpoint)</span></figcaption></figure><p>Cyber intelligence firm Flashpoint <a href="https://flashpoint.io/blog/lockbit/">reported in July</a> that LockBit is by far the most prolific purveyor of ransomware globally.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers Claim $70 Million Ransomware Attack on TSMC, Hits Supplier Instead ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/hackers-claim-dollar70-million-ransomware-attack-on-tsmc-hits-supplier-instead</link>
                                                                            <description>
                            <![CDATA[ LockBit ransomware group demands $70 million for not disclosing allegedly sensitive TSMC data. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">C3LuF5gs7zPf7nnL7JCKGe</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kbr9DngyGsjQsXPV5EWmnV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 30 Jun 2023 12:44:58 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 08:55:48 +0000</updated>
                                                                                                                                            <category><![CDATA[Semiconductors]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                    <category><![CDATA[Manufacturing]]></category>
                                                                                                <author><![CDATA[ ashilov@gmail.com (Anton Shilov) ]]></author>                    <dc:creator><![CDATA[ Anton Shilov ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/uMZ5kNphxA2Ut6whdLaSQV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Anton Shilov has been in the PC industry since 1990s playing games, building PCs, and writing stories about pretty much everything that relates to PCs, Macs, smartphones, tablets, and even fab equipment. Over his career, he has worked at a variety of high-ranking websites, including AnandTech, EE Times, TechRadar, X-bit labs, and now Tom&#039;s Hardware. When Anton is not reading or writing about something high-tech, he is probably watching a good movie, playing a video game, or spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kbr9DngyGsjQsXPV5EWmnV-1280-80.jpg">
                                                            <media:credit><![CDATA[TSMC]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[TSMC]]></media:description>                                                            <media:text><![CDATA[TSMC]]></media:text>
                                <media:title type="plain"><![CDATA[TSMC]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kbr9DngyGsjQsXPV5EWmnV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The LockBit ransomware group claims it has hacked TSMC, with TSMC stating that one of its suppliers has been breached. The cybercriminals are demanding a ransom of $70 million by August 6 and threaten to leak a considerable amount of sensitive data. TSMC told <a href="https://www.securityweek.com/tsmc-says-supplier-hacked-after-ransomware-group-claims-attack-on-chip-giant/">SecurityWeek</a> that its network had not been breached, but one of its IT hardware suppliers had indeed been hacked.</p><p>"TSMC has recently been [made] aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration," a statement by TSMC sent to <em>Tom&apos;s Hardware</em> reads. "At TSMC, every hardware component undergoes a series of extensive checks and adjustments, including security configurations, before being installed into TSMC’s system. Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any [of] TSMC’s customer information."</p><p>In response to the security breach and in accordance with its security guidelines, TSMC immediately ceased data sharing with the affected supplier. TSMC indicated that this is a routine procedure given the breach. At present, a law enforcement agency is investigating this cybersecurity occurrence.</p><p>"After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the Company&apos;s security protocols and standard operating procedures," the foundry stated. "TSMC remains committed to enhancing the security awareness among its suppliers and making sure they comply with security standards. 
This cybersecurity incident is currently under investigation [and] involves a law enforcement agency."</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:398px;"><p class="vanilla-image-block" style="padding-top:180.90%;"><img id="SDB9DZmtsvUvnKb2sYy8Xd" name="Fz2Z6dwWYAER3aD.jpeg" alt="ransomware" src="https://cdn.mos.cms.futurecdn.net/SDB9DZmtsvUvnKb2sYy8Xd.jpeg" mos="" align="middle" fullscreen="" width="398" height="720" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: @vxunderground/Twitter)</span></figcaption></figure><p>The notorious ransomware group published its initial threat on June 29 and gave TSMC seven days to respond; otherwise, a vast amount of sensitive information would be published. It then extended the &apos;deadline&apos; to August 6. The group published a screenshot containing an @tsmc.com email.</p><p>TSMC claims that it did not fall victim to the cyberattack. The supplier affected by the attack is Kinmax Technology, a Taiwan-based systems integrator specializing in networking, storage, database management and, ironically, security. Kinmax Technology works with various multinational companies, including Cisco, HPE, Microsoft, Citrix, VMware, and Nvidia.</p><p>Kinmax itself claims that while the breach did take place, only its &apos;internal specific testing environment&apos; was attacked, resulting in an information leak. The majority of the data that was exposed was related to the default setup instructions that the company delivers to its clients, according to the system integrator. Kinmax expressed its deepest regrets to the clients impacted because "the leaked data contained customer names, causing potential inconvenience." 
The company claims that it has put stronger security protocols in place to ensure such situations do not arise in the future.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Boot Guard Keys From MSI Hack Posted, Endangering PCs. (Update: Intel Responds) ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/msi-bootguard-keys-leaked-to-internet</link>
                                                                            <description>
                            <![CDATA[ Hackers will be able to sign modified software and firmware and bypass Boot Guard, so please ensure any updates come from official sources. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ETy2bea5ZKp2j4SAtmkAfQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dpFjLAsVbkS3iWdjaCMr3A-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 06 May 2023 17:36:48 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:47:18 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dpFjLAsVbkS3iWdjaCMr3A-1280-80.jpg">
                                                            <media:credit><![CDATA[MSI]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Intel BootGuard keys leaked]]></media:description>                                                            <media:text><![CDATA[Intel BootGuard keys leaked]]></media:text>
                                <media:title type="plain"><![CDATA[Intel BootGuard keys leaked]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dpFjLAsVbkS3iWdjaCMr3A-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Files purloined during the substantial <a href="https://www.tomshardware.com/news/msi-cyberattack-firmware-updates">MSI hack</a> last month have started to proliferate around the dark web. One of the more worrying things spotted among the digital loot is an Intel OEM private key. MSI would have used this to sign its firmware/BIOS updates to pass Intel Boot Guard verification checks. Now hackers can use the key to sign malicious BIOS, firmware and apps, which will look entirely like official MSI releases.</p><p>Update (5/8/2023): Intel has now issued a statement, noting that the keys are generated by the OEM (MSI), not Intel itself.</p><p><em>“Intel is aware of these reports and actively investigating. There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel® BootGuard. It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”</em></p><p>In the wake of being hacked last month, MSI began to <a href="https://www.msi.com/news/detail/MSI-Statement-141688">urge customers</a> to source firmware/BIOS updates exclusively from its official website. The well-known PCs, components and peripherals firm was being extorted by a ransomware group called Money Message. Apparently the extortionists had swiped 1.5TB of data, including various source code files, private keys, and tools to develop firmware. Reports said that Money Message was asking for over four million dollars to return the entirety of the data to MSI. Over a month has passed, and it looks like MSI hasn&apos;t paid up. Therefore, we are now seeing the fallout.</p><p>Intel Boot Guard ensures that PCs can only run verified apps before boot. 
In a <a href="https://www.intel.com/content/dam/www/central-libraries/us/en/documents/below-the-os-security-white-paper.pdf">white paper</a> about &apos;below-the-OS-security&apos; (PDF), Intel talks with some pride about its BIOS Guard, Boot Guard, and Firmware Guard technologies. Boot Guard is a "key element of hardware-based boot integrity that meets the Microsoft Windows requirements for UEFI Secure Boot." Sadly, it is no longer going to be a useful &apos;guard&apos; for a wide range of MSI systems.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1049px;"><p class="vanilla-image-block" style="padding-top:39.75%;"><img id="" name="boot-guard-intel.jpg" alt="Intel Boot Guard, part of Intel Hardware Shield" src="https://cdn.mos.cms.futurecdn.net/oHkMt6MXwSkQMsrH8cPPu9.jpg" mos="" align="middle" fullscreen="1" width="1049" height="417" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Intel Boot Guard, part of Intel Hardware Shield </span><span class="credit" itemprop="copyrightHolder">(Image credit: Intel)</span></figcaption></figure><p>Tweets published by <a href="https://twitter.com/binarly_io/status/1654287041339998208">Binarly</a> (a supply chain security platform) and its founder Alex Matrosov neatly spell out the dangers presented by this leak of Boot Guard keys and other data in the MSI haul. 
A GitHub page linked by Binarly lists the 57 MSI PC systems which have had firmware keys leaked, and the 166 systems which have had Intel Boot Guard BPM/KM keys leaked.</p><p>If you care to look through the lists of affected machines, you will see all the familiar MSI series, such as Sword, Stealth, Creator, Prestige, Modern, Cyborg, Raider, Titan. Owners of these systems with Intel Core 11th Gen Tiger Lake CPUs or newer will have to strictly adhere to MSI-site only updates.</p><p>In addition to the Boot Guard worries, it is possible that hackers will try and phish users into heading to a fake MSI site or downloading fake MSI apps. These apps can now be signed and will appear to genuinely be from MSI, so could execute without triggering your AV.</p><p>This leak has certainly made a mess, and it isn&apos;t clear whether the leaked keys can be revoked, or what the next steps from parties involved will be. At the time of writing we haven&apos;t seen any official reaction from MSI <del>or Intel</del> regarding the files which are now going public. Please avoid checking the stolen files on the dark web or other sources, as they might now be laced with malware. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ SSD Uses AI to Protect Your Data From Ransomware Attacks ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/cigent-secure-ssd-plus-ai</link>
                                                                            <description>
                            <![CDATA[ Cigent Technology, Inc. has announced the Cigent Secure SSD+  with ransomware prevention capabilities. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">RUhoeSqDAKZFQtGM7SPW6X</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/e5jsFDZ6fcMobbM8J7haYA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 25 Apr 2023 19:22:16 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:42:36 +0000</updated>
                                                                                                                                            <category><![CDATA[SSDs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                    <category><![CDATA[Storage]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zhiye Liu ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/HhmwL5w9ggUtLCPfqGjTi4.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Zhiye’s love for PC hardware began when he accidentally set his Pentium P54CS PC on fire, short-circuiting his entire home. From that day on, he has constantly pursued greater hardware knowledge, which ultimately led him from being a power user to a writer at Tom’s Hardware. When Zhiye’s not covering the latest news on CPUs or GPUs, you can find him overclocking RAM to the latest trance hits.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/e5jsFDZ6fcMobbM8J7haYA-1280-80.jpg">
                                                            <media:credit><![CDATA[Cigent® Technology, Inc.]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Cigent Secure SSD+]]></media:description>                                                            <media:text><![CDATA[Cigent Secure SSD+]]></media:text>
                                <media:title type="plain"><![CDATA[Cigent Secure SSD+]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/e5jsFDZ6fcMobbM8J7haYA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cigent Technology, Inc., a specialist in data security, has announced the company&apos;s new lineup of Cigent Secure SSD+ drives. Unlike the company&apos;s <a href="https://www.tomshardware.com/news/phison-cigent-develop-self-protecting-ssds">previous Secure SSD series</a>, the Cigent Secure SSD+ debuts with a unique AI microprocessor that uses machine learning (ML) to stop ransomware attacks and prevent perpetrators from stealing or encrypting the data on the drive.</p><p>The Cigent Secure SSD+ focuses on a prevention-first approach, to impede ransomware attacks before they can do any damage. This means allocating the attack prevention inside the storage itself. The integrated AI microprocessor monitors the SSD&apos;s activity with ML algorithms to fight ransomware attacks. In addition, consumers can tweak the detection sensitivity to their needs to avoid false positives.</p><p>Together with the company&apos;s Cigent Data Defense software, the Secure SSD+ has a couple of protection mechanisms in place once it detects a potential attack. For example, the SSD can go into a "Shields Up" mode, requiring multi-factor authentication (MFA) from users to access protected files. In addition, the software can automatically contain the data on the drive to block any unauthorized access from malware or Windows processes. Alternatively, users can put the drive in read-only mode so attackers can&apos;t modify, erase or encrypt the data for ransom.</p><p>Once an attack is detected, the Cigent Data Defense software gives security personnel a heads-up to activate "Shields Up" on other Cigent-protected systems on the network, even if they don&apos;t house a Secure SSD+.</p><p>The Cigent Secure SSD+ logs all data access to the drive, so it&apos;s nearly impossible for criminals to cover their tracks in an attempt to steal any data. Furthermore, the company has implemented safeguards to prevent bad actors from disabling security controls. 
Additionally, an embedded storage firmware hides the SSD&apos;s data if the Cigent Data Defense software is disabled. Finally, a future update will reportedly prevent criminals from closing, wiping, or accessing the data if the drive is booted from a different operating system.</p><p>There are a few caveats with the Cigent Secure SSD+, though. First, consumers need to install the SSD as the primary drive with the operating system. In its current form, ransomware detection is only available on Windows, although Linux support should arrive soon. Finally, the ML algorithm, although mature, isn&apos;t perfect. So some files may fall victim to ransomware before the protection kicks in.</p><p>The full Cigent Secure SSD+ specifications are unknown at this point. The manufacturer only confirmed that it&apos;s an M.2 2280 drive with a double-sided design. Therefore, the SSD may not fit ultra-thin laptops. The Cigent Secure SSD+ will be available in May 2023, so we should have more information on the performance and pricing very soon.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ MSI Confirms Cyberattack, Advises Caution With Firmware ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/msi-cyberattack-firmware-updates</link>
                                                                            <description>
                            <![CDATA[ MSI confirmed it was the victim of a cyberattack, and is advising customers to only get BIOS updates and firmware from its website. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XgxzyEFGyRSrHy6HE7LjC8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fs8pcgFc5NMrhCVR2Ysz4g-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 07 Apr 2023 14:38:29 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:54:14 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Andrew E. Freedman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/MTveuGNKPqpzrLttEA9ebb.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Andrew oversees laptop and desktop coverage and keeps up with the latest news in tech and gaming. His work has been published in Kotaku, PCMag, Complex, Tom’s Guide and Laptop Mag, among others. He fondly remembers his first computer: a Gateway that still lives in a spare room in his parents&#039; home, albeit without an internet connection. When he’s not writing about tech, you can find him playing video games, checking social media and waiting for the next Marvel movie. Follow him on Threads &lt;a href=&quot;https://www.threads.net/@freedmanae&quot;&gt;@FreedmanAE&lt;/a&gt; and BlueSky &lt;a href=&quot;https://bsky.app/profile/andrewfreedman.net&quot;&gt;@andrewfreedman.net&lt;/a&gt;.&lt;a href=&quot;https://bsky.app/profile/andrewfreedman.net&quot;&gt; &lt;/a&gt;You can send him tips on Signal: andrewfreedman.01&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fs8pcgFc5NMrhCVR2Ysz4g-1280-80.jpg">
                                                            <media:credit><![CDATA[Tom&#039;s Hardware]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[MSI Raider GE78 HX]]></media:description>                                                            <media:text><![CDATA[MSI Raider GE78 HX]]></media:text>
                                <media:title type="plain"><![CDATA[MSI Raider GE78 HX]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fs8pcgFc5NMrhCVR2Ysz4g-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Gaming hardware manufacturer MSI confirmed today that it was the victim of a cyberattack. In a <a href="https://www.msi.com/news/detail/MSI-Statement-141688">brief statement on its website</a>, the company said that the attack hit "part of its information systems," which have since returned to regular operations.<br><br>The company advises its customers only to get BIOS and firmware updates from the MSI website and no other sources. It&apos;s light on details, saying that after "detecting network anomalies," MSI implemented "defense mechanisms and carried out recovery measures," and then informed the government and law enforcement.<br><br>"MSI is committed to protecting the data security and privacy of consumers, employees, and partners, and will continue to strengthen its cybersecurity architecture and management to maintain business continuity and network security in the future," the unsigned blog post reads.<br><br>The post doesn&apos;t mention if customer data was stolen or affected. <em>Tom&apos;s Hardware</em> reached out to MSI but did not hear back in time for publication. In addition, emails to official spokesperson addresses listed on the company&apos;s website bounced.<br><br>The first signs of the cyberattack surfaced yesterday in <a href="https://www.bleepingcomputer.com/news/security/money-message-ransomware-gang-claims-msi-breach-demands-4-million/">a report from <em>BleepingComputer</em></a>, which showed that a ransomware group called Money Message had claimed to have stolen source code, a "framework to develop bios <em>[sic]</em>" and private keys. In addition, the site saw chats that suggested the group claimed to have stolen 1.5TB of data and asked for a ransom payment of over four million dollars. It&apos;s unclear if these are related or if MSI paid a ransom.</p><p>This isn&apos;t the first hardware manufacturer to see this kind of attack in recent memory. 
Just last month, a hacker <a href="https://www.tomshardware.com/news/acer-confirms-breach-hacker-seeks-highest-bidder-for-160gb-of-digital-swag">stole 160GB of data from Acer</a> off of a document server meant for repair technicians. (Acer <a href="60GB of its data stolen">also had 60GB of data stolen in October 2021</a>.)<br><br>In recent years, we&apos;ve seen <a href="https://www.tomshardware.com/news/revil-drops-apple-threat">Quanta</a>, <a href="https://www.tomshardware.com/news/nvidia-cyber-attack-internal">Nvidia</a>, and other major hardware manufacturers investigate potential cyberattacks. Clearly, the desire for bad actors to access data from major hardware vendors, which could then potentially spread into client computers, isn&apos;t going away anytime soon.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Acer Hacker Seeks Highest Bidder for 160GB of Data ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/acer-confirms-breach-hacker-seeks-highest-bidder-for-160gb-of-digital-swag</link>
                                                                            <description>
                            <![CDATA[ Acer has confirmed that data from an internal server has been leaked, after a hacker claimed to have grabbed 160GB of digital swag. Customer data should not be present in this leak. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">UhKp6wV8xpoXnrqejiVw6U</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/XtQUWeXLuvBpZpf8YzRssa-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 08 Mar 2023 15:54:56 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:45:25 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/XtQUWeXLuvBpZpf8YzRssa-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[stock image]]></media:description>                                                            <media:text><![CDATA[stock image]]></media:text>
                                <media:title type="plain"><![CDATA[stock image]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/XtQUWeXLuvBpZpf8YzRssa-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Acer has confirmed that there has recently been unauthorized access to at least one of its internal servers. The confirmation came in a statement sent to <a href="https://www.bleepingcomputer.com/news/security/acer-confirms-breach-after-160gb-of-data-for-sale-on-hacking-forum/">Bleeping Computer</a>, which had enquired about a hacker offering 160GB of “confidential stuff” for sale to the highest bidder.<br><br>The screenshot below shows a forum post by the hacker who claims to have purloined Acer’s data. Acer says the data came from a document server that served as a repair technician resource. However, the hacker claims that there is a range of confidential data now in their hands that doesn’t seem entirely characteristic of the resource Acer describes. For example, repair technicians typically wouldn’t need or have access to data such as “confidential slides/presentations.” However, other stolen data boasted about by the hacker does seem to gel with Acer’s description of the resource, with things like technical manuals, ISO and other software images, product keys, BIOS data, and ROM files in the haul.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1200px;"><p class="vanilla-image-block" style="padding-top:61.75%;"><img id="" name="Acer-hacked-160GB.jpg" alt="Acer data leak - looking for the highest bidder" src="https://cdn.mos.cms.futurecdn.net/7NgsQmhEsFWxNJCkDETou8.jpg" mos="" align="middle" fullscreen="1" width="1200" height="741" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Bleeping Computer)</span></figcaption></figure><p>The 
data was apparently swiped in mid-February of this year. In total, there is said to be 160GB of stolen data up for sale on the web, which consists of 655 directories and 2,869 files. In addition, some data samples were provided to back up the hacker&apos;s claims.</p><p>There has not been a price set for the looted data. For their trouble, the hacker is touting for bids, looking for PMs via the forum shown in the screenshot. A couple of conditions are attached to the ‘auction,’ with an intermediary required for the sale to proceed, and a payment that must be made in the Monero cryptocurrency (XMR).</p><h2 id="no-indication-customer-data-compromised-says-acer">No Indication Customer Data Compromised, Says Acer</h2><p>Acer’s investigation into the admitted breach is still ongoing, but it remains quite sure that there was no customer data stored on the affected server.</p><p>As the fifth largest PC maker in the world, Acer is a big target for hackers, and it seems to have been unlucky in recent years, with over <a href="https://www.tomshardware.com/news/hacker-group-claims-responsibility-for-acer-security-breach-affecting-millions-of-users">60GB of its data stolen</a> in October 2021, and in March of the same year, it paid up $50 million to a ransomware gang that threatened to leak confidential documents. Some may attribute frequent data breaches to carelessness, and such a perception isn’t good for PC and server makers seeking to court and keep enterprise customers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's New 365 Basic Plan: $2 a Month Includes 100GB OneDrive, Ad-Free Outlook ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/microsofts-new-365-basic-plan-dollar2-a-month-includes-100gb-onedrive-ad-free-outlook</link>
                                                                            <description>
                            <![CDATA[ Microsoft 365 Basic sits between Microsoft 365 (Free) and Microsoft 365 Personal, and grants users access to web-based versions of Microsoft's productivity apps, 100GB of OneDrive storage, and advanced security features for $1.99 per month. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">V3cKQVBLhpgEF7sp34sGDb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UYpXtEMeJV6sAPZZXQxiAF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Jan 2023 21:15:10 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:51:37 +0000</updated>
                                                                                                                                            <category><![CDATA[Microsoft Office]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                    <category><![CDATA[Applications]]></category>
                                                                                                <author><![CDATA[ brandon.hill@futurenet.com (Brandon Hill) ]]></author>                    <dc:creator><![CDATA[ Brandon Hill ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/yHeufe7JcvuJBhYPkSexNf.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Brandon&amp;nbsp;has been tinkering with PCs since childhood and received his first &quot;real&quot; PC, an IBM Aptiva 310, in the mid-1990s. He next went on to build his first custom PC with an Intel Celeron 300A processor overclocked to 450MHz on an Abit BH6 motherboard.&amp;nbsp;Brandon&amp;nbsp;has written about PC and Mac tech since the late 1990s, first at AnandTech before moving to DailyTech and later to Hot Hardware. When&amp;nbsp;Brandon&amp;nbsp;is not consuming copious amounts of tech news, he can be found enjoying the NC mountains or the beach with his wife and two sons.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UYpXtEMeJV6sAPZZXQxiAF-1280-80.jpg">
                                                            <media:credit><![CDATA[Microsoft]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft 365]]></media:description>                                                            <media:text><![CDATA[Microsoft 365]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft 365]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UYpXtEMeJV6sAPZZXQxiAF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft <a href="https://www.tomshardware.com/news/microsoft-office-rebrand-microsoft-365">rebranded Office 365 to Microsoft 365</a> in Oct. 2022, part of its effort to slowly take the long-running "Office" brand out of the limelight. At the time, the company didn&apos;t make any significant changes to the subscription tiers or features offered. But that will change later this month with the addition of a new Microsoft 365 Basic tier, which will cost $1.99/month ($19.99/year).</p><p>Microsoft 365 Basic slots between Microsoft 365 (free) and Microsoft 365 Personal ($6.99/month). It replaces the previous 100GB OneDrive storage subscription and adds some perks. Microsoft says customers can expect these features with the new tier:</p><ul><li>100GB cloud storage</li><li>Works on Windows, macOS, iOS, and Android</li><li>Web and mobile versions of Word, Excel, PowerPoint, OneNote, OneDrive, and more</li><li>Ad-free Outlook web and mobile email and calendar with advanced security (data encryption, suspicious link checking, malware scanning for attachments)</li><li>Microsoft technical support</li></ul><p>The extra functionality seems like a nice upgrade for users currently getting by with just the 100GB OneDrive storage tier. In addition, Microsoft says it will add "even better advanced security features" later this year, including shared links that are password-protected, and ransomware recovery.</p><p>While the inclusion of Office is welcome, we should note that this tier only includes the basic, web-based versions of Microsoft&apos;s popular productivity apps, which are available for free. 
To access the "premium" desktop versions of Word, Excel, PowerPoint, and OneNote, you&apos;ll have to step up to Microsoft 365 Personal.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2048px;"><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="" name="Microsoft-365-Consumer-Plans-1.jpg" alt="Microsoft 365" src="https://cdn.mos.cms.futurecdn.net/LfGW8aWB3MvGya7voC8Yk9.jpg" mos="" align="middle" fullscreen="1" width="2048" height="1152" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Microsoft 365 Subscription Plans </span><span class="credit" itemprop="copyrightHolder">(Image credit: Microsoft)</span></figcaption></figure><p>Microsoft was quick to point out that Jan. 29, 2023 marks the 10th anniversary of Office 365. The high-end Office 365 Home Premium subscription initially included only 20GB of cloud storage. Today, the Microsoft 365 Personal tier offers 1TB of OneDrive storage. In addition, the flagship Microsoft 365 Family tier for consumers ($9.99/month) supports up to six people, each with their own 1TB allotment of OneDrive storage.</p><p>Microsoft 365 Basic will be available starting Jan. 30. Current 100GB OneDrive subscribers will automatically be shifted to the newer, more feature-packed tier.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AMD Investigating Alleged 450Gb Data Theft by RansomHouse Extortionists (Update) ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/amd-purportedly-targeted-by-ransomhouse-extortion-group-450gb-of-data-stolen</link>
                                                                            <description>
                            <![CDATA[ The RansomHouse extortion group claims to have 450Gb of stolen AMD data and is charging an unknown ransom. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Wx2ZPq5mUFqTSpxMXZxxzH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4tsjT3aajWJoCJpECpBGQZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 28 Jun 2022 11:08:37 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:53:42 +0000</updated>
                                                                                                                                            <category><![CDATA[CPUs]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                                                                <author><![CDATA[ palcorn@outlook.com (Paul Alcorn) ]]></author>                    <dc:creator><![CDATA[ Paul Alcorn ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/RZRmFeQfPy3etHjBQitbGW.jpeg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;As a teenager, Paul scraped up enough money to buy a 486-powered PC with a turbo button (yes, a turbo button). Back when floppies were still popular he was already chasing after the fastest spinners for his personal computer, which led him down the long and winding storage road, covering enterprise storage. His current focus is on consumer processors, though he still keeps a close eye on the latest storage news. In his spare time, you’ll find Paul hanging out with his kids or indulging his love of the Kansas City Chiefs and Royals.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4tsjT3aajWJoCJpECpBGQZ-1280-80.jpg">
                                                            <media:credit><![CDATA[Fritchenz Frenz]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ryzen die]]></media:description>                                                            <media:text><![CDATA[Ryzen die]]></media:text>
                                <media:title type="plain"><![CDATA[Ryzen die]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4tsjT3aajWJoCJpECpBGQZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1280px;"><p class="vanilla-image-block" style="padding-top:66.64%;"><img id="" name="50210116856_05f7b9c9a7_o.jpg" alt="Ryzen die" src="https://cdn.mos.cms.futurecdn.net/4tsjT3aajWJoCJpECpBGQZ.jpg" mos="" align="middle" fullscreen="1" width="1280" height="853" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Fritchenz Frenz)</span></figcaption></figure><p>RansomHouse, a relatively new extortion group, claims to have "more than 450Gb" of hacked data from AMD, according to a report from <a href="https://restoreprivacy.com/ransomhouse-group-amd-advanced-micro-devices/"><em>Restore Privacy</em></a>. <a href="https://twitter.com/campuscodi/status/1541537953691975682">@campuscodi</a> has also independently posted information about the stolen data. The RansomHouse extortion group claims to not use ransomware or conduct breaches itself — instead, it claims to serve as "professional mediators" for negotiations between attackers and victims to secure payments for stolen data. We reached out to the company, and AMD issued the following statement to <em>Tom&apos;s Hardware</em>:<br><br>"<em>AMD is aware of a bad actor claiming to be in possession of stolen data from AMD. An investigation is currently underway." AMD representative to Tom&apos;s Hardware.</em></p><p><em>Restore Privacy</em> says it has reviewed data posted by RansomHouse that appears to include "network files, system information, as well as AMD passwords." 
However, it isn&apos;t clear yet if that data is genuine, or whether it comes directly from an attack on AMD or one of its subcontractors. As such, the attack remains unverified. </p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">The RansomHouse leak group has claimed today that they have data from chipmaker AMD. Unverified. There were some rumors earlier this year that AMD was hit by ransomware, but they were never confirmed officially confirmed. (via @CSICCybersecur1) pic.twitter.com/gGybb3lwzq <a href="https://twitter.com/campuscodi/status/1541537953691975682">June 27, 2022</a></p></blockquote><div class="see-more__filter"></div></div><p>Expanding the above tweet, you can see the group&apos;s posting on its website. RansomHouse has added AMD to a list of companies that it says "have either considered their financial gain to be above the interests of their partners/individuals who have entrusted their data to them or have chosen to conceal the fact they have been compromised," implying that AMD hasn&apos;t paid a ransom. </p><p>The group claims that AMD used simple passwords like &apos;password&apos; to protect its networks, leading to the breach. RansomHouse&apos;s posting says that AMD&apos;s network was breached on January 5, 2022, and that it is in possession of 450<strong>Gb</strong> of stolen data. Notably, the "Gb" used by the group means 450 gigabits of data, or 56.25 gigabytes (GB). We&apos;re not yet sure if the group has merely misused Gb or if this is the correct value. 
</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">The RansomHouse group claimed on their site that they don't deploy ransomware, so this might be a failed attack where someone is trying to monetize some stolen data. https://t.co/qAwYYPn8W5 <a href="https://twitter.com/campuscodi/status/1541538325391106048">June 27, 2022</a></p></blockquote><div class="see-more__filter"></div></div><p>RansomHouse emerged in December 2021 and <a href="https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/">established an extortion market in May 2022</a>. The group claims the Saskatchewan Liquor and Gaming Authority (SLGA) as its first victim, with other purported victims, like ShopRite, added later. </p><p>News of the attack comes in the wake of the famed &apos;<a href="https://www.tomshardware.com/news/gigabyte-ransomware-hack">Gigabyte Hack</a>&apos; that found 112GB of data stolen from AMD partner Gigabyte. That information was later posted by the RansomEXX hacking group after Gigabyte/AMD apparently refused to pay a ransom. As a result, information about AMD&apos;s forthcoming <a href="https://www.tomshardware.com/news/amd-zen-4-ryzen-7000-release-date-specifications-pricing-benchmarks-all-we-know-specs">Zen 4</a> processors was divulged prior to launch, and it later proved to be genuine information. We&apos;ll update as we learn more about this recent event. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ QNAP Patches Another Vulnerability, Update Your NAS ASAP ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/qnap-php-vulnerability-patched</link>
                                                                            <description>
                            <![CDATA[ A QNAP NAS remote code vulnerability has come to light that's already fixed in the latest firmware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZEfNnMR85JtKziV9NcLGyF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/3AVT6J5xxQTVpkaUrLBTPF-1280-80.jpeg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Jun 2022 15:02:28 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:56:35 +0000</updated>
                                                                                                                                            <category><![CDATA[NAS]]></category>
                                                    <category><![CDATA[PC Components]]></category>
                                                    <category><![CDATA[Storage]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ian Evenden ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/dY5MGBXCT6GV6ARt8oSiSj.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Ian is a UK-based news writer for Tom’s Hardware US. In 1992, he was given a 286-based PC because his parents hoped he’d become a programmer, and was instantly hooked despite the vagaries of MS-DOS. Pretty soon there was a 386 with Windows 3.1, a CD-ROM, and Sound Blaster card under the desk, followed by Pentium II, Athlon, i7 and Threadripper systems, most of which he built himself. After a brief eight-year dalliance with games consoles at Edge magazine, he began contributing to the likes of Maximum PC, PC Gamer, Windows Help and Advice and a few other magazines that have since closed - none of which were directly his fault. His desk today is a riot of PC monitors, Apple products, Raspberry Pi boards, purple unicorns, game controllers and camera lenses. He has no idea about programming.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/3AVT6J5xxQTVpkaUrLBTPF-1280-80.jpeg">
                                                            <media:credit><![CDATA[QNAP]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[QNAP&#039;s TS-h886 NAS]]></media:description>                                                            <media:text><![CDATA[QNAP&#039;s TS-h886 NAS]]></media:text>
                                <media:title type="plain"><![CDATA[QNAP&#039;s TS-h886 NAS]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/3AVT6J5xxQTVpkaUrLBTPF-1280-80.jpeg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>NAS specialist QNAP, whose tribulations we’ve mentioned previously in these pages, has released a high-severity <a href="https://www.qnap.com/en/security-advisory/QSA-22-20" target="_blank">security advisory</a> warning of a flaw that may allow attackers to gain remote code execution privileges on an affected storage device.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1279px;"><p class="vanilla-image-block" style="padding-top:56.29%;"><img id="" name="qnap logo.jpg" alt="The QNAP Logo" src="https://cdn.mos.cms.futurecdn.net/3BKrzv3yempdTgx6a2JWCZ.jpg" mos="" align="middle" fullscreen="" width="1279" height="720" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: QNAP)</span></figcaption></figure><p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11043" target="_blank">The bug</a> is in PHP and affects NAS boxes running QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. It was already patched in QTS 5.0.1.2034 build 20220515 and later, as well as QuTS hero h5.0.0.2069 build 20220614 and later.</p><p>The problem appears to be in the part of PHP that deals with FPM and isn&apos;t a new vulnerability. It&apos;s been known about in theory for three years, but only now has it been shown to be exploitable. FPM is a FastCGI Process Manager that a webserver passes requests to and which can spawn and kill PHP processes as needed. 
If set up in a particular way, this FPM can be manipulated into writing data past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.</p><p>Note that this is totally different from QNAP&apos;s recent unfortunate experience with <a href="https://www.tomshardware.com/news/qnap-asks-nas-users-to-apply-updates-immediately-due-to-deadbolt-ransomware" target="_blank">Deadbolt ransomware</a>. The reason why QNAP, out of all the NAS vendors, appears to have so many problems is that it&apos;s both very popular and takes a conscientious approach to issuing security advisories and deploying patches. Given that the vulnerability hasn&apos;t been patched for all QNAP operating systems yet, it has been assigned the status &apos;Fixing.&apos;</p><p>In the meantime, QNAP recommends users update to the latest firmware for their storage box. This can be done in the system control panel, using the Live Update panel, or by downloading an update file directly from the <a href="https://www.qnap.com/en-us/download" target="_blank">QNAP website</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Foxconn Factory Hit by Ransomware Suffers From Production Impacts  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/foxconn-factory-hit-by-ransomware-suffers-from-production-impacts</link>
                                                                            <description>
                            <![CDATA[ The Lockbit ransomware gang has claimed responsibility for this attack. Foxconn has three plants in Mexico making LCD TVs, set top boxes, and smartphones. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KsX6nnj2pvNMxuEX99pNL7</guid>
                                                                                                                            <pubDate>Thu, 02 Jun 2022 15:22:52 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 09:53:23 +0000</updated>
                                                                                                                                            <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Mark&#039;s enthusiasm for computers dampened at an early age by the rubber-keyed Sinclair Spectrum 48K and feelings of Commodore 64 envy. However, in the mid-80s, hope in a digital future was rekindled by the purchase of an Atari 520 STe. Since that time Mark has used a multitude of computers for fun and professional endeavors. He often owned both Macs and PCs but went cold on the former after OS9 was killed off, and warmed to the latter with the introduction of Windows XP.&lt;br&gt;
&lt;br&gt;
Early work years were spent in artwork and reprographics but in the late noughties, Mark started to blog about computers, Taiwanese food culture, and guitar design. This activity led to a full-time position writing about breaking PC tech news for HEXUS, for the best part of a decade. When HEXUS was abruptly closed, Mark helped with the foundation of Club386, before finding a new home at Tom&#039;s Hardware.&lt;br&gt;
&lt;br&gt;
When not wearing through the keycap legends on his PC keyboards, Mark can be found wandering the computer malls of Taiwan&#039;s neon-lit conurbations and enjoying local and international cuisine.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                                        <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Contract electronics manufacturer Foxconn has confirmed to <a href="https://www.bleepingcomputer.com/news/security/foxconn-confirms-ransomware-attack-disrupted-production-in-mexico/"><em>Bleeping Computer</em></a> that one of its factories in Mexico has fallen victim to cyber criminals. Specifically, a factory located in Tijuana, a critical supply hub for the US, is being extorted by a ransomware gang. The operators behind the Lockbit 2.0 ransomware have claimed responsibility.</p><p>According to reports today, the breach of Foxconn Tijuana systems occurred in late May. A post by the Lockbit group indicates that it has given Foxconn approximately a fortnight to comply with its demands, or it will leak "all available data," that it has purloined from Foxconn servers. The demands of the extortioners haven&apos;t been disclosed.</p><p>As a manufacturing partner to some of the biggest names in tech, Foxconn might hold valuable and sensitive third party data on its systems. This could be a bigger worry for Foxconn than its own proprietary information and records data.</p><p>Foxconn has three factories in Mexico, responsible for the production of electronics goods such as LCD TVs, set top boxes and smartphones. Additionally, Tijuana is a distribution hub for stock going to the USA. A statement <em>Bleeping Computer</em> received from Foxconn said that, since the ransomware attack in late May, a cybersecurity team has been executing a recovery plan and operations are "gradually returning to normal." Overall, the attack has had "little impact on the Group&apos;s overall operation," assured the statement. All affected clients, suppliers, and affected management team members are being kept up to date with the impacts and fallout from the Lockbit attack. It isn&apos;t known whether the Lockbit organization will be enjoying ill-gotten gains from this attack, a ransom payment, or if Foxconn has managed to mitigate the effects independently. 
Of course no firm would want to telegraph the success of a ransomware group, if it were successful.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:668px;"><p class="vanilla-image-block" style="padding-top:79.94%;"><img id="" name="lockbi.jpg" alt="Foxconn Mexico hit by Lockbit" src="https://cdn.mos.cms.futurecdn.net/nrFQBcHNgYtn5kTr37ne5a.jpg" mos="" align="middle" fullscreen="1" width="668" height="534" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Bleeping Computer)</span></figcaption></figure><p>This isn&apos;t the first brush with a major ransomware attack for Foxconn Mexico. Back in 2020 the contract manufacturer was impacted when its Ciudad Juárez factory computer systems fell victim to DoppelPaymer ransomware. A demand for $34 million in Bitcoin accompanied that breach. Earlier this year the Lockbit gang were reportedly trying to extract tens of millions of dollars from tire giant Bridgestone, after <a href="https://www.securityweek.com/ransomware-gang-threatens-leak-files-stolen-tire-giant-bridgestone">infiltrating</a> its computer systems.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ QNAP Asks NAS Users to Apply Updates Immediately Due to Deadbolt Ransomware ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/news/qnap-asks-nas-users-to-apply-updates-immediately-due-to-deadbolt-ransomware</link>
                                                                            <description>
                            <![CDATA[ Users are being asked to avoid exposing their NAS to the internet and to update QTS to the latest version.  Models being targeted by the Deadbolt ransomware are mainly TS-x51 series and TS-x53 series NAS using QTS 4.3.6 and QTS 4.4.1. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xEFnKmAg9QcfwH2cy9eD5h</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/BMTcjF9DVzX4V8q2Bmdm5K-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 19 May 2022 14:49:50 +0000</pubDate>                                                                                                                                <updated>Thu, 21 Aug 2025 12:54:09 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Mark Tyson ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/56vqMYLDaKRHPhHZgbADFR.jpg ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/BMTcjF9DVzX4V8q2Bmdm5K-1280-80.jpg">
                                                            <media:credit><![CDATA[QNAP]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[QNAP NAS]]></media:description>                                                            <media:text><![CDATA[QNAP NAS]]></media:text>
                                <media:title type="plain"><![CDATA[QNAP NAS]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/BMTcjF9DVzX4V8q2Bmdm5K-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>QNAP-branded Network Attached Storage (NAS) device users are being asked to rush to apply patches again. In a <a href="https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-secure-qnap-nas-and-update-qts-to-the-latest-available-version">security bulletin</a> spotted by <a href="https://www.bleepingcomputer.com/news/security/qnap-alerts-nas-customers-of-new-deadbolt-ransomware-attacks/">Bleeping Computer</a>, QNAP NAS users are warned that attacks by bad actors using Deadbolt ransomware have been spotted by the QNAP Product Security Incident Response Team (QNAP PSIRT). The vulnerability being patched could leave you with your files encrypted unless you cough up some Bitcoin for a decryption key.</p><p>According to QNAP, there are two main families of its NAS devices being targeted with the Deadbolt ransomware: the TS-x51 series and TS-x53 series. If the word "main" sounds rather vague, QNAP explains further that the current attack wave is targeting NAS devices using the QTS 4.3.6 and QTS 4.4.1 operating systems. If you are still not quite sure if this affects you, you might as well check and apply any OS updates available anyway. Better safe than sorry. Moreover, QNAP is asking all of its users to "avoid exposing their NAS to the Internet."</p><p>If you are wondering about whether your NAS is exposed to the internet, QNAP provided <a href="https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-update-qts-to-the-latest-available-version-fight-against-ransomware-together">guidance</a> with regard to blocking such remote access back in January, after its last set of warnings about Deadbolt ransomware vulnerabilities. At that time, it recommended users block port forwarding on their home router and disable UPnP in the NAS control panel, as well as toggling off SSH and Telnet connections. 
To use your NAS away from your home intranet, QNAP would prefer you to use your router VPN, if you have one, or to securely access your QNAP NAS via the Internet through the <a href="https://www.qnap.com/go/solution/myqnapcloud-link/">myQNAPcloud Link</a> app.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1138px;"><p class="vanilla-image-block" style="padding-top:58.88%;"><img id="" name="qnap-device-use.jpg" alt="QNAP NAS" src="https://cdn.mos.cms.futurecdn.net/imYTguhCFWYEFjhtn8poyJ.jpg" mos="" align="middle" fullscreen="1" width="1138" height="670" attribution="" endorsement="" class="expandable"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: QNAP)</span></figcaption></figure><p>Those who get their NAS devices infected with Deadbolt ransomware will find it has hijacked their QNAP NAS device login page with a notice about what it has done, and ways to pay to get access to their files returned. Deadbolt will go through your files, encrypting them using the AES128 algorithm and appending .deadbolt extensions to the filenames. To recover your files you will be asked to pay a ransom in a Bitcoin transaction.</p><p>Bleeping Computer reports that Windows users affected by Deadbolt can use a free decryption app, <a href="http://www.emsisoft.com/ransomware-decryption-tools/deadbolt">published</a> by ransomware expert Michael Gillespie. However, NAS users won&apos;t have this option at their disposal and will have to pay up for the decryption key.</p><p>QNAP NAS hack attacks have been in the news often in recent months. 
The two most recent reports concerned the <a href="https://www.tomshardware.com/news/qnap-warning-dirty-pipe">Dirty Pipe</a> Linux exploit, and a <a href="https://www.tomshardware.com/news/cryptojackers-target-qnap-nas-products">cryptojacking</a> malware attack.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>