WELCOME BACK TO DIGITAL BRIDGE. I'm Mark Scott, and this weekend marked May 4th — also known as Star Wars Day, for those who follow such things. This video plays in my head every time I have to explain the Star Wars basics to a non-fan.

For anyone in Brussels on May 15, I'll be co-hosting a tech policy gathering in the EU Quarter. We're running a waiting list, so add your name here and we'll try to open up some more slots.

— The transatlantic relationship on tech is in the worst shape in decades. Here are some ways to improve it — even if wider political tension remain.

— A far-right candidate won the first round of Romania's presidential election. Europe has not responded well to the digital fall-out.

— Media freedom has been significantly curtailed over the last decade amid people's shift toward social media for their understanding of the world.

Let's get started:

LET'S BE CLEAR: THE TRANSATLANTIC RELATIONSHIP on tech is the worst I've seen in 20 years. The White House has already made clear it views European Union digital regulation as akin to protectionist tariffs, as well as an unfair check on free speech. The Berlaymont Building — home to the European Commission — has struggled to secure high-level meetings for its digital officials whenever they've made it to Washington. It also has doubled down on internal efforts to promote European economic interests over those from outside the bloc via public funds dedicated to the next generation of emerging technology.

In short, Brussels and Washington are talking past each other. Even when United States and EU officials disagreed — as they often did — in the past, there was always an informal line of communication between policymakers to ease tensions. That came from individuals, on both sides, who had invested a significant amount of personal capital in building ties with each other. People met at conferences. They swapped cellphone numbers. They built professional, and sometimes personal, relationships with their counterparts in each respective city.

I wouldn't say those networks are completely gone. But they are certainly on life support. It has left the world's two most important democratic powers at a crossroads. And on digital policymaking, I'm seeing more and more signs that the EU and other parts of the democratic world (with the significant exceptions of the United Kingdom and Japan) now willing to distance themselves from their one-time trusted ally.

But after I outlined that theory a couple of weeks ago in Digital Politics, many of you got in touch with a fair criticism. We get things are bad, went the emails. But where are the areas of common ground that can keep the (digital) embers alive — even if the transatlantic fire looks like it's going out?

Fair point. It's easy to criticize. It's harder to offer solutions. So here goes.

First, one chess piece worth taking off the board. In many European capitals, there's a growing interest in working directly with US state leaders, most notably governors who have taken on an increasing leadership position on tech just as Washington has given up that role. I wouldn't put my eggs in that basket — even if that could include working directly with California on areas like artificial intelligence standards and international data flow rules.

Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.

Here's what paid subscribers read in April:
— Why digital services won't be on the front line of the unfolding global trade war; Donald Trump's extension of the TikTok sale/ban doesn't solve any of the underlying problems; How different generations consume online media. More here.
— The idea that any tech giant has a monopoly on social media misunderstands how we all use these platforms; What's behind Brussels' renewed attempt to "streamline" its digital rulebook; Annual corporate investment in AI has grown 13-fold over the last decade. More here.
— Non-US policymakers are seriously considering how to pull back from the US on tech; The transatlantic consensus that Google is a monopoly will have long-term consequences, but it will take time to play out; Digital-focused civil society groups worldwide have been hurt by cuts in US government support. More here.
— Canada's recent election shows the limits on how the online world can shape offline politics; How to understand the European Commission's collective $790 million antitrust fine against Meta and Apple; Brussels will spend $66 million this year to enforce its online safety regime. More here.

As much as many would like to bypass the current situation in Washington (and I mean the wider morass of nothingness on tech, excluding the recent Take it Down Act that will likely be signed by Donald Trump), few, if any, foreign governments are willing to publicly push ahead with such US state-based digital diplomacy out of fear of negating decades-old international norms that national governments speak to other national governments on such foreign policy issues. Basically, working directly with US states is a non-starter for most non-US government officials.

OK, so where can we find common ground? Weirdly, antitrust policy feels like the most secure US-EU digital issue where both sides are forging ahead with a new collective consensus. Yes, the White House may not like the EU's Digital Markets Act (though it has remained mostly quiet about the recent fines against Meta and Apple, respectively.) And yes, many EU competition officials look at the decades of Washington's stalled antitrust investigations into Big Tech as a sign the US is too slow and/or too unwilling to act.

But in the last five years, there's been a growing consensus across the Atlantic that 1) parts of Silicon Valley have abused their market dominance; 2) consumers and smaller rivals have been unfairly affected by those actions; and 3) aggressive antitrust enforcement — including the potential break-up of some of these tech companies — is the only way to re-level the market.

If that doesn't sound like a first step toward a rekindled transatlantic relationship on tech, then I don't know what does.

Next, to the thorniest of topics: platform governance. Trump's aversion to European-style online safety rules is well-known. It was mostly shared by his Republican and Democratic predecessors in the White House. Brussels, too, hates the fact its internal media landscape is dominated by the likes of Instagram and YouTube.

But where both sides equally agree is that more needsto be done to protect minors for online predatory behavior, scams and potentially abusive content algorithms that have led to a series of EU and US efforts aimed at boosting digital child safety. Yes, this is not a like-for-like comparison. Some in the US have given parents too much control over what their kids can see on social media. Some in the EU want to impose age verification standards — in the name of child safety — that would fundamentally undermine how the current internet works.

But the basic premise — that children must be better protected as they navigate the online world — is an issue that both sides of the current transatlantic divide can agree on. What better way to maintain some form of ongoing EU-US relationship on tech?

The third area goes out to all the uber-wonks among us. Washington and Brussels should double down on the geekiest of digital technocratic standards as a means of bridging the political divide. That includes technical discussions that have thrived, for decades, in international and multi-stakeholder organizations like the 3rd Generation Partnership Project, or 3GPP, which sets global standards for telecommunications networks. Yes, I told you this stuff was geeky.

That would allow European and US officials — and, by extension companies — to continue talking, even if their political masters ratchet up the transatlantic trade dispute. It would also provide a greater level of certainty for American and EU businesses to invest in the digital world which is, according to both Brussels and Washington, an ongoing political objective.

So there you have it: competition, child safety and tech standards. Three areas that could be a foundation for ongoing talks and cooperation amid an increasingly geopolitical period. Runners-up tech topics also include: cybersecurity, defense and data flows. If you're interested in me unpacking those, let me know here.

The $64 million question is whether Washington and Brussels are willing and/or able to see beyond their short-term political fight to allow apolitical officials to continue the digital work they've been doing for years.

In normal circumstances, I would certainly hope so. But as anyone who has spent time in either Brussels or Washington this year will attest to, we're not living in normal circumstances. And even the hope of finding non-partisan digital topics upon which the transatlantic relationship can be rekindled feels more like a hope, currently, than a legitimate policymaking objective.

For some bonus content, here are my latest pieces for Tech Policy Press on how the US is pulling back from its global leadership on digital policy and how the EU is embracing its inner Trump, on tech, to Make Europe Great Again.

Chart of the Week

REPORTERS WITHOUT BORDERS, a nonprofit organization, compiles a yearly index that tracks five indicators — security, social, legislative, political and economic — on the health of countries' domestic media ecosystems.

The last decade has not been good. The chart on the left, from 2013, highlights that while the likes of China and Saudi Arabia scored poorly across the board, democratic states — including the majority of Europe and North America — were still viewed as "satisfactory" (the light orange color.)

Fast forward to 2025, and many of those democratic countries, including the US, have fallen (see chart on the right) into the "problematic" category (the dark orange color). That includes many parts of Central and Eastern Europe, too.

Source: World Press Freedom Index

What happened in Romania? Take Two

AS DIGITAL POLITICS WENT TO PRESS on May 4, George Simion, a far-right ultra-nationalist politician, had won the first round of Romania's presidential election. The leader of the anti-vaccine Alliance for the Union of Romanians secured 41 percent of the vote — less than the majority Simion would need to win outright. He will now face a run-off, on May 18, with Nicușor Dan, the mayor of Bucharest, garnered 21 percent of the first round vote.

For the latest on Romania's presidential election, see here, here and here.

The reason Romania is holding a do-over on its presidential election is because of claims, during the previous vote in November, that pro-Russian politician Calin Georgescu unfairly used TikTok to woo voters in his unlikely first-round victory. The ultra-nationalist politician came out of the blue to top the first-round poll, and national regulators accused the China-linked platform of failing to uphold the country's electoral rules.

In an unprecedented step, Romania's intelligence services then released redacted documents (overview here) accusing foreign actors (they didn't mention Russia, but that was the inference) of conducting 85,000 cyberattacks on the country's election infrastructure. They also suggested there was a cross-platform influence operation involving pro-Georgescu Telegram channels that coordinated messages which people could then post to TikTok and Facebook. The spooks said similar tactics had been used in Ukraine — but, again, Moscow was never specifically mentioned in the redacted documents.

Digital Politics now reaches thousands of tech-savvy readers worldwide. If you're interested in sponsoring the newsletter, get in touch here.

Not surprisingly, TikTok pushed back hard against accusations it had any role in Romania's last presidential election. It released a series of cherry-picked reports (see here and here) about how the platform had removed spam accounts, promoted authoritative information to voters and took down waves of false likes and follow requests.

In December, a senior Romanian court annulled Georgescu's presidential first-round win, in part because of the declassified intelligence documents. That same month, the European Commission opened an investigation into TikTok's role in the Romanian vote, focusing on how the tech giant may have failed to mitigate election-related risks. In February, Georgescu was placed under investigation for mostly potential campaign financing irregularities. And in March, he was barred from standing in this week's presidential re-run.

I get it. That's a lot to take in — especially for most of us who are not Romanian politics experts.

But what is central to the wider digital debate is that a presidential election of democratic European country was annulled based on unsubstantiated claims that one of the candidates had unfairly benefited from a social media campaign that, potentially, had ties to Russia. That then led to both domestic and EU investigations into campaign financing irregularities and the role of a foreign-owned social media platform in a European country's nationwide vote.

To date, no one has yet to be convicted of a crime. Brussels has yet to publish any evidence of TikTok's role in allowing a coordinated influence campaign to flourish on its platform ahead of the November election.

If true, both sets of accusations — related to Georgescu's alleged campaign financing issues and TikTok's role in the November presidential election — would be grounds for potentially annulling the first-round presidential election. And there is an argument that given the speed of events, local judges and the European Commission had no choice but to step in, even if no actual evidence had yet to be shown to a court to prove any of the accusations.

But my fear is that in annulling the first round election in November, and then barring Georgescu from standing in this weekend's vote, Romania's court has given ultranationalists and pro-Russian politicians an easy victory in the battle for hearts-and-minds.

Sign up for Digital Politics

Thanks for getting this far. Enjoyed what you've read? Why not receive weekly updates on how the worlds of technology and politics are colliding like never before. The first two weeks of any paid subscription are free.

Subscribe
Email sent! Check your inbox to complete your signup.

No spam. Unsubscribe anytime.

Simion, another far-right ultra-nationalist politician, came first in the latest first-round presidential vote — and was closer to the 50 percent mark to secure an outright victory than many had expected. It's hard to argue there isn't a public groundswell of support for such opinions, now that similar pro-Russian presidential candidates have topped the polls in consecutive votes. And yes, TikTok was used again to communicate with voters. But its role in this weekend's election, based on what has been made public, was not significant compared to other means of reaching would-be supporters.

In jumping headlong into Romania's domestic politics, the European Commission also has over-stepped its role within the bloc's online safety regime, known as the Digital Services Act. Those rules do have a remit when it comes to election-related matters.

But by pulling the emergency cord in response to November's now-annulled election — via its ongoing investigation into TikTok's role in that vote — Brussels has made it easier for critics to claim the EU is willing to use its digital regulation to change voting decisions that officials in Brussels do not agree with.

I get it. That's not what is happening with the ongoing TikTok probe. But the perception for many on the outside is that the European Commission is weaponizing the Digital Services Act as part of efforts to nudge Romanians to vote against pro-Russian, far-right politicians.

That's just not a good look for the 27-country bloc as both domestic and non-EU influencers ramp up claims that Europe's online safety rules are an anti-democratic effort to censor online voices with whom it disagrees.

What I'm reading

— The Future of Privacy Forum breaks down all you need to know about South Korea's new AI regulatory framework. More here.

— Ireland's Data Protection Commission fined TikTok $600 million for failing to protect Europe's data via data transfer to China. TikTok's response here.

— International Association of Privacy Professionals explains why Colorado is reconsidering its approach to regulating artificial intelligence. More here.

— Researchers from the University of Zurich used AI-generated content in online discussions on Reddit to see if such content could change people's minds. The study received significant pushback for failing to gain consent of the people targeted by the AI-generated content. More here and here.

— The DSA40 Data Access Collaboratory published an in-depth FAQ on how Europe's online safety rules allow independent researchers to access platform data. More here.

digitalpolitics.co/newsletter0…

Global ransomware trends and numbers

With the International Anti-Ransomware Day just around the corner on May 12, Kaspersky explores the ever-changing ransomware threat landscape and its implications for cybersecurity. According to Kaspersky Security Network data, the number of ransomware detections decreased by 18% from 2023 to 2024 – from 5,715,892 to 4,668,229. At the same time, the share of users affected by ransomware attacks increased by 0.02 p.p. to 0.44%. This smaller percentage compared to other cyberthreats is explained by the fact that attackers often don’t distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents.

That said, if we look at incidents at organizations requiring immediate incident response services that were mitigated by Kaspersky’s Global Emergency Response Team (GERT), we’ll see that 41.6% of them were related to ransomware in 2024, compared to 33.3% in 2023. Targeted ransomware is likely to remain the primary threat to organizations around the world for the foreseeable future.

Below are some of the global trends that Kaspersky observed with ransomware in 2024.

Ransomware-as-a-Service (RaaS) dominance

The RaaS model remains the predominant framework for ransomware attacks, fueling their proliferation by lowering the technical barrier for cybercriminals. In 2024, RaaS platforms like RansomHub thrived by offering malware, technical support and affiliate programs that split the ransom (e.g., 90/10 for affiliates/core group). This model enables less-skilled actors to execute sophisticated attacks, contributing to the emergence of multiple new ransomware groups in 2024 alone. While traditional ransomware still exists, the scalability and profitability of RaaS make it the primary engine, with platforms evolving to include services such as initial access brokering and data exfiltration, ensuring its dominance into 2025.

Some groups continue to go cross-platform, while Windows remains the primary target

Many ransomware attacks still target Windows-based systems, reflecting the operating system’s widespread use in enterprise environments. The architecture of Windows, combined with vulnerabilities in software such as Remote Desktop Protocol (RDP) and unpatched systems, makes it a prime target for ransomware executables. In recent years, however, some attackers have diversified, with groups like RansomHub and Akira developing variants for Linux and VMware systems, particularly in cloud and virtualized environments. While Windows remains the epicenter, the growing focus on cross-platform ransomware signals a shift toward exploiting diverse infrastructures, especially as organizations adopt hybrid and cloud setups. This is not a new trend, and we expect it to persist in the coming years.

Overall ransomware payments down, average ransom payment up

According to Chainalysis, ransomware payments dropped significantly in 2024 to approximately $813.55 million, down 35% from a record $1.25 billion in 2023. On the other hand, Sophos reports that the average ransom payment surged from $1,542,333 in 2023 to $3,960,917 in 2024, reflecting a trend of targeting larger organizations with higher demands. This report also highlights that more organizations paid ransoms to get their data back, although other reports indicate that fewer organizations paid ransoms than in 2023. For example, according to Coveware, a company that specializes in fighting ransomware, the payment rate hit a record low of 25% in Q4 2024, down from 29% in Q4 2023, driven by law enforcement crackdowns, improved cybersecurity and regulatory pressures discouraging payments.

While encryption remains a core component of many ransomware attacks, the primary goal for some groups has shifted or expanded beyond locking data

In 2024, cybercriminals increasingly prioritized data exfiltration alongside, or sometimes instead of, encryption, focusing on stealing sensitive information to maximize leverage and profits or even extending threats to third parties such as customers, partners, suppliers, etc. Encryption is still widely used, but the rise of double and triple extortion tactics shows a strategic pivot. RansomHub and most modern ransomware groups often combine encryption with data theft, threatening to leak or sell stolen data if a ransom is not paid, making exfiltration a critical tactic.

Dismantled or disrupted ransomware actors in 2024

Several major ransomware groups faced significant disruptions in 2024, though the ecosystem’s resilience limited the long-term impact. LockBit, responsible for 27.78% of attacks in 2023, was hit hard by Operation Cronos in February 2024, with law enforcement seizing its infrastructure, arresting members and unmasking its leader, Dmitry Khoroshev. However, despite these efforts, LockBit relaunched its operations and remained active throughout 2024.

ALPHV/BlackCat, another prolific group, was dismantled after an FBI operation in December 2023, though affiliates migrated to other groups such as RansomHub. The Radar/Dispossessor operation was disrupted by the FBI in August 2024, and German authorities seized 47 cryptocurrency exchanges linked to ransomware laundering. Despite these takedowns, groups like RansomHub and Play quickly filled the void, underscoring the challenge of eradicating ransomware networks. However, according to the latest research, the RansomHub group presumably paused their operations as of April 1, 2025.

Some groups disappear, others pick up their work

When ransomware groups disband or disappear, their tools, tactics and infrastructure often remain accessible in the cybercriminal ecosystem, allowing other groups to adopt and enhance them. For example, groups like BlackMatter or REvil, after facing pressure from law enforcement, saw their code and methods reused by successors like BlackCat, which in turn was followed by Cicada3301. Disappearing groups may also sell their source code, exploit kits or affiliate models on dark web forums, enabling emerging or existing gangs to repurpose these resources. In addition, malicious tools are sometimes leaked to the internet, as was the case with LockBit 3.0. As a result, many smaller groups or individuals unrelated to the ransomware developers, including hacktivists and low-skilled cybercriminals, get hold of these tools and use them for their own purposes. This cycle of knowledge transfer accelerates the evolution of ransomware as new actors build on proven strategies, adapt to countermeasures, and exploit vulnerabilities faster than defenders can respond. In telemetry, these new groups using old toolkits can be identified as old groups (e.g., LockBit).

Ransomware groups increasingly developing their own custom toolkits

This is done to increase the effectiveness of their attacks and avoid detection. These toolkits often include exploitation tools, lateral movement tools, password attack tools, etc. that are tailored to specific targets or industries. By creating proprietary tools, these groups reduce their reliance on widely available, detectable exploits and maintain control over their operations. This in-house development also facilitates frequent updates to counter defenses and exploit new vulnerabilities, making their attacks more resilient and harder for cybersecurity measures to mitigate.

General vs. targeted ransomware share

Targeted ransomware attacks, aimed at specific organizations for maximum disruption and payout, focus on high-value targets such as hospitals, financial institutions and government agencies, leveraging reconnaissance and zero-day exploits for precision. General ransomware, which spreads indiscriminately via phishing or external devices, often affects smaller businesses or individuals with weaker defenses. The focus on targeted attacks reflects cybercriminals’ preference for larger ransoms, though general ransomware persists due to its low-effort, high-volume potential.

According to Kaspersky research, RansomHub was the most active group executing targeted attacks in 2024, followed by Play.

Each group’s share of victims according to its data leak site (DLS) as a percentage of all reported victims of all groups during the period under review (download)

AI tools used in ransomware development (FunkSec)

FunkSec emerged as a ransomware group in late 2024 and quickly gained notoriety, claiming multiple victims in December alone and outpacing established groups like Cl0p and RansomHub. Operating on a Ransomware-as-a-Service (RaaS) model, FunkSec employs a double extortion tactic that combines data encryption with exfiltration. The group targets sectors such as government, technology, finance and education in countries including India, Spain and Mongolia.

FunkSec is notable for its heavy reliance on AI-assisted tools, particularly in malware development. Its ransomware features AI-generated code with comments that are perfect from a language perspective, suggesting the use of large language models (LLMs) to streamline development and evade detection. Unlike typical ransomware groups that demand millions, FunkSec’s ransoms are unusually low, adopting a high-volume, low-cost approach.

Bring Your Own Vulnerable Driver attacks continue

Bring Your Own Vulnerable Driver (BYOVD) is an increasingly prevalent technique used in ransomware attacks to bypass security defenses and gain kernel-level access on Windows systems.

With BYOVD, attackers deploy a legitimate but vulnerable driver – often digitally signed by a trusted vendor or Microsoft – on a target system. These drivers, which operate at the kernel level (ring 0) with high privileges, contain exploitable flaws that allow attackers to disable security tools, escalate privileges or execute malicious code undetected. By leveraging signed drivers, attackers can evade Windows’ default security checks.

Although BYOVD is an advanced technique, there is a range of open-source tools like EDRSandblast and Backstab that lower the technical barriers and simplify such attacks. According to the Living Off The Land Drivers (LOLDrivers) project, hundreds of exploitable drivers are known, highlighting the scale of the problem. Attackers continue to find new vulnerable drivers, and tools like KDMapper allow mapping of unsigned drivers into memory via BYOVD, complicating defenses.

Regional ransomware trends and numbers

Share of users whose computers were attacked by crypto-ransomware, by region. Data from Kaspersky Security Network (download)

In the Middle East and Asia-Pacific regions, ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity. Enterprises in APAC were heavily targeted, driven by attacks on infrastructure and operational technology, especially in countries with growing economies and new data privacy laws.

Ransomware is less prevalent in Africa due to lower levels of digitization and economic constraints, which reduce the number of high-value targets. However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organizations vulnerable, though the smaller attack surface means the region remains behind global hotspots.

Latin America also experiences ransomware attacks, particularly in countries like Brazil, Argentina, Chile and Mexico. Manufacturing, agriculture, and retail, as well as critical sectors such as government and energy are targeted, but economic constraints and smaller ransoms deter some attackers. The region’s growing digital adoption is increasing exposure. For example, NightSpire ransomware compromised Chilean company EmoTrans, a logistics company serving key industries in Chile such as mining, agriculture and international trade. The group first appeared in March 2025, and attacked government institutions, manufacturers and other companies in various parts of the world. Like many other groups, NightSpire uses the double extortion strategy and has its own data leak site (DLS).

The Commonwealth of Independent States (CIS) sees a smaller share of users encountering ransomware attacks. However, hacktivist groups like Head Mare, Twelve and others active in the region often use ransomware such as LockBit 3.0 to inflict damage on target organizations. Manufacturing, government, and retail are the most targeted sectors, with varying levels of cybersecurity maturity across the region affecting security.

Europe is confronted with ransomware, but benefits from robust cybersecurity frameworks and regulations that deter some attackers. Sectors such as manufacturing, agriculture, and education are targeted, but mature incident response and awareness limit the scale of attacks. The region’s diversified economies and strong defenses make it less of a focal point for ransomware groups than regions with rapid, less secure digital growth.

For example, RansomHub claimed responsibility for a 2024 attack on Kawasaki’s European offices, disrupting operations across multiple countries. The breach compromised customer and operational data, affecting supply chains for Kawasaki’s motorcycle and industrial products in Europe. The regional impact was significant in countries such as Germany and the Netherlands, where Kawasaki has a strong market presence, highlighting vulnerabilities in Europe’s manufacturing sector.

Change in the share of users whose computers were attacked by crypto-ransomware, by region, 2024 compared to 2023. Data from Kaspersky Security Network (download)

Emerging threats and future outlook

Looking ahead to 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalizing on the expanding attack surface created by interconnected systems. As organizations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.

Ransomware groups are also likely to escalate their extortion strategies, moving beyond double extortion to more aggressive approaches such as threatening to leak sensitive data to regulators, competitors or the public. The Ransomware-as-a-Service model will continue to thrive, allowing less-skilled actors to launch sophisticated attacks by purchasing access to pre-built tools and exploit kits. Geopolitical tensions may further drive hacktivism and state-sponsored ransomware campaigns targeting critical assets, such as energy grids or healthcare systems, as part of hybrid warfare. Smaller organizations with limited cybersecurity budgets will face heightened risks as attackers exploit their weaker defenses. To adapt, businesses must adopt zero-trust security models, secure IoT ecosystems and prioritize employee training to mitigate phishing and social engineering threats.

The proliferation of large language models (LLMs) tailored for cybercrime will further amplify ransomware’s reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less-skilled actors to craft highly convincing lures or automate ransomware deployment. As more innovative concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use them to automate their attacks as well as new code development, making the ransomware threat even more prevalent.

Recommendations

To effectively counter ransomware in 2025, organizations and individuals must adopt a multi-layered defense strategy that addresses the evolving tactics of groups like FunkSec, RansomHub and others that leverage AI, Bring Your Own Vulnerable Driver (BYOVD) and double extortion.

Prioritize proactive prevention through patching and vulnerability management. Many ransomware attacks exploit unpatched systems, so organizations should implement automated patch management tools to ensure timely updates for operating systems, software and drivers. For Windows environments, enabling Microsoft’s Vulnerable Driver Blocklist is critical to thwarting BYOVD attacks. Regularly scan for vulnerabilities and prioritize high-severity flaws, especially in widely used software like Microsoft Exchange or VMware ESXi, which were increasingly targeted by ransomware in 2024.

Strengthen endpoint and network security with advanced detection and segmentation. Deploy robust endpoint detection and response solutions such as Kaspersky NEXT EDR to monitor for suspicious activity like driver loading or process termination. Network segmentation is equally important – limit lateral movement by isolating critical systems and using firewalls to restrict traffic. Implement a zero-trust architecture that requires continuous authentication for access.

Invest in backups, training and incident response planning. Maintain offline or immutable backups that are tested regularly to ensure rapid recovery without paying a ransom. Backups should cover critical data and systems and be stored in air-gapped environments to resist encryption or deletion. User education is essential to combat phishing, which remains one of the top attack vectors. Conduct simulated phishing exercises and train employees to recognize AI-crafted emails used by FunkSec and others for stealth. Kaspersky GERT can help develop and test an incident response plan to minimize potential downtime and costs.

The recommendation to not pay a ransom remains robust, especially given the risk of unavailable keys due to dismantled infrastructure, affiliate chaos or malicious intent, as seen in the 2024 disruptions. By investing in backups, incident response and preventive measures like patching and training, organizations can avoid funding criminals and mitigate the impact. Kaspersky also offers free decryptors for certain ransomware families. If you get hit by ransomware, check to see if there is a decryptor available for the ransomware family used in your case. Note that even if one isn’t available right now, it may be added later.

securelist.com/state-of-ransom…

Not too long ago, I was searching for ideas for the next installment of the “Big Chemistry” series when I found an article that discussed the world’s most-produced chemicals. It was an interesting article, right up my alley, and helpfully contained a top-ten list that I could use as a crib sheet for future articles, at least for the ones I hadn’t covered already, like the Haber-Bosch process for ammonia.

Number one on the list surprised me, though: sulfuric acid. The article stated that it was far and away the most produced chemical in the world, with 36 million tons produced every year in the United States alone, out of something like 265 million tons a year globally. It’s used in a vast number of industrial processes, and pretty much everywhere you need something cleaned or dissolved or oxidized, you’ll find sulfuric acid.

Staggering numbers, to be sure, but is it really the most produced chemical on Earth? I’d argue not by a long shot, when there’s a chemical that we make 4.4 billion tons of every year: Portland cement. It might not seem like a chemical in the traditional sense of the word, but once you get a look at what it takes to make the stuff, how finely tuned it can be for specific uses, and how when mixed with sand, gravel, and water it becomes the stuff that holds our world together, you might agree that cement and concrete fit the bill of “Big Chemistry.”

Rock Glue

To kick things off, it might be helpful to define some basic terms. Despite the tendency to use them as synonyms among laypeople, “cement” and “concrete” are entirely different things. Concrete is the finished building material of which cement is only one part, albeit a critical part. Cement is, for lack of a better term, the glue that binds gravel and sand together into a coherent mass, allowing it to be used as a building material.
What did the Romans ever do for us? The concrete dome of the Pantheon is still standing after 2,000 years. Source: Image by Sean O’Neill from Flickr via Monolithic Dome Institute (CC BY-ND 2.0)
It’s not entirely clear who first discovered that calcium oxide, or lime, mixed with certain silicate materials would form a binder strong enough to stick rocks together, but it certainly goes back into antiquity. The Romans get an outsized but well-deserved portion of the credit thanks to their use of pozzolana, a silicate-rich volcanic ash, to make the concrete that held the aqueducts together and built such amazing structures as the dome of the Pantheon. But the use of cement in one form or another can be traced back at least to ancient Egypt, and probably beyond.

Although there are many kinds of cement, we’ll limit our discussion to Portland cement, mainly because it’s what is almost exclusively manufactured today. (The “Portland” name was a bit of branding by its inventor, Joseph Aspdin, who thought the cured product resembled the famous limestone from the Isle of Portland off the coast of Dorset in the English Channel.)

Portland cement manufacturing begins with harvesting its primary raw material, limestone. Limestone is a sedimentary rock rich in carbonates, especially calcium carbonate (CaCO₃), which tends to be found in areas once covered by warm, shallow inland seas. Along with the fact that limestone forms between 20% and 25% of all sedimentary rocks on Earth, that makes limestone deposits pretty easy to find and exploit.

Cement production begins with quarrying and crushing vast amounts of limestone. Cement plants are usually built alongside the quarries that produce the limestone or even right within them, to reduce transportation costs. Crushed limestone can be moved around the plant on conveyor belts or using powerful fans to blow the crushed rock through large pipes. Smaller plants might simply move raw materials around using haul trucks and front-end loaders. Along with the other primary ingredient, clay, limestone is stored in large silos located close to the star of the show: the rotary kiln.

Turning and Burning

A rotary kiln is an enormous tube, up to seven meters in diameter and perhaps 80 m long, set on a slight angle from the horizontal by a series of supports along its length. The supports have bearings built into them that allow the whole assembly to turn slowly, hence the name. The kiln is lined with refractory materials to resist the flames of a burner set in the lower end of the tube. Exhaust gases exit the kiln from the upper end through a riser pipe, which directs the hot gas through a series of preheaters that slowly raise the temperature of the entering raw materials, known as rawmix.
The rotary kiln is the centerpiece of Portland cement production. While hard to see in this photo, the body of the kiln tilts slightly down toward the structure on the left, where the burner enters and finished clinker exits. Source: by nordroden, via Adobe Stock (licensed).
Preheating the rawmix drives off any remaining water before it enters the kiln, and begins the decomposition of limestone into lime, or calcium oxide:

The rotation of the kiln along with its slight slope results in a slow migration of rawmix down the length of the kiln and into increasingly hotter regions. Different reactions occur as the temperature increases. At the top of the kiln, the 500 °C heat decomposes the clay into silicate and aluminum oxide. Further down, as the heat reaches the 800 °C range, calcium oxide reacts with silicate to form the calcium silicate mineral known as belite:

Finally, near the bottom of the kiln, belite and calcium oxide react to form another calcium silicate, alite:

It’s worth noting that cement chemists have a specialized nomenclature for alite, belite, and all the other intermediary phases of Portland cement production. It’s a shorthand that looks similar to standard chemical nomenclature, and while we’re sure it makes things easier for them, it’s somewhat infuriating to outsiders. We’ll stick to standard notation here to make things simpler. It’s also important to note that the aluminates that decomposed from the clay are still present in the rawmix. Even though they’re not shown in these reactions, they’re still critical to the proper curing of the cement.
Portland cement clinker. Each ball is just a couple of centimeters in diameter. Source: مرتضا, Public domain
The final section of the kiln is the hottest, at 1,500 °C. The extreme heat causes the material to sinter, a physical change that partially melts the particles and adheres them together into small, gray lumps called clinker. When the clinker pellets drop from the bottom of the kiln, they are still incandescently hot. Blasts of air that rapidly bring the clinker down to around 100 °C. The exhaust from the clinker cooler joins the kiln exhaust and helps preheat the incoming rawmix charge, while the cooled clinker is mixed with a small amount of gypsum and ground in a ball mill. The fine gray powder is either bagged or piped into bulk containers for shipment by road, rail, or bulk cargo ship.

The Cure

Most cement is shipped to concrete plants, which tend to be much more widely distributed than cement plants due to the perishable nature of the product they produce. True, both plants rely on nearby deposits of easily accessible rock, but where cement requires limestone, the gravel and sand that go into concrete can come from a wide variety of rock types.

Concrete plants quarry massive amounts of rock, crush it to specifications, and stockpile the material until needed. Orders for concrete are fulfilled by mixing gravel and sand in the proper proportions in a mixer housed in a batch house, which is elevated above the ground to allow space for mixer trucks to drive underneath. The batch house operators mix aggregate, sand, and any other admixtures the customer might require, such as plasticizers, retarders, accelerants, or reinforcers like chopped fiberglass, before adding the prescribed amount of cement from storage silos. Water may or may not be added to the mix at this point. If the distance from the concrete plant to the job site is far enough, it may make sense to load the dry mix into the mixer truck and add the water later. But once the water goes into the mix, the clock starts ticking, because the cement begins to cure.

youtube.com/embed/mJyUUnjih1k?…

Cement curing is a complex process involving the calcium silicates (alite and belite) in the cement, as well as the aluminate phases. Overall, the calcium silicates are hydrated by the water into a gel-like substance of calcium oxide and silicate. For alite, the reaction is:

Scanning electron micrograph of cured Portland cement, showing needle-like ettringite and plate-like calcium oxide. Source: US Department of Transportation, Public domain
At the same time, the aluminate phases in the cement are being hydrated and interacting with the gypsum, which prevents early setting by forming a mineral known as ettringite. Without the needle-like ettringite crystals, aluminate ions would adsorb onto alite and block it from hydrating, which would quickly reduce the plasticity of the mix. Ideally, the ettringite crystals interlock with the calcium silicate gel, which binds to the surface of the sand and gravel and locks it into a solid.

Depending on which adjuvants were added to the mix, most concretes begin to lose workability within a few hours of rehydration. Initial curing is generally complete within about 24 hours, but the curing process continues long after the material has solidified. Concrete in this state is referred to as “green,” and continues to gain strength over a period of weeks or even months.

hackaday.com/2025/05/07/big-ch…

È tornato quel periodo dell'anno in cui tocca affrontare la #dichiarazioneprecompilata2025
Ne approfitto volentieri per riproporre questo articolo, che mi è già tornato utile l'anno scorso
cavallette.noblogs.org/2024/05…

#5x1000 #5xmille

Mi sono appena comprato due chiavette USB, in metallo, bellissime, ho speso 25 euro, sono felicissimo. Due chiavette che rappresentano il completamento di un progetto di archiviazione dei miei documenti a cui ho lavorato per ore la settimana scorsa.

So che non state nella pelle, volete sapere tutto, ve lo leggo negli occhi, e quindi ve lo spiego.

Allora... tutto è nato da questa cosa che mi ha preso di volermi liberare dalla dipendenza dalle Big Tech.

Prima archiviavo molta roba su Google Drive poi ho deciso che potevo farne a meno per tutte le cose importanti e continuare a usarlo solo per le sciocchezzine.

Prima cosa, ho classificato i miei documenti in due categorie: da una parte i documenti che voglio avere sempre a portata di mano (sono pochi) e dall'altra tutti gli altri (e sono tanti), cioè quelli che voglio conservare ma che non mi importa di avere sempre a portata di mano.

Per i primi ho installato Nextcloud sul mio sito, così mi sono fatto una specie di Google Drive a cui posso accedere ovunque io sia ma dove è tutto sotto il mio controllo e tutto open source. Questa soluzione non potevo usarla per tutti i documenti perché avrei dovuto fare un contratto di livello superiore per aumentare lo spazio disco a disposizione del mio sito ma è adattissima per i documenti che voglio avere sempre a portata di mano, che come dicevo sono pochi.

Per i secondi ho deciso di usare una chiavetta USB come archivio e un'altra come suo backup. Una me la porto sempre dietro, così posso aggiungere documenti quando capita, indifferentemente dal fatto che sia in ufficio o a casa, e l'altra la tengo a casa al sicuro da perdite accidentali. Su questa chiavetta ci sta un quantità di documenti che è milioni di volte superiore a quelli che ho al momento, quindi direi che per un po' sono a posto.

Per proteggermi dal rischio che una chiavetta finisse in mani sconosciute (metti che la perdo...) ho deciso di cifrarle entrambe con BitLocker: è un prodotto per Windows ma ho visto che viene gestito perfettamente anche dal mio PC di casa, che ha Linux (Ubuntu Studio).

E adesso Larry Page e Sergey Brin (che mi risultano essere tutt'ora azionisti di maggioranza di Google) possono annunciare il loro supporto a qualunque aspirante dittatore del mondo e 30 secondi dopo io posso staccare la spina.

😁 😁 😁

Con il documento ProtectEU (disponibile in italiano qui eur-lex.europa.eu/legal-conten… ) la Commissione Europea affronta la strategia dell'Unione Europea per contrastare le minacce alla sicurezza interna ed esterna, promuovendo un approccio integrato e multilaterale che coinvolga tutti i settori della società.
Mira a garantire il rispetto dello Stato di diritto e dei diritti fondamentali, mentre si sviluppano misure per migliorare la sicurezza, combattere la criminalità organizzata e il terrorismo, e rafforzare la cooperazione tra Stati membri. Infine, il documento intende promuovere una nuova cultura della sicurezza nell'UE, integrando considerazioni di sicurezza in tutte le politiche e legislazioni.
Le principali minacce alla sicurezza interna ed esterna dell'UE includono la criminalità organizzata, il terrorismo, le campagne ibride condotte da attori statali come la Russia, e le ingerenze elettorali. Inoltre, ci sono minacce legate al sabotaggio delle infrastrutture critiche, attacchi informatici, disinformazione e l'uso della migrazione come arma. La guerra di aggressione russa contro l'Ucraina e i conflitti in altre regioni del mondo hanno ulteriormente aggravato la situazione di sicurezza.

L'UE intende affrontare le minacce ibride e la guerra aperta rafforzando la resilienza delle infrastrutture critiche, migliorando la cibersicurezza e garantendo la sicurezza dei nodi di trasporto e dei porti.
Sarà promossa la cooperazione con partner internazionali e l'implementazione di strumenti esistenti per prepararsi e rispondere a tali minacce. Inoltre, l'UE si concentrerà su un approccio unitario alla sicurezza interna, integrando le politiche di sicurezza esterna e interna.
La Commissione intende adottare misure come l'elaborazione di analisi periodiche delle minacce per orientare le politiche di sicurezza interna e migliorare la condivisione di intelligence tra Stati membri e agenzie dell'UE.
L'Unione Europea intende affrontare il traffico illecito e la criminalità organizzata attraverso l'adozione di norme più rigorose e un quadro giuridico rinnovato per potenziare la risposta della giustizia penale. Sarà promossa una strategia dell'UE in materia di droghe e una nuova strategia per la lotta alla tratta di esseri umani, con un focus sulla prevenzione e sul supporto alle vittime. Inoltre, si prevede di migliorare la cooperazione tra Stati membri e agenzie come Europol ed Eurojust, e di monitorare i profitti della criminalità organizzata per bloccare l'accesso alle fonti di finanziamento.

Sarà potenziato il mandato di Europol per trasformarlo in una forza di polizia operativa e verranno sviluppati nuovi strumenti per il contrasto alla criminalità e al terrorismo. Inoltre, si prevede di rafforzare la cooperazione con paesi partner e migliorare la sicurezza delle frontiere esterne.
Gli obiettivi della nuova agenda globale antiterrorismo dell'Unione includono la prevenzione della radicalizzazione sia offline che online, la protezione dei cittadini e degli spazi pubblici dagli attacchi, e la risposta efficace agli attacchi quando si verificano. Inoltre, si mira a bloccare i canali di finanziamento del terrorismo e a sviluppare strumenti per anticipare le minacce.
Infine, è previsto un programma di cooperazione con i Balcani occidentali per affrontare insieme il terrorismo e l'estremismo violento.
L'UE prevede di utilizzare un nuovo sistema per monitorare i profitti della criminalità organizzata e il finanziamento del terrorismo, oltre a norme più rigorose per contrastare le reti criminali. Sarà rafforzata la cooperazione operativa tra Stati membri, Europol, Eurojust e altre agenzie, e verranno implementate nuove norme antiriciclaggio. Inoltre, si intende migliorare l'accesso legale ai dati cifrati per le autorità di contrasto, mantenendo la cibersicurezza e i diritti fondamentali.

#protectEU #Commissioneeuropea #europol #UE

@Attualità

L’11 aprile i ministeri dell’Interno e della Salute hanno inviato una circolare alle prefetture e alle forze dell’ordine per chiarire come vanno applicate le regole del nuovo codice della strada approvato lo scorso novembre dal parlamento: la circolare è all’apparenza tecnica, ma in realtà sconfessa l’impostazione del ministero dei Trasporti e del ministro Matteo Salvini, che aveva introdotto sanzioni per chi fa uso di sostanze stupefacenti a prescindere dagli effetti sulla capacità di guidare.

Purtroppo però...

Gli esiti dei procedimenti dipenderanno da come i giudici interpreteranno la legge, che non è cambiata e ha un valore superiore alle circolari

In pratica: Salvini scrive fesserie, i suoi alleati cercano di metterci una pezza ma le leggi valgono più delle pezze, anche quando le leggi le fa Salvini.

ilpost.it/2025/05/07/circolare…

Il progetto SAFE, sostenuto da UNODC (United Nations Office on Drugs and Crime), FAO ((Food and Agriculture Organization) Istituzione tecnica specializzata delle Nazioni Unite) e UE (Unione Europea), mira a mitigare il rischio di pandemie future attraverso la gestione delle strutture di fauna selvatica.
L'obiettivo principale del progetto SAFE è mitigare la probabilità di future pandemie, concentrandosi sul miglioramento delle normative e delle condizioni delle strutture di fauna selvatica in cattività. Il progetto mira a ridurre i rischi associati a queste strutture per informare e sviluppare pratiche e politiche migliori, oltre a promuovere la cooperazione regionale per una migliore prevenzione delle pandemie.
Illusra il progetto una recente pubblicazione: "PREVENTING THE NEXT PANDEMIC: STRENGTHENING BIOSAFETY AND BIOSECURITY IN ASEAN CAPTIVE WILDLIFE FACILITIES", curata da UNODC, FAO e UE, che è reperibile [en] a questo link unodc.org/res/environment-clim… e che si focalizza sugli interventi possibili in ambito territoriale asiatico.

La pandemia di COVID-19 ha evidenziato la vulnerabilità globale alle malattie zoonotiche. Le attività umane, come il commercio di fauna selvatica, aumentano il rischio di spillover di patogeni.

Alcuni esempi di specie di fauna selvatica in cattività nel sud-est asiatico includono macachi, civette e ratti di bambù. Queste specie sono spesso tenute in condizioni che possono aumentare il rischio di trasmissione di patogeni zoonotici. I rischi associati alle strutture di fauna selvatica in cattività includono la possibilità di spillover di patogeni zoonotici, condizioni igieniche inadeguate che favoriscono la trasmissione e la mutazione dei patogeni, e la presenza di un gran numero di animali in spazi ristretti. Questi fattori possono compromettere la salute pubblica e aumentare il rischio di epidemie o pandemie.

Due iniziative globali che possono essere adottate per affrontare i rischi delle operazioni commerciali di fauna selvatica sono il Progressive Management Pathway for Terrestrial Animal Biosecurity (FAO-PMP-TAB) e il Sustainable Wildlife Management (SWM) Programme. Il primo mira a rafforzare la biosecurity lungo le catene di valore degli animali, mentre il secondo si concentra sulla conservazione della fauna selvatica e sulla sicurezza alimentare, migliorando le pratiche di gestione e riducendo la domanda di carne di selvaggina.

È necessaria una cooperazione internazionale per affrontare le sfide legate alle malattie zoonotiche, poiché queste non sono solo questioni locali o nazionali, ma richiedono un approccio globale. Le riforme normative devono includere l'allineamento delle politiche nazionali e sub-nazionali con l'approccio One Health, migliorando la biosicurezza e le misure sanitarie nelle strutture di fauna selvatica. Inoltre, è fondamentale rafforzare la condivisione dei dati in tempo reale e la collaborazione tra agenzie e istituzioni pertinenti.

In ambito di cooperazione internazionale, le attività giudiziarie e di polizia possono includere l'implementazione di operazioni congiunte per combattere il traffico di fauna selvatica, la condivisione di informazioni e intelligence tra le forze dell'ordine di diversi paesi, e l'armonizzazione delle leggi e delle normative relative alla protezione della fauna selvatica. Inoltre, possono essere organizzati corsi di formazione e workshop per migliorare le capacità investigative e di enforcement delle autorità locali. Queste misure aiutano a garantire una risposta coordinata e efficace contro i crimini ambientali e le malattie zoonotiche.

#SAFE #UNODC #FAO #UE #COMMERCIODIFAUNASELVATICA
@Ambiente