Back in April, District Court Judge Yvonne Gonzalez Rogers delivered a scathing judgment finding that Apple was in “willful violation” of her 2021 injunction intended to open up iOS App Store payments. That contempt of court finding has now been almost entirely upheld by the Ninth Circuit Court of Appeals, a development that Epic Games’ Tim Sweeney tells Ars he hopes will “do a lot of good for developers and start to really change the App Store situation worldwide, I think.”

The ruling, signed by a panel of three appellate court judges, affirmed that Apple’s initial attempts to charge a 27 percent fee to iOS developers using outside payment options “had a prohibitive effect, in violation of the injunction.” Similarly, Apple’s restrictions on how those outside links had to be designed were overly broad; the appeals court suggests that Apple can only ensure that internal and external payment options are presented in a similar fashion.

The appeals court also agreed that Apple acted in “bad faith” by refusing to comply with the injunction, rejecting viable, compliant alternatives in internal discussions. And the appeals court was also not convinced by Apple’s process-focused arguments, saying the district court properly evaluated materials Apple argued were protected by attorney-client privilege.

Read full article

Comments

© Getty Images

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

In a major cross-border operation targeting the financial backbone of digital piracy, Europol has successfully tracked down cryptocurrency valued at approximately $55 million (over €47 million) linked to a network of illicit streaming and intellectual property (IP) infringement services.

The revelation comes from Europol's "Intellectual Property Crime Cyber-Patrol Week," an intensive five-day operation held between November 10 and 14 in collaboration with the European Union Intellectual Property Office (EUIPO) and the Spanish National Police (Policía Nacional).

The Crypto Counter-Strategy

The operation’s core focus was confronting the growing trend of digital criminals abandoning traditional banking methods in favor of cryptocurrency payments. Illicit service operators incorrectly believe crypto offers a shield of anonymity, but investigators successfully turned this method against them.

The key innovation in the cyber-patrol was a sophisticated counter-strategy: investigators made cryptocurrency purchases of the illegal services themselves. This step allowed them to lift the veil on the illicit actors, identify the associated crypto accounts, and trace the flow of funds.

"This approach allows to hit ‘pirates’ ... where it hurts them the most: their money," Europol stated. By identifying, tracing, and successfully shutting down these crypto accounts, authorities aim for a direct hit on the criminal revenue stream—a method deemed vital for protecting global economies and creators.

Also read: Europol and Law Enforcement Crack Down on Multimillion-Euro Phishing Gang

Massive Scope of the Crackdown on Digital Piracy

The coordinated effort, involving 30 investigators in Alicante, Spain, utilized advanced Open-Source Intelligence Techniques (OSINT) and cutting-edge online investigative tools.

The resulting disruption has been substantial:

• 69 sites were identified and targeted.

• 25 illicit IPTV services were immediately referred to partnering crypto service providers and major exchanges for disruption.

• The 69 targeted sites alone are estimated to draw a combined traffic of over 11.8 million annual visitors, highlighting the sheer scale of the digital black market being addressed.

While the operation resulted in immediate action, investigations on 44 additional sites remain ongoing by both public and private entities, signaling a sustained campaign against these revenue-generating piracy models.

Also read: Europol Issues Public Alert: ‘We Will Never Call You’ as Phone and App Scams Surge

Paying attackers a ransom to recover from ransomware attacks fails 41% of the time, and even when recovery keys work, ransomware victims don’t always recover all of their data. That’s one of the findings from cyber insurer Hiscox’s Cyber Readiness Report 2025, which is based on interviews with 5,750 organizations in seven countries. The report found that 27% of those organizations had experienced a ransomware attack in the preceding 12 months. Among the organizations that paid a ransom, 60% recovered “some or all of their data,” the report said, but 41% “were given a recovery key, but still had to rebuild their systems.” It gets worse. For 31% of ransomware victims who paid a ransom, attackers demanded more money, the report found. And additional attacks were sustained by 27% of those who paid a ransom, “though not necessarily an attack from the same entity.” “No company enjoys rewarding bad players for hijacking their data, but when it comes to ransomware attacks, it is common for organisations to make every effort to recover what could be lost,” Hiscox said. “That includes paying the ransom where that is demanded.” “Paying a ransom does not always solve the problem,” the report noted.

IoT Devices Most Common Attack Vector

Vulnerabilities are a key initial attack vector noted by the report. Internet of Things (IoT) devices owned by the organizations were the most common point of entry for cyberattacks (33%), followed by supply chain vulnerabilities (28%), and cloud-based corporate servers (27%). AI tools and software were attackers’ initial point of entry for 15% of organizations. Ransomware victims aren’t the only ones at risk of multiple cyberattacks, as the report found that one cyberattack significantly raise the risk for multiple cyberattacks. Of the organizations surveyed, 59% had experienced at least one cyberattack in the preceding 12 months. Among those organizations, larger companies or those with higher revenue were more likely to experience additional incidents. Companies with more than $1 million in revenue that had experienced an attack in the last year had more averaged six cyberattacks, compared to four for those businesses with less than $1 million in revenue. Businesses with 50-249 employees had an average of seven attacks in the last year compared to companies with 11-49 employees, which averaged five attacks. Nonprofits were the hardest hit sector, averaging eight incidents, while organizations in the chemical, property, and media sectors averaged three cyberattacks.

Most Favor Ransomware Payment Disclosure

The report noted that a new law in Australia requires companies to disclose the amount of ransoms paid, and 71% of respondents agree that such disclosures should be mandatory. However, 53% believe that private companies should not be obligated to disclose ransomware payments. While the report paints a challenging picture for cybersecurity defenders, there was one bright spot: 83% of respondents reported improved cyber resilience at their company in the last 12 months.

Fewer organizations are paying the ransom when confronted with a ransomware attack – but those that do make ransomware payments are paying much more. That’s one of the takeaways from ExtraHop’s new 2025 Global Threat Landscape Report, which also looked at the riskiest attack surfaces, dwell times, initial attack vectors, and more. The report, which the NDR vendor conducted with Censuswide, is based on a July 2025 survey of 1,800 security and IT decision-makers in midsize and large organizations in seven countries.

Average Ransom Payment Tops $3.6 Million

The survey found that while organizations are experiencing fewer ransomware incidents – and fewer are paying ransoms – those organizations that do pay are paying $1.1 million more than they did last year, up from $2.5 million to more than $3.6 million, an increase of more than 40%. While 70% of respondents said their organization paid a ransom, there was an overall decline in the number of ransomware payments for the first time, and the number of organizations that say that they didn’t pay a ransom tripled from 9% last year to 30% this year. Also on the plus side, the organizations overall reported fewer ransomware incidents, with their organizations experiencing between five and six ransomware incidents each within the previous 12 months, down roughly 25% from nearly eight incidents in 2024. However, the percentage of organizations hit with 20 or more ransomware incidents tripled, rising to 3% year-over-year. Healthcare and government organizations were among those facing a greater number of attacks. Cyble’s ransomware data, which is based on ransomware group claims on their dark web data leak sites, show that ransomware attacks are up 50% so far this year from the same period of 2024. The average ransom amount varied by country, with UAE organizations, for example, facing an average of seven ransomware incidents, with paid ransoms averaging $5.4 million. Australia organizations, on the other hand, experienced the fewest ransomware incidents in the report, averaging just four per year, and ransomware payments averaged $2.5 million. The healthcare sector had the highest payouts at $7.5 million, followed by the government sector (just under $7.5 million) and the finance sector ($3.8 million). Respondents also struggled with ransomware detection, as more than 30% of respondents didn’t detect that they were being targeted by ransomware until data exfiltration had begun.

Riskiest Attack Surfaces and Entry Points

The report found that the public cloud, third-party risks, and GenAI were the riskiest attack surfaces (chart below). [caption id="attachment_106198" align="aligncenter" width="808"] Riskiest attack surfaces (ExtraHop)[/caption] “As organizations rapidly adopt emerging technologies, navigate complex device interdependencies, and manage sprawling supply chains, their IT infrastructures become inherently more complex,” the report said. “This escalating complexity inevitably leads to a larger attack surface.” Phishing and social engineering were the most common initial point of entry for attackers at 33.7%, followed by software vulnerabilities (19.4%), third-party/supply chain compromise (13.4%), and compromised credentials (12.2%) (chart below). [caption id="attachment_106199" align="aligncenter" width="827"] Initial attack vectors (ExtraHop)[/caption]