
MS-ISAC funding cuts threaten US state and local cybersecurity

1 unique source, 2 articles

Summary


The Multi-State Information Sharing and Analysis Center (MS-ISAC) faces funding cuts that will expire on September 30, 2025, potentially leaving state and local governments vulnerable to cyberattacks. Recent ransomware attacks on Nevada, St. Paul, the Lower Sioux Indian Community, and Pennsylvania underscore the growing threat to local governments. MS-ISAC, which detected over 40,000 potential cyberattacks in 2024, will have to start charging for its services without federal funding. This includes cyber threat analysis and threat intelligence distribution to critical infrastructure such as schools, hospitals, and utilities. The Center for Internet Security (CIS), which operates MS-ISAC, has been temporarily funding the center at a cost of over $1 million per month. Without reinstated funding, the MS-ISAC's services will be at risk, leaving many state and local governments unable to maintain the security of their public services.

Timeline

  1. 05.09.2025 16:00 · 1 article

    Recent ransomware attacks target state and local governments

    Recent ransomware attacks on state and local governments highlight the increasing threat to smaller entities. The state of Nevada suffered a ransomware attack on August 24, 2025, leading to service outages and data theft. The City of St. Paul, Minnesota, declared a state of emergency in July 2025 due to a major ransomware attack. The Lower Sioux Indian Community in Minnesota experienced a cyberattack in April 2025, disrupting local healthcare and government services. The Attorney General's Office for Pennsylvania was hit by a ransomware attack in August 2025, resulting in communications disruption and data loss. These attacks underscore the need for federal resources and manual operations to maintain resilience against cyber threats.

  2. 15.08.2025 00:26 · 2 articles

    MS-ISAC funding cuts to expire on September 30, 2025


Similar Happenings

Geolocation-based cyberattacks and their evolving threat landscape

Geolocation data is increasingly used by cybercriminals to conduct targeted attacks, leveraging the precision of location data to enhance the effectiveness of malware and phishing campaigns. These attacks, often referred to as "floating zero days," remain dormant until they reach their intended geographic targets, making detection challenging. The use of geolocation in cyberattacks has evolved significantly since the Stuxnet incident, with modern threats like the Astaroth malware campaign demonstrating sophisticated targeting techniques. The threat landscape is further complicated by the proliferation of IoT devices and edge computing, which expand the attack surface. Advanced persistent threat (APT) groups and other sophisticated actors adapt quickly, using botnets and encrypted channels to evade traditional defenses. Organizations must adopt a multilayered approach to mitigate these risks, including robust endpoint detection, decoy systems, and multi-factor authentication.

Ransomware Negotiation Tactics Against Sophisticated, Opportunistic, and Impatient Hackers

Ransomware groups are increasingly sophisticated, opportunistic, and impatient. Organizations can leverage these traits to negotiate more effectively during ransomware attacks. Ransomware gangs operate like SaaS vendors, targeting hundreds of organizations with professional processes. They seek sensitive information to tailor their demands but are also under strict deadlines. Organizations can exploit these behaviors to reduce ransom demands or call out bluffs. Effective negotiation strategies include preparing a ransomware playbook, keeping sensitive information secure, and using tactics like the LAP test and delaying responses to make hackers impatient.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.

Dark Web Cybercriminal Activity and Law Enforcement Tactics

The Dark Web remains a critical platform for cybercriminal activities, including the sale of malware, stolen data, and ransomware operations. Law enforcement agencies and cybersecurity researchers are increasingly collaborating to monitor and disrupt these activities. Recent advancements in AI and network analysis are enhancing the ability to identify and attribute cybercriminal operations. Cybercriminals are adapting their tactics in response to increased scrutiny and sanctions, particularly in how they handle financial transactions and communications. The Dark Web's anonymity features continue to attract both legitimate and illicit activities, making it a focal point for both defenders and attackers. Security vendors are integrating Dark Web monitoring into their threat intelligence capabilities, providing customers with insights into potential threats and compromised data. Organizations are advised to focus on the specific threats they face rather than the marketing term 'Dark Web monitoring.'

Emergence of AI-Powered Ransomware Strain PromptLock

A new AI-powered ransomware strain, named PromptLock, has been identified by ESET researchers. The ransomware leverages an AI model to generate Lua scripts on the fly, complicating detection and defense. PromptLock is not yet active in the wild but is nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities. The ransomware was uploaded to VirusTotal from the United States and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The development of AI-driven ransomware presents new challenges for cybersecurity defenders. The ransomware strain was discovered by Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after detecting samples on VirusTotal. The use of AI in ransomware introduces variability in indicators of compromise (IoCs), making detection more difficult. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom notes based on the files affected and the type of infected machine. The attacker can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model.