Connect with us

Infosecurity

Britain plans autonomous AI ‘Cyber Shield’ to defend against machine-speed attacks

Published

on

Cyber Shield AI defense

A new kind of digital shield

Britain’s cyber watchdog wants to build a fully autonomous, AI-driven defense system called Cyber Shield to protect government networks and critical infrastructure from attacks that move faster than any human can react. The plan, announced Tuesday by the National Cyber Security Centre (NCSC), envisions a network of paired AI agents — some attacking, some defending — operating at machine speed across the country’s most sensitive digital assets.

“This is about building a national scale, sovereign defense capability,” the NCSC said in a blog post. The agency warned that adversaries already use AI to compress reconnaissance and vulnerability discovery from weeks into minutes. “This has the potential to overwhelm traditional defenses and increase the risk of advantage shifting towards the attacker.”

The timing is urgent. GCHQ, the U.K.’s signals intelligence agency, recently warned that both offensive and defensive cyber capabilities could be fundamentally transformed within months — not years. GCHQ director Anne Keast-Butler flagged the Cyber Shield concept in her annual lecture earlier this year, saying the agency would “hardwire” agentic AI into machine-speed cyber defense.

Why machine speed matters

Traditional cybersecurity relies on human analysts spotting threats, investigating them, and patching vulnerabilities. That workflow takes days or weeks. Attackers using AI can now find and exploit a weak point in minutes. The gap is widening fast.

The NCSC has separately warned of an AI-driven “patch wave” — a surge of newly discovered vulnerabilities emerging faster than most organizations can fix them. In that environment, waiting for a human to decide whether to block an IP address or patch a server is a losing strategy.

“Developing viable solutions that scale and execute at the pace we need in the modern era is the remit of the Cyber Shield,” the agency stated.

How Cyber Shield would work: red vs. blue AI agents

At the core of the plan is a paired model of “red” and “blue” AI agents. Red agents continuously probe networks for weaknesses — the same way a human penetration tester would, but far faster and at greater scale. Blue agents defend in real time, blocking attacks and patching vulnerabilities automatically.

These agents would operate across critical national infrastructure — energy grids, water systems, transport networks, hospitals — but under the control of the organizations that own them. The NCSC emphasized that the system is designed to be sovereign, meaning the U.K. retains full control over its operation and data.

The agency identified six core functions Cyber Shield must deliver:

  • Automated scanning of British networks (already exists in some form)
  • Continuous vulnerability discovery
  • Real-time threat prioritization
  • Autonomous blocking of attacks
  • Fully automated patching of vulnerabilities (does not yet exist)
  • Feedback loops that improve the system over time

Some of these functions, the NCSC acknowledged, “present challenges which will need significant progress in research to unlock.” Fully autonomous patching, in particular, remains a hard problem — you don’t want an AI accidentally breaking a hospital’s patient record system while trying to fix a bug.

Who builds it? Not the government alone

The NCSC made clear it cannot build Cyber Shield by itself. The agency issued an open invitation to academia, critical infrastructure operators, frontier AI labs, and the cyber defense sector to help develop the blueprint. “In association or partnership with leading frontier AI capabilities, cyber defense organizations and academia” is how the agency described the intended delivery model.

Initial testing would begin with network defenders across government and critical U.K. sectors. After that, the agency would attempt to transition to commercially scalable solutions — but attached no timeline to the program. The rollout strategy is described as “test, iterate, scale.”

Interested parties are invited to get in touch with the NCSC directly.

The bigger picture: a race against AI-powered attackers

The Cyber Shield announcement lands in a moment of heightened concern about AI-enabled cyberattacks. The NCSC has been warning for months that the defender’s window is closing. If an attacker can find and exploit a vulnerability in minutes, and a defender takes days to patch it, the math is brutal.

Keast-Butler’s earlier speech made the stakes explicit: the U.K. has a narrowing window to stay ahead of its adversaries. Cyber Shield is the government’s bet that autonomous AI defense can close that gap — or at least keep the race competitive.

Whether the technology can deliver remains an open question. Fully autonomous patching, in particular, is not yet a solved problem. But the NCSC’s approach — test small, iterate fast, scale what works — suggests a pragmatic recognition that perfection is the enemy of progress.

For now, the Cyber Shield exists as a blueprint and an invitation. The real work begins when the first AI agents start probing government networks, looking for weaknesses before the bad guys find them.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

New GodDamn Ransomware Uses Microsoft-Signed Driver to Wipe Out Defenses Before Striking

Published

on

GodDamn ransomware

A Ransomware Strain That Kills Protections First

Most ransomware hits you with encryption and a ransom note. But a new variant called GodDamn does something far more insidious: it disables your security software before it even starts encrypting files. Researchers at Symantec say the attackers are using a malicious kernel driver — one that still carries a valid Microsoft Windows Hardware Compatibility Publisher signature — to terminate endpoint defenses from the inside.

GodDamn first surfaced in May 2026. According to Symantec’s analysis, it’s the latest chapter in a ransomware family that has been plaguing organizations since 2022. The lineage goes like this: Monster ransomware (2022) → Beast ransomware → GodDamn. All three belong to a group the researchers call Hyadina.

This isn’t just an incremental update. It’s a deliberate escalation.

How the Attack Unfolds

The attack chain starts with a remote desktop tool. Symantec’s July 9 blog post reveals that the attackers planted AnyDesk on the target machine, hiding it inside a folder named ‘Music’. From there, the tool made outbound connections to unknown IP addresses.

How did the attackers get in? The researchers aren’t sure yet. But account compromise — stolen credentials, brute force, phishing — is the usual entry point for ransomware operations.

Once inside, the attackers drop an executable disguised as a Symantec product. That executable installs PoisonX, a kernel-mode driver that terminates security processes. The driver is signed with a legitimate Microsoft Windows Hardware Compatibility Publisher signature. How the attackers obtained that signature is unclear. Symantec notes two common paths: using stolen corporate identities to sign the driver, or secretly exploiting legitimate third-party drivers.

Either way, the result is the same: the machine’s defenses go dark.

Credential Theft and Lateral Movement

With security software knocked out, the attackers deploy tools like NirSoft and Mimikatz. These are standard-issue utilities for stealing credentials, cookies, and live network traffic. The goal is to find administrator accounts and gain control over the broader network.

This phase is critical. Ransomware that only hits one machine is a nuisance. Ransomware that compromises domain controllers and encrypts entire networks is a crisis.

Finally, the Encryption

Once the attackers have enough control — over accounts, systems, and the network — they trigger GodDamn. Files are encrypted. A ransom note appears. By that point, the victim has no security software running to stop it, and the attacker already holds the keys to the kingdom.

Why This Matters: The Evolution of Defensive Evasion

What makes GodDamn notable isn’t the encryption. It’s the method. Using a signed malicious driver to kill security products is a relatively new tactic, and it’s effective.

“GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group,” the Symantec and Carbon Black threat hunter team said in their analysis. “Indicating that Hyadina is continuing to actively develop its ransomware and its capabilities.”

In other words, the Hyadina group isn’t resting. They’re iterating. And each iteration makes their attacks harder to stop.

For defenders, the lesson is clear: relying solely on endpoint detection isn’t enough anymore. Attackers are finding ways to turn those tools off. Organizations need layered defenses — network segmentation, strict application control, and monitoring for unusual driver installations — to catch this kind of attack before the ransomware fires.

Because once GodDamn runs, your security software is already dead.

Continue Reading

Infosecurity

Hacker Extradited from Ukraine Pleads Guilty in Ryuk Ransomware Case

Published

on

Ryuk ransomware extradited

Ryuk Conspirator Faces Years in Prison After Plea Deal

An Armenian man who was extradited from Ukraine has admitted his role in the Ryuk ransomware operation, one of the most damaging cybercrime campaigns of its era. Karen Serobovich Vardanyan, 34, pleaded guilty to conspiracy and computer fraud charges in a federal court in Portland, Oregon, on July 8.

The Justice Department says Vardanyan illegally broke into the networks of multiple US organizations between November 2019 and April 2020 to install Ryuk. Among the victims: a Michigan company that paid 200 bitcoin — worth over $1.1 million at the time — just to get its files back.

He also targeted a firm in Wilsonville, Oregon, and a school in Texas. The attacks weren’t random. They were surgical, hitting entities that could least afford downtime.

The Numbers Behind the Ryuk Takedown

Court documents paint a grim picture. Vardanyan and his co-conspirators hacked hundreds of servers and workstations. They collected roughly 1,610 bitcoin in ransom payments — valued at more than $15 million when the money changed hands.

As part of the plea agreement, Vardanyan has agreed to pay over $1.1 million in restitution. But that check won’t keep him out of prison. He faces a maximum of five years (plus a $250,000 fine) for conspiracy, and up to 10 years (plus another $250,000) for computer fraud. The sentencing judge will decide the final stretch.

Ryuk’s Reign: A Quick Look Back

Ryuk was a heavyweight in the ransomware world from 2018 to 2020. Its victims included US defense contractors, hospitals, and IT service providers. French giant Sopra Steria lost around $60 million in one of the costliest ransomware incidents of its time.

The group disbanded in 2020. Many of its members are believed to have joined the Conti gang — which quickly became a major threat itself. But Conti imploded two years later after a massive leak of internal chats and data.

Why Extradition Matters in Cybercrime

Perpetrators of ransomware often operate from former Soviet states, where authorities tend to look the other way as long as domestic companies aren’t hit. That’s made Ryuk ransomware extradited cases rare — and significant.

But US investigators are getting better at pulling suspects out of those jurisdictions. In March, an initial access broker involved in dozens of attacks that cost victims over $9 million was sentenced to 81 months in a US prison.

Vardanyan’s case shows the long arm of American law enforcement is reaching further east than ever. Whether that deters the next wave of ransomware crews remains an open question.

Continue Reading

Infosecurity

GigaWiper: Microsoft Warns New Malware Blends Espionage with a Wipe Function

Published

on

GigaWiper Malware: A New Breed of Cyber Weapon

Microsoft has sounded the alarm on a new multi-purpose backdoor that marks a worrying evolution in cyber-attack toolkits. Dubbed GigaWiper malware, this implant does not just steal data or lock files — it does both, and then wipes the system clean.

Discovered by Microsoft Threat Intelligence in October 2025, GigaWiper is written in Go (Golang). It gives attackers a single, unified platform to conduct quiet espionage, execute commands, deploy extra tools, and then trigger one of several destructive actions on demand.

This is not your average wiper. It is a modular backdoor that consolidates capabilities from at least three separate malware families: the Crucio ransomware strain, the FlockWiper wiper, and another unrecovered component. The result is a flexible, dangerous weapon.

How GigaWiper Works: Two Flavors, Three Ways to Destroy

Microsoft’s analysis, published on July 9, identified two types of GigaWiper samples in the wild.

Standalone Wiper vs. Full Backdoor

The first type is a standalone wiper binary — lean, mean, and purely destructive. The second type is a larger binary packed with full backdoor functionality. That second version is the real worry.

It gives attackers three distinct destructive modes to choose from:

  • Disk-level wiping: Overwrites raw disk content and removes partition metadata. The target drive is left structurally dead.
  • Fake ransomware (Crucio-derived): Encrypts files using randomly generated keys that are never saved. Decryption is mathematically impossible. This is extortion theater — the attacker never intends to unlock anything.
  • FlockWiper reimplementation: A Golang version of the original C-based FlockWiper, enhanced with multi-pass secure wiping. It scrubs data so thoroughly that recovery tools are useless.

Having all these options inside a single backdoor is what makes GigaWiper malware stand out. Attackers no longer need to deploy separate tools for espionage and destruction. One implant does it all.

Why This Shift Matters

Traditional wiper malware has one job: destroy data and cause chaos. Think of the NotPetya attacks of 2017, which were pure destruction with no real extortion. GigaWiper changes that equation.

Microsoft researchers noted that this consolidation reflects “a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort.” The fake ransomware component adds a layer of confusion. Victims may think they can pay and recover. They cannot.

The backdoor also reduces the attacker’s deployment footprint. One implant means fewer dropped binaries, less network chatter, and a smaller chance of being caught before the payload fires. For defenders, that is a nightmare scenario.

Microsoft assessed that GigaWiper was built by combining and reimplementing components from Crucio, FlockWiper, and an as-yet-unrecovered framework. This suggests the authors had deep code-level knowledge of those older families.

How to Defend Against GigaWiper

Microsoft published a set of mitigation recommendations for organizations worried about GigaWiper malware. They fall into two buckets: general security hygiene and Microsoft-specific settings.

General Mitigations

  • Enable tenant-wide tamper protection. This prevents attackers from stopping security services or adding antivirus exclusions.
  • Block direct access to known C2 infrastructure. Use threat intelligence feeds to keep command-and-control servers off your network.
  • Turn on cloud-delivered protection. This helps your antivirus keep up with rapidly evolving tools and techniques.

Microsoft-Specific Recommendations

  • Run EDR in block mode. Microsoft Defender for Endpoint can block malicious artifacts even when your non-Microsoft antivirus misses them or when Defender Antivirus is in passive mode.
  • Enable full automated investigation and remediation. This allows Defender for Endpoint to take immediate action on alerts, reducing breach impact significantly.
  • Apply attack surface reduction rules. Specifically, enable the rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion.

These steps are not theoretical. They are the same defenses that help stop ransomware attacks and other advanced threats. Wipers like GigaWiper move fast — your defenses need to be automated and always-on.

The Bigger Picture: Wiper Malware Is Evolving

GigaWiper is not just another malware sample. It is a sign that threat actors are investing in operational efficiency. They are merging standalone tools into unified platforms. That reduces their risk and increases yours.

For defenders, the takeaway is clear: you cannot treat espionage threats and destructive threats as separate problems anymore. The same implant that steals your credentials today can wipe your servers tomorrow.

Microsoft did not disclose who was targeted or how the initial compromise occurred. But the company did share detection signatures through its security products. If you are running Microsoft Defender for Endpoint with cloud-delivered protection and EDR in block mode, you are already better positioned to spot GigaWiper before it triggers its payload.

The clock is ticking. Wipers do not negotiate. They just delete.

Continue Reading

Trending