Ransomware operators are getting faster, stealthier, and more aggressive – and the cost of delayed action is growing.
The recent article from CySecurity News highlights a troubling surge in ransomware and data exfiltration attacks across the Asia-Pacific region. Let`s outline how ransomware groups like Akira are systematically targeting vulnerable VPN configurations and unpatched systems. The manufacturing sector, critical infrastructure, and telecommunications are particularly hard hit, revealing how outdated technologies and weak credential management expose organizations to severe risks.
What’s concerning is not just the scale of the intrusions – but the shift in tactics:
Exploiting known VPN vulnerabilities (like CVE-2024-40766) within days of disclosure
Bypassing multi-factor authentication using stolen session tokens
Monetizing breaches through access sales, data theft, and non-encrypting extortion
These attacks aren’t just technical – they’re strategic. They aim to destabilize operations, erode trust, and extract long-term value from compromised environments.
This alarming trend underscores a universal truth – cyber resilience is no longer optional – it is a business imperative. The evolving sophistication of ransomware actors, coupled with the rise of non-encrypting extortion schemes, demands a paradigm shift from reactive patching to proactive, intelligence-driven defence.
What does this mean for Europe?
While the attacks are currently concentrated in APAC, the tactics are global – and the vulnerabilities they exploit exist in EU-based networks and products. That’s why the European Cyber Resilience Act (CRA) is not just timely – it’s necessary.
The CRA sets a clear baseline – if a product is digital, connected, and sold in the EU, it must be secure-by-design and secure-by-default. This means embedding cybersecurity principles from the earliest stages of product conception, rather than adding fixes later. Its goal is to shift the burden away from consumers and reactive IT teams and toward manufacturers and developers – ensuring that digital products are designed with security in mind from day one, and supported throughout their lifecycle.
Specifically, the CRA requires:
Mandatory risk management throughout the product lifecycle
Post-market support and timely software updates
Built-in mechanisms for vulnerability handling and reporting
However, legislation alone isn’t enough. Compliance must be supported by guidance, tools, and practical frameworks -especially for SMEs that lack extensive cybersecurity resources (as well as money, time and knowledge).
The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.
This is precisely where the European Union’s projects like the CRACoWi project(Cyber Resilience Act Compliance Wizard Tool) play a crucial role. CRACoWi is a digital assistant that helps companies (particularly SMEs) understand what CRA means for them, assess their cybersecurity risks, and take concrete compliance actions early in the product design process. It promotes a “secure-by-design” approach, which is essential to prevent vulnerabilities like those exploited in these APAC VPN attacks.
The EU’s Cyber Resilience Act and initiatives like CRACoWi champion embedding cybersecurity into digital products -including VPNs and network devices – to reduce risks before they become incidents. While patch management, credential hygiene, and account lockout policies remain critical, they are reactive measures. The ultimate goal is building security from the ground up, reducing the attack surface, and ensuring robust defense mechanisms are integral to product design – not afterthoughts.
Moreover, the APAC ransomware crisis reflects broader global challenges – supply chains dependent on legacy technology, complex operational networks vulnerable to breach, and the human factor as the primary entry vector exploited via social engineering. These challenges emphasize why the EU’s holistic approach – combining regulation, innovative compliance tools like CRACoWi, and continuous awareness campaigns – is critical to enhancing digital trust and resilience.
As ransomware actors sharpen their tactics with automation, credential theft, and stealthy persistence, Europe’s emphasis on a multilayered defense posture and intelligence-led security frameworks becomes a model for global cybersecurity strategies.
Cybersecurity is an enabler of business continuity and trust, not just compliance.
Funded under the Digital Europe Programme, CRACoWi is not only building the CRA Compliance Wizard but also providing awareness materials, FAQs, and support resources to bridge the gap between regulation and implementation for European businesses.
The APAC ransomware wave and VPN exploit trends serve as a critical reminder – cybersecurity is an enabler of business continuity and trust, not just compliance. By embedding security from design to deployment, European initiatives like CRACoWi are paving the way toward a safer digital future for all.
Because cyber resilience is not just about patching systems after the fact – it’s about building products, businesses, and ecosystems capable of resisting, recovering, and adapting to threats that continue to evolve.
If ransomware actors are moving faster, so must we. Security-by-design is not a feature – it’s a requirement.
The United States is set to launch the US Cyber Trust Mark in 2025, a groundbreaking voluntary initiative aimed at enhancing the cybersecurity of wireless consumer IoT products sold in the U.S. market. This program marks a significant step in creating safer digital ecosystems by promoting transparency, security, and trust in smart devices.
As mentioned in our previous article, a CyberSafe Products Action Plan builds on existing cybersecurity frameworks. In the EU we have the Cyber Resilience Act (CRA) that establishes security requirements for digital products, while in the U.S. there is the Cyber Trust Mark Program. Let`s dive deeper to understand better this trust mark.
What is the US Cyber Trust Mark?
The US Cyber Trust Mark is a cybersecurity labeling program introduced by the Federal Communications Commission (FCC). Its goal is to help consumers identify IoT products that meet recognized cybersecurity standards, empowering them to make informed decisions about the devices they bring into their homes.
The program is designed to enhance the security of wireless consumer IoT products sold in the United States. The program applies to a wide range of devices, including smart home appliances, wearable technologies, and other connected products, ensuring comprehensive coverage of the consumer IoT market.
Participation in the initiative is voluntary, allowing manufacturers to demonstrate their commitment to cybersecurity by meeting established standards. With the program’s expected launch in 2025, businesses have time to align their products with the framework and prepare for compliance, showcasing their dedication to delivering secure and trustworthy technologies.
How Does the U.S. Cyber Trust Mark Work?
The program involves Cybersecurity Label Administrators (CLAs)– organizations authorized to assess IoT products for compliance with security standards. In December 2024, the FCC announced the conditional approval of 11 companies as CLAs, with UL Solutions selected as the Lead Administrator. These administrators will evaluate product applications, authorize the use of the label, and support consumer education.
Participating devices will feature a certification label with a shield logo and a QR code, allowing consumers to scan for detailed security information, including support periods, automatic software updates, and security patch details.
Bureau Veritas (7layers), a partner in the CRACoWi Project, is one of the organizations that can conduct these cybersecurity assessments under the U.S. Cyber Trust Mark framework through authorization as Lab for CSA-PSWG, CTIA IoT-Cyber and ioXt. With its expertise in testing, certification, and regulatory compliance, Bureau Veritas helps businesses navigate the certification process efficiently, ensuring they meet the necessary security requirements.
Global Streamlining
In a joint statement, the European Union (EU) and U.S. have emphasized their commitment to mutual recognition of cybersecurity standards, including the US Cyber Trust Mark and the EU’s Cyber Resilience Act (CRA). This alignment seeks to streamline compliance for global manufacturers, ensuring that IoT products meet shared security expectations across both markets. Read also our article on Transatlantic Cooperation for Cybersecurity and a Safer Future for IoT Products
Except initiatives introduced by national authorities, we can see some good examples of projects, like the CRACoWi Project, that play a vital role in improving cybersecurity awareness and resilience in IoT devices. By highlighting initiatives like the U.S. Cyber Trust Mark, CRACoWi helps manufacturers navigate global cybersecurity requirements and align with emerging standards.
The launch of the U.S. Cyber Trust Mark is a critical step toward securing the digital world. By adopting voluntary cybersecurity certifications, manufacturers can demonstrate their commitment to security and innovation, while consumers gain greater confidence in IoT technologies.
The digitalization of the global economy is driving a massive shift in consumer and business behaviors, creating an interconnected ecosystem of billions of devices and millions of applications. This exponential growth amplifies the importance of robust cybersecurity measures, especially as critical infrastructures like energy, healthcare, and financial services become increasingly reliant on digital technologies.
Recognizing these challenges, the EU has introduced the Cyber Resilience Act (CRA) to establish mandatory cybersecurity requirements for products with digital elements. To support organizations in meeting these stringent standards, the CRACoWi project has developed an innovative solution – the Cyber Resilience Act Compliance Wizard. This white paper explores the critical role of CRACoWi in helping SMEs navigate the complexities of CRA compliance.
A few topics from the document:
The emerging cybersecurity risks for critical infrastructures and IoT ecosystems.How the CRA establishes a secure framework for digital products through lifecycle management and vulnerability reduction.
The role of the CRACoWi Compliance Wizard in automating compliance, documentation, and certification processes for SMEs.
Real-world applications of CRACoWi tools, showcasing their adaptability across industries and product categories.
The strategic importance of collaboration between regulatory bodies, industry leaders, and innovative SMEs to ensure a resilient digital future.
SMEs play a vital role in the EU’s digital economy but often face challenges in meeting complex regulatory requirements. This white paper outlines practical solutions provided by CRACoWi, including automated compliance assessments, AI-powered self-assessment tools, and lifecycle security management methodologies. It highlights how CRACoWi enables SMEs to strengthen product security, reduce compliance burdens, and maintain a competitive edge in a rapidly evolving market.
The Cyber Resilience Act (CRA) has officially been adopted, marking a major step towards enhancing cybersecurity standards across the EU. Its publication in the Official Journal of the European Union (EUR-Lex) as Regulation 2024/2847was the final step in the legislative process for the CRA. The act establishes horizontal cybersecurity requirements for products with digital elements, addressing widespread vulnerabilities and inconsistent security update practices, with the aim of improving the security and resilience of digital products throughout their lifecycle.
This final step defines the deadlines as follows:
December 10, 2024: Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA will enter into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.
September 11, 2026: Reporting obligations for stakeholders take effect.
December 11, 2027: Full application of the regulation.
The CRA introduces horizontal cybersecurity standards applicable to hardware, software, and digital services. The goal is to address widespread vulnerabilities and ensure that manufacturers prioritize security throughout a product’s lifecycle.
The regulation requires manufacturers to adopt vulnerability management processes and ensure timely security updates. It emphasizes transparency in the product lifecycle, obligating manufacturers to clearly communicate the duration of support for security updates.
The act also includes provisions to support microenterprises and small businesses, particularly in understanding and complying with the cybersecurity standards required by the regulation.
The Scope and Specific Provisions of the Cyber Resilience Act (CRA) require that all products with digital elements meet mandatory cybersecurity standards before being sold in the EU. Products must also display the CE marking, indicating compliance with EU safety regulations. Additionally, the CRA distinguishes between “important” and “critical” products, with stricter assessments applied to higher-risk products to ensure greater security.
Furthermore, the CRA ensures consumers are better informed about the security features of digital products, providing them with tools to choose secure devices and ensuring a safer digital environment for end-users, including children.
Overall, the Cyber Resilience Act sets the foundation for a more resilient digital landscape in Europe by mandating essential cybersecurity measures for all digital products. Emphasizing transparency, the CRA requires from manufacturers to prioritize cybersecurity at every stage – from design to end-of-life – while ensuring users are informed about security support periods. By harmonizing requirements across the EU, the act aims to foster a secure digital market while minimizing risks for consumers and businesses alike.
For more details, see the full regulation on EUR-Lex.
