Sophos Vendor Cyber Rating & Cyber Score

sophos.com

Sophos is a cybersecurity leader defending 600,000 organizations globally with an AI-driven platform and expert-led services. Sophos meets organizations wherever they are in their security maturity and grows with them to defeat cyberattacks. Its solutions combine machine learning, automation, and real-time threat intelligence with frontline human expertise from Sophos X-Ops to deliver advanced, 24/7 threat monitoring, detection, and response. Sophos offers industry-leading managed detection and response (MDR) alongside a comprehensive portfolio of cybersecurity technologies — including endpoint, network, email, and cloud security, extended detection and response (XDR), identity threat detection and response (ITDR), and next-gen SIEM.


Sophos A.I CyberSecurity Scoring

Company Information
- Website: https://www.sophos.com/en-us
- Employees number: 5,494
- Number of followers: 698,001
- NAICS: 5112
- Industry Type: Software Development
- Homepage: sophos.com
Sophos Risk Score (AI oriented)
- Company: Sophos (Software Development)
- Range: between 0 and 549
- Updated: 02/06/2026
- Score: 100/1000
- Rating: Critical (C)
- Powered by our proprietary A.I cyber incident model
- Insurance prefers the TPRM score to calculate premium

Sophos Global Score (TPRM)
- Company: Sophos (Software Development)
- Score locked

Sophos: Critical
- Current Score: 100 C (CRITICAL), on a 0 to 1000 scale
- 18 incidents
- 0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026 (score before incident: 100)
Ransomware, 02 Jun 2026, Sophos
Sophos: AI-built ransomware toolkit automates EDR evasion, AD discovery

AI-Powered Ransomware Toolkit Evades EDR Detection in Sophisticated Cybercrime Campaign

Score after incident: 100 (CRITICAL, change 0). Incident ID: SOP1780431821
Researchers at Sophos have uncovered a threat actor leveraging an AI-assisted ransomware attack toolkit designed to automate Active Directory (AD) discovery and bypass endpoint detection and response (EDR) solutions from Sophos, CrowdStrike, and Microsoft. The toolkit, developed with the aid of AI agents such as Cursor and Claude Opus, streamlines malware creation, testing, and evasion techniques, though the workflow remains human-driven. The framework was detected in a customer environment after malicious payloads triggered alerts in a test directory. Key components included:
- Cobalt Strike profiles mimicking legitimate web traffic to evade detection.
- A Telegram bot API for command-and-control (C2) communications, routing traffic through Telegram’s infrastructure.
- Python-based scripts for injecting shellcode into legitimate Windows executables while preserving functionality.
- A Cloudflare Worker acting as a redirector to conceal the true C2 server.

While initially resembling a red team tool, forensic analysis, including ransom notes and victim listings on data leak sites, confirmed its use in cybercriminal ransomware operations. The toolkit employs multiple AI agents, each assigned distinct roles, such as coordinating R&D (via Claude Opus 4.5), testing, OPSEC hardening, and VM deployment. Agents scraped bypass techniques from security research by Kaspersky, Palo Alto Networks, and others, mapping them to MITRE ATT&CK and iteratively refining payloads. A Python-based generator produced nearly 80 modular payloads in Rust and Go, layered with encryption and evasion tactics to resist sandboxing and EDR detection. Despite initial high failure rates, the framework achieved near-total EDR bypass after multiple iterations, though Sophos noted discrepancies between test results and internal reporting.

Notably, AI was not embedded in deployed malware but used to accelerate development, reducing the time between offensive research publication and threat actor adoption. The discovery highlights how AI tools are lowering the barrier for cybercriminals to operationalize advanced evasion techniques at scale.
INCIDENT DETAILS
- Type: Ransomware
- Motivation: Cybercriminal ransomware operations
- Data breach: Data Encryption: Yes
MAY 2026 (score: 100)
APRIL 2026 (score: 100)
MARCH 2026 (score: 100)
FEBRUARY 2026 (score: 100)
JANUARY 2026 (score before incident: 100)
Cyber Attack, 15 Jan 2026, Sophos
Fortinet, Ivanti, Sophos and Pulse Secure: Storm-2561 Uses SEO Poisoning, Fake Signed VPN Apps to Steal Enterprise Credentials

Storm-2561 Exploits SEO Poisoning and Fake VPN Installers in Credential Theft Campaign

Score after incident: 100 (CRITICAL, change 0). Incident ID: PULSOPFORIVA1773404773
Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign targeting enterprise VPN users by abusing SEO poisoning and trojanized VPN installers. The group leverages fake, code-signed software to harvest VPN credentials and configuration data, exploiting trust in search results and legitimate security certificates. In mid-January 2026, Microsoft Defender Experts identified a renewed campaign in which Storm-2561 manipulated search engine results to direct victims to spoofed VPN download sites, such as vpn-fortinet[.]com and ivanti-vpn[.]org. These domains mimicked well-known VPN vendors, including Fortinet, Pulse Secure, and Ivanti, before redirecting users to a now-removed malicious GitHub repository hosting a ZIP file (VPN-CLIENT.zip) containing a trojanized MSI installer. The installer, disguised as a legitimate VPN client, deployed signed malware components, including Pulse.exe, dwmapi.dll, and inspector.dll, under a path imitating a real Pulse Secure installation (%CommonFiles%\Pulse Secure). The dwmapi.dll acted as an in-memory loader, executing shellcode to load inspector.dll, a variant of the Hyrax information stealer. This malware targeted stored VPN credentials and configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, exfiltrating them to a command-and-control server at 194.76.226[.]93:8080. A key tactic in this campaign was the abuse of a legitimate code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which was later revoked. The signed MSI and DLLs bypassed Windows security warnings and evaded detection by some security tools, lending the malware a false appearance of legitimacy. Additional signed samples, including Sophos-Connect-Client.exe and GlobalProtect-VPN.exe, indicated a broader distribution effort under the same certificate.

The fake VPN client displayed a realistic GUI mimicking Pulse Secure, prompting users for credentials before exfiltrating them and displaying a fake error message. To avoid suspicion, the malware sometimes redirected victims to the official vendor site, ensuring they ultimately installed a legitimate VPN and leaving no immediate signs of compromise. Persistence was maintained via the Windows RunOnce registry key, ensuring the malware executed at reboot. Microsoft Defender Antivirus detects the payloads as Trojan:Win32/Malgent and TrojanSpy:Win64/Hyrax, while Defender for Endpoint can block active infections and flag unusual VPN process execution. The campaign highlights Storm-2561’s reliance on SEO manipulation, brand impersonation, and code-signing abuse to monetize stolen credentials.
INCIDENT DETAILS
- Type: Credential Theft
- Motivation: Financial Gain
- Impact: Data Compromised: VPN credentials and configuration data; Systems Affected: Enterprise VPN users; Identity Theft Risk: High
- Data breach: Type Of Data Compromised: VPN credentials and configuration data; Sensitivity Of Data: High; connectionstore.dat; Personally Identifiable Information: VPN credentials
JANUARY 2026 (score before incident: 100)
Ransomware, 01 Jan 2026, Sophos
Symantec, Sophos and CrowdStrike: Black Basta Ransomware Integrates BYOVD Technique to Evade Defenses

Black Basta Ransomware Adopts New 'All-in-One' Attack Tactic with Embedded BYOVD Exploit

Score after incident: 100 (CRITICAL, change 0). Incident ID: SOPCROSYM1770623613
The Black Basta ransomware group, linked to the threat actor Cardinal, has introduced a significant evolution in its attack methodology by embedding a Bring-Your-Own-Vulnerable-Driver (BYOVD) exploit directly into its ransomware payload. This marks a departure from traditional ransomware operations, where attackers typically deploy separate tools to disable security software before encryption. In this campaign, Black Basta leverages the NsecSoft NSecKrnl driver, which contains a critical vulnerability (CVE-2025-68947). The flaw allows the driver to execute privileged commands without proper permission checks, enabling the ransomware to issue Input/Output Control (IOCTL) requests that terminate high-level security processes. Targeted defenses include solutions from Sophos, Symantec, CrowdStrike, and Microsoft Defender (MsMpEng.exe). Once security measures are neutralized, the ransomware encrypts files and appends the “.locked” extension. This tactic, embedding defense evasion within the ransomware itself, is rare, previously observed only in Ryuk (2020) and Obscura (2025). The approach offers two key advantages for attackers: stealth, by reducing the number of files dropped on the victim’s system, and speed, by minimizing the window between disabling defenses and executing encryption. Researchers also noted prolonged dwell time in compromised networks, with suspicious activity detected weeks before ransomware deployment. The resurgence of Cardinal follows a period of inactivity after internal chat logs were leaked in February 2025 by a hacker known as ExploitWhispers, who claimed retaliation for Black Basta’s attacks on Russian banks. The leak led to police raids in Ukraine and the identification of an alleged leader, Oleg Evgenievich Nefedov. Despite law enforcement pressure, the group’s technical innovation suggests continued adaptation.

BYOVD attacks remain a favored method among threat actors because they rely on legitimate, signed drivers, which evade detection. The integration of evasion and encryption into a single payload may set a new standard in ransomware operations, reflecting a broader trend of defense impairment as a critical component of modern ransomware attacks.
INCIDENT DETAILS
- Type: Ransomware
- Impact: Operational Impact: Termination of high-level security processes (Sophos, Symantec, CrowdStrike, Microsoft Defender)
- Data breach: Data Encryption: Files encrypted with '.locked' extension
DECEMBER 2025 (score before incident: 100)
Ransomware, 05 Dec 2025, Sophos
Manufacturing industry blocks more ransomware attempts, while adversaries shift to data theft: Sophos report

Sophos State of Ransomware in Manufacturing and Production 2025 Report Findings

Score after incident: 100 (CRITICAL, change 0). Incident ID: SOP1764993671
Sophos announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report. The study reveals that manufacturers are stopping more ransomware attacks before data can be encrypted; however, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organisations impacted by encryption paid the ransom despite progress in defensive measures. The report is based on an independent survey of 332 manufacturing organisations that were hit by ransomware in the last year. The Sophos State of Ransomware in Manufacturing and Production report found:
- Encryption rates are falling, but adversaries are shifting tactics: 40% of attacks on manufacturers resulted in data encryption, the lowest level in five years and down from 74% last year. However, extortion-only attacks surged to 10% from just 3% in 2024 as attackers increase reliance on data theft for leverage.
- Data theft remains a significant concern: 39% of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.
- More organisations are stopping attacks before encryption: 50% of manufacturing organisations stopped the attack before data could be encrypted, more than double last year’s 24%.
- Expertise shortfalls and inadequate protection fuel attacks: Lack of expertise was cited by 42.5% of organisations. Unknown security gaps were cited by 41.6%, and
INCIDENT DETAILS
- Type: Ransomware
- Motivation: Financial gain, Data extortion
- Impact: Data Compromised: Yes
- Data breach: Sensitivity Of Data: High; Data Exfiltration: Yes; Data Encryption: Yes (in some cases)
NOVEMBER 2025 (score: 100)
OCTOBER 2025 (score: 100)
SEPTEMBER 2025 (score: 100)
AUGUST 2025 (score before incident: 100)
Ransomware, 07 Aug 2025, Sophos
Sophos

AVKiller EDR Killer Payload Attack

Score after incident: 100 (CRITICAL, change 0). Incident ID: SOP344080725
Sophos encountered a sophisticated cyberattack involving the novel 'AVKiller' payload, which disabled endpoint defenses to facilitate ransomware deployment. The attackers used a dropper masquerading as a legitimate utility, injecting malicious code into signed executables. AVKiller terminated security processes, allowing ransomware to encrypt crucial servers. The attack hampered recovery efforts due to the absence of active EDR protection. The tool's modular design and use of compromised certificates highlighted its advanced evasion tactics, underscoring the growing trend of adversaries using specialized tools to neutralize security operations.
INCIDENT DETAILS
- Type: Malware, Ransomware
- Motivation: Financial gain, disruption
- Impact: Systems Affected: Crucial servers; Operational Impact: Hindered recovery efforts due to disabled EDR protection
- Data breach: Data Encryption: Yes
JULY 2025 (score: 100)
JUNE 2025 (score before incident: 100)
Ransomware, 16 Jun 2025, Sophos
Sophos, Barracuda Networks and Arctic Wolf: Black Hat: Organizations Face Multiple Ransomware Hits

Ransomware Resurgence: Barracuda Report Reveals Alarming Trends at Black Hat USA 2025

Score after incident: 100 (HIGH, change 0). Incident ID: SOPBARARC1768969865
At Black Hat USA 2025, Barracuda Networks unveiled a stark report on ransomware’s evolving threat landscape, revealing that 31% of victims were attacked multiple times in the past year, a trend driven by fragmented security defenses and persistent gaps in protection. The findings, based on a survey of 2,000 IT and security decision-makers across North America, Europe, and Asia-Pacific, paint a troubling picture of modern cyber threats. Key takeaways from the report include:
- 57% of organizations suffered a successful ransomware attack in the last 12 months.
- 71% of those hit by email breaches were also targeted by ransomware, underscoring email as a primary attack vector.
- Only 32% of victims paid a ransom, and just half of those recovered all their data.
- Fragmented security tools and insufficient coverage in critical areas, particularly email security, left organizations vulnerable to repeat attacks.

Adam Khan, Barracuda’s VP of global security operations, highlighted that less than half of ransomware victims had implemented email security solutions, despite email being a leading entry point. The report also noted that ransomware attacks are now multi-dimensional, combining data encryption, theft, and secondary payloads for maximum disruption. Beyond financial losses, attacks inflicted reputational damage (41%), lost business opportunities (25%), and pressure on partners and employees (22%), signaling a shift toward broader operational and psychological impact.

Sophos and Rubrik Partner to Strengthen Microsoft 365 Resilience
In a separate announcement, Rubrik and Sophos unveiled a strategic partnership to deliver the first MDR-optimized Microsoft 365 backup and recovery solution, integrated into Sophos Central. The offering aims to combat ransomware, account compromise, and data loss across SharePoint, Exchange, OneDrive, and Teams by unifying threat detection and recovery in a single workflow. Raja Patel, Sophos’ chief product officer, emphasized the solution’s ability to simplify operations for partners, enabling automated recovery triggered by MDR alerts and creating new revenue streams. Rubrik CEO Bipul Sinha noted the partnership’s focus on AI-driven threats, stressing the need for rapid recovery capabilities in an era of sophisticated breaches.

Darktrace’s 2025 Mid-Year Retrospective: AI-Powered Threats and SaaS Exploitation
Darktrace’s retrospective of H1 2025 highlighted the growing use of AI by threat actors, including highly convincing phishing emails and automated campaigns at unprecedented scale. The report also flagged SaaS exploitation as a critical concern, citing lack of visibility and business-level controls in cloud environments. Nathaniel Jones, Darktrace’s VP of security and AI strategy, warned that user vigilance alone is insufficient, advocating for AI-driven defense systems to counter advanced threats like Blind Eagle. While law enforcement collaborations such as the takedown of Lumma Stealer show progress, the report cautioned that new threats will continue to emerge, with AI adoption expected to expand into deepfakes, malware development, and tooling.

Additional Black Hat Announcements
Other notable developments included:
- Arctic Wolf, Flashpoint, and Cyera unveiling new threat intelligence and data security initiatives.
- Industry-wide discussions on AI’s dual role in both offensive and defensive cyber operations.
INCIDENT DETAILS
- Type: Ransomware
- Impact: Brand Reputation Impact: 41%
MAY 2025 (score before incident: 146)
Breach, 01 May 2025, Sophos
Sophos: Over 70% of organizations hit by identity breaches

Identity-Related Breaches Surge, Driving Ransomware and Financial Losses

Score after incident: 100 (CRITICAL, change -46). Incident ID: SOP1778740228
A recent Sophos survey of 5,000 IT and cybersecurity leaders across 17 countries reveals that over 70% of organizations experienced at least one identity-related breach in the past year. Switzerland reported the highest breach rate, followed by Mexico and Italy, while Germany, Colombia, and Japan had the lowest, though still exceeding 60%. The energy, oil and gas, utilities, and federal government sectors faced the highest breach rates, while the IT, telecoms, and healthcare sectors, with stronger security investments, saw fewer incidents. Compliance struggles correlated with higher breach rates, indicating broader security vulnerabilities. Most organizations detected and stopped identity attacks before damage occurred, but smaller companies were less likely to identify threats early, increasing the risk of severe consequences. Brazil had the highest rate of detection failures, while Switzerland’s high breach rate left firms exposed. Media, leisure, and entertainment industries had the worst detection rates, while healthcare performed best, likely due to regulatory pressure. The report also highlights a strong link between identity attacks and ransomware, with two-thirds of ransomware victims attributing their breach to identity compromise. Mid-sized organizations (1,001–3,000 employees) showed the strongest connection, while higher education and transportation sectors were most affected. Financial services, IT, and telecoms reported lower rates. For the 510 organizations that failed to stop a major identity attack, the impact was severe. On average, each suffered two major consequences, including data theft (50%), ransomware (47%), financial fraud (46.7%), and extortion (43.9%). Undetected attacks led to significant financial and operational damage, with human error and weak identity management cited as the most common root causes.

Recovery costs averaged $1.64 million globally, with a median of $750,000. The survey also exposed gaps in identity security practices. While real-time monitoring was the most common activity, over half of companies checked for unusual logins no more than quarterly. Only 34.3% rotated and audited non-human identities (NHIs) weekly, and 22.6% reviewed identity governance policies just once every six months. Organizations with weak NHI management were 22% more likely to suffer financial theft, 24.4% more likely to face extortion, and incurred recovery costs $147,178 higher on average.
INCIDENT DETAILS
- Type: identity-related breach; ransomware; financial fraud; extortion
- Motivation: financial gain; data theft; extortion
- Impact: Financial Loss: $1.64 million (average recovery cost); personally identifiable information; corporate data; Operational Impact: severe operational damage; Identity Theft Risk: high
- Data breach: personally identifiable information; corporate data; Sensitivity Of Data: high; Data Exfiltration: yes; Personally Identifiable Information: yes
Cyber Attack, 01 May 2025, Sophos
Sophos, Fortinet, Ivanti, Palo Alto Networks and Pulse Secure: Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials

Storm-2561 Credential Theft Campaign Exploits SEO to Target Enterprise VPN Users

Score after incident: 100 (CRITICAL, change -46). Incident ID: PALIVASOPPULFOR1773764643
Since May 2025, the financially motivated threat actor Storm-2561 has been conducting a credential theft campaign by manipulating search engine rankings to distribute fake VPN software. The operation targets employees searching for tools like Pulse Secure, Fortinet, and Ivanti, redirecting them to spoofed websites that deliver malicious download packages. Victims who install the fake software unknowingly expose their VPN credentials, which are silently harvested and sent to attacker-controlled servers. The campaign leverages SEO poisoning to push fraudulent sites to the top of search results for queries such as “Pulse VPN download.” These sites mimic legitimate vendor portals, complete with logos and download buttons, while hosting malicious ZIP files on GitHub repositories that have since been removed. The trojans were digitally signed with a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”, which has since been revoked. Microsoft Defender Experts identified the campaign in mid-January 2026, attributing it to Storm-2561 based on its history of malware distribution through SEO abuse and software impersonation. After credential theft, the fake VPN client displays a convincing error message before redirecting the victim to the official vendor website, ensuring no visible signs of compromise. The attack delivers its payload via a Windows Installer (MSI) package disguised as a legitimate Pulse Secure installer, dropping malicious DLL files (dwmapi.dll and inspector.dll) that function as an in-memory loader and a variant of the Hyrax infostealer. The malware exfiltrates credentials to 194.76.226[.]93:8080 and maintains persistence via the Windows RunOnce registry key. The campaign extends beyond Pulse Secure, with additional fake installers for GlobalProtect VPN and Sophos Connect discovered under the same certificate.

Stolen credentials enable lateral movement within corporate networks, unauthorized data access, and follow-on attacks, posing a significant risk to enterprises relying on VPNs for remote operations. The attack’s sophistication, combining realistic spoofing, legitimate-looking signatures, and post-compromise redirection, makes detection particularly challenging.
INCIDENT DETAILS
- Type: Credential Theft
- Motivation: Financial Gain
- Impact: Data Compromised: VPN Credentials, Corporate Network Access; Systems Affected: Enterprise VPN Systems (Pulse Secure, Fortinet, Ivanti, GlobalProtect, Sophos Connect); Operational Impact: Unauthorized Access, Lateral Movement, Data Exfiltration Risk; Identity Theft Risk: High
- Data breach: Type Of Data Compromised: VPN Credentials, Corporate Network Access; Sensitivity Of Data: High; Data Exfiltration: Yes (to 194.76.226[.]93:8080); Data Encryption: No (credentials exfiltrated in plaintext); Personally Identifiable Information: Potentially (if credentials include PII)
NOVEMBER 2024 (score before incident: 100)
Cyber Attack, 01 Nov 2024, Sophos
Sophos: Ransomware activity peaks outside business hours

Sophos Report: Credential Compromise Dominates Cyber Intrusions as Attackers Exploit Identity Weaknesses

Score after incident: 100 (CRITICAL, change 0). Incident ID: SOP1772187995
A new Sophos Active Adversary Report analyzing 661 incident response cases between November 2024 and October 2025 reveals that identity-related attacks, including phishing, brute force, and credential theft, accounted for 67% of initial access vectors across organizations in 70 countries. The findings underscore how attackers increasingly bypass traditional security measures by targeting authentication systems rather than exploiting software vulnerabilities. Once inside, threat actors move rapidly to compromise Active Directory (AD), with a median time of 3.4 hours from initial access to directory-level infiltration. AD remains a prime target due to its control over authentication, authorization, and enterprise-wide policies, enabling attackers to escalate privileges and expand access. The report also highlights dwell time trends, with a median of three days between intrusion and detection. This window allows attackers to conduct reconnaissance, harvest credentials, and prepare for ransomware or data exfiltration. Notably, 88% of ransomware deployments and 79% of data theft incidents occurred outside standard business hours, exploiting reduced staffing and monitoring gaps. While generative AI has influenced cyber threats (improving phishing lures, scaling campaign volume, and lowering technical barriers), it has not yet led to fully autonomous attacks. Instead, AI acts as a force multiplier, enhancing existing tactics like credential theft and social engineering without fundamentally altering attack methods. The data confirms that identity compromise remains the dominant entry point, with attackers prioritizing speed and stealth to maximize impact before detection.
INCIDENT DETAILS
- Type: credential compromise; ransomware; data exfiltration
- Motivation: financial gain; data theft
- Impact: Active Directory
- Data breach: credentials; authentication data; Sensitivity Of Data: high
OCTOBER 2024 (score before incident: 100)
Vulnerability, 01 Oct 2024, Sophos
Sophos

Sophos Cybersecurity Firm Breach

Score after incident: 100 (CRITICAL, change 0). Incident ID: SOP000110124
Sophos, a UK cybersecurity firm, experienced a breach initiated by a Chinese hacker group that exploited vulnerabilities in their network security devices. The targeted attacks lasted over five years, compromising firewalls to gather intelligence and infiltrate a range of high-profile targets, including nuclear energy, military institutions, government agencies, and critical infrastructures across Asia, Europe, the Middle East, and the US. The severity of the incident was amplified by the strategic use of zero-day vulnerabilities and the attackers' focus on critical sectors, suggesting potential large-scale disruption and intelligence gathering for state-sponsored activities.
INCIDENT DETAILS
- Type: Cyber Breach
- Motivation: Intelligence Gathering, State-Sponsored Activities
- Impact: Systems Affected: Firewalls; Operational Impact: Potential Large-Scale Disruption
JUNE 2024 (score before incident: 188)
Cyber Attack, 16 Jun 2024, Sophos
Sophos, Verizon and Interpol: Ransomware: What it is and why it’s your problem

Ransomware Surges in Africa Driven by Cybersecurity Gaps and Financial Incentives

Score after incident: 100 (LOW, change -88). Incident ID: SOPVERINT1769439828
Ransomware, malicious software that locks or encrypts a victim’s data until a ransom is paid, remains one of the most damaging cyber threats globally, with Africa emerging as a key target in 2024. According to an Interpol report, South Africa and Egypt reported over 12,000 and 17,000 ransomware detections, respectively, highlighting the continent’s vulnerability. A Sophos report revealed that 71% of South African organizations hit by ransomware in early 2025 paid the demanded sum to recover their data. However, the true cost extends beyond payments, encompassing revenue losses from downtime, operational disruptions, and reputational harm. Attackers often target critical infrastructure such as power grids, healthcare systems, and financial networks, where service interruptions create maximum pressure to comply. When victims refuse, cybercriminals frequently escalate threats by leaking sensitive data. Africa’s cybersecurity gap fuels this trend. Many organizations lack dedicated resources, skilled personnel, or robust infrastructure to defend against attacks. Weak security controls, including poor password practices, unmonitored networks, and insufficient intrusion detection, allow hackers to exploit vulnerabilities. Human error, particularly through phishing emails, remains a leading entry point, with employees unknowingly downloading malicious attachments or clicking compromised links. Ransomware tools are increasingly commodified, sold by professional hackers to lower-skilled criminals, expanding the threat landscape. Attackers demand untraceable cryptocurrency payments, often employing double extortion tactics: demanding ransom while threatening to publish stolen data on the dark web or social media. Groups like Medusa amplify pressure by publicly shaming victims, while leaked credentials fuel further phishing scams and breaches.

Verizon’s 2025 Data Breach Report noted a 37% year-over-year increase in ransomware attacks, underscoring widespread unpreparedness. Experts emphasize the need for proactive measures, including strong access controls, network monitoring, regular backups, and employee training. Business continuity and disaster recovery plans are critical to minimizing downtime, while external cybersecurity expertise and cyber insurance can mitigate residual risks. Although no defense is foolproof, organizations are urged to adopt layered security strategies to reduce exposure. The rise in attacks reflects both the financial incentives for cybercriminals and the persistent gaps in Africa’s cyber resilience.
INCIDENT DETAILS
- Type: Ransomware
- Motivation: Financial gain; Data extortion; Reputational harm
- Impact: Ransom payments; Revenue losses from downtime; Sensitive data leaked; Credentials exposed; Critical infrastructure; Power grids; Healthcare systems; Financial networks; Operational Impact: Disruptions to critical services
- Data breach: Sensitive data; Credentials; Personally identifiable information; Sensitivity Of Data: High
Ransomware, 16 Jun 2024, Sophos
Sophos (Survey Respondents - Aggregate Data)

Sophos State of Ransomware 2025 Report Findings

Score after incident: 100 (CRITICAL, change -88). Incident ID: SOP830090225
The Sophos State of Ransomware 2025 report highlights that 3,400 organizations across 17 countries were hit by ransomware in the past year, with 97% recovering encrypted data but facing severe operational and financial strain. 49% of victims paid ransoms (down from 56% in 2024), with average payments at 85% of initial demands, often exceeding $1M. While recovery costs dropped 44% to $1.53M, 53% of attacks disrupted operations for a week or more. Root causes included exploited vulnerabilities (32%), compromised credentials (23%), and phishing (18%), compounded by protection gaps, under-resourcing, and security flaws. The attacks led to IT team burnout, reputational damage, and prolonged downtime, with some organizations losing critical data or facing regulatory penalties. Ransomware remained the dominant threat, leveraging unpatched systems and human error to cripple defenses, forcing costly remediation and eroding trust in cybersecurity postures.
INCIDENT DETAILS -
TYPE
ransomware; data breach; cyber attack
MOTIVATION
financial gain; data exfiltration
IMPACT
Average Recovery Cost: $1.53M (excluding ransom, down 44% from 2024); Backup Recovery Rate: lowest in six years (exact % unspecified); IT/Cybersecurity Team Impact: 100% of respondents reported team impact (details unspecified); Protection issues; Resourcing issues; Security gaps
JANUARY 2024
530Before Incident
Ransomware
01 Jan 2024Sophos
Sophos and Vanson Bourne: The State of Ransomware in Education 2024

Ransomware in Education: Declining Attack Rates Mask Rising Costs and Recovery Challenges

122After Incident
CRITICAL-408
SOPVAN1777508803
Sophos’ latest annual report on ransomware in the education sector reveals a complex landscape, where declining attack rates contrast with soaring recovery costs and evolving attacker tactics. The study, based on a survey of 600 IT and cybersecurity leaders in lower and higher education across 14 countries, examines trends from 2023 and highlights critical shifts in the sector’s response to ransomware.

Attack Rates Drop, But Risks Remain High
While ransomware attacks on educational institutions have decreased (63% of lower education and 66% of higher education organizations were hit in the past year, down from 80% and 79% in 2023), the sector still faces a higher attack rate than the global cross-sector average of 59%. Despite the decline, attackers are increasingly targeting backups: 95% of affected organizations reported attempts to compromise them, and of those, 71% saw their backups successfully breached, the second-highest rate across all sectors. Data encryption remains a persistent threat, affecting 85% of lower education and 77% of higher education victims in 2023, slightly higher than the previous year. Lower education’s encryption rate has risen for the second consecutive year and is second only to state and local government organizations (98%).

Recovery Costs Skyrocket
The financial toll of ransomware has surged dramatically. Lower education organizations reported an average recovery cost of $3.76 million in 2024, more than double the $1.59 million in 2023. Higher education saw an even steeper increase, with costs rising nearly fourfold to $4.02 million from $1.06 million the prior year. On average, 52% of computers in lower education and 50% in higher education were impacted per attack, slightly above the cross-sector average of 49%.

Ransom Payments and Backup Reliance Climb
The propensity to pay ransoms has grown, with 62% of lower education and 67% of higher education organizations opting to pay in 2023, up from previous years. Backups nevertheless remain a critical recovery tool, used by 75% of lower education and 78% of higher education victims. Higher education’s reliance on backups has improved significantly, jumping from near the bottom globally in 2023 to second place in 2024, tied with state and local government. A notable shift is the rise in hybrid recovery strategies: 65% of lower education and 69% of higher education victims used multiple methods (e.g., paying the ransom and restoring from backups) in 2023, nearly triple the rates from the previous year.

Ransom Demands vs. Payments: A Disparity
When organizations paid ransoms, the sums often diverged from the initial demands. The median payment for lower education was $6.6 million, while higher education paid $4.4 million. Only 13% of victims paid the exact amount requested. Lower education organizations were more likely to pay less than the demand (32%), while higher education was the sector most likely globally to pay more (67%). The report underscores the education sector’s growing vulnerability to ransomware, where improved backup strategies coexist with rising costs and increasingly aggressive attacker tactics. The findings are based on a survey conducted by Vanson Bourne between January and February 2024, covering organizations with 100 to 5,000 employees.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain
IMPACT
Lower Education: $3.76 million (2024 average recovery cost); Higher Education: $4.02 million (2024 average recovery cost); Data Compromised: Data encryption (85% lower education, 77% higher education); Lower Education: 52% of computers impacted per attack; Higher Education: 50% of computers impacted per attack
DATA BREACH
Type Of Data Compromised: Encrypted data; Data Encryption: 85% lower education, 77% higher education
Ransomware
01 Jan 2024Sophos
Sophos: 3 in 5 retailers hit by ransomware pay the ransom

Retail Ransomware and Extortion Incidents (2024-2025)

122After Incident
CRITICAL-408
SOP1764792712
Nearly half (46%) of retail ransomware incidents were traced to an unknown security gap, underscoring ongoing visibility challenges across the retail attack surface, according to a report from Sophos. Among organizations that had data encrypted, 58%, or three in every five, paid the ransom to get their data back, the second-highest payment rate in five years. These findings are based on a vendor-agnostic survey of 361 IT and cybersecurity leaders across 16 countries, representing organizations with 100 to 5,000 employees. The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.

This year’s report also revealed that 30% of attacks exploited known vulnerabilities and 48% of attacks resulted in encryption. The median ransom demand doubled from 2024 to $2 million, and the average payment rose 5% to $1 million. In the past year, Sophos X-Ops has observed nearly 90 distinct threat groups target one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx. After ransomware, account compromise was the second most common incident type seen against retailers. Like many industries, retail is a consistent target of business email compromise (BEC) groups seeking to divert payments, which is the third most common incident type. Limited in-house ex
INCIDENT DETAILS -
TYPE
ransomware; extortion; account compromise; business email compromise
MOTIVATION
financial gain
IMPACT
Median ransom demand: $2 million; Average ransom payment: $1 million
DATA BREACH
Data Encryption: 48% of attacks resulted in encryption
JUNE 2023
630Before Incident
Ransomware
16 Jun 2023Sophos
Sophos: The State of Ransomware in Enterprise 2025

Sophos 2025 Ransomware Report: Key Trends and Shifting Threats for Enterprises

483After Incident
CRITICAL-147
SOP1769016314
Sophos’ 2025 ransomware report, based on data from 1,733 enterprise organizations hit by attacks in 2024, reveals evolving tactics, operational vulnerabilities, and the financial and human toll of ransomware.

Root Causes of Attacks
Exploited vulnerabilities were the leading technical cause (29% of incidents), followed by phishing (21%) and compromised credentials (21%). Operational gaps played a major role: 40% of victims cited unknown security weaknesses, and 39% pointed to understaffing or a lack of expertise. Small and mid-sized businesses (SMBs) also struggled with resource constraints, with 42% attributing attacks to insufficient capacity.

Encryption and Recovery Trends
Data encryption rates dropped to a five-year low (49% in 2025 vs. 66% in 2024), while the share of attacks in which encryption was blocked rose to 47%, up from 22% in 2023, suggesting improved detection and response. Despite this, ransom payments held steady at 48%, while backup reliance fell to 53%, its lowest in four years, signalling potential gaps in recovery confidence.

Financial and Human Impact
Ransom demands and payments declined sharply: the median demand dropped 56% to $1.2 million and the median payment fell to $1 million. Recovery costs also decreased, averaging $1.84 million in 2025, down from $3.12 million in 2024. The human cost persisted, however: 40% of IT teams reported increased pressure from leadership, 39% faced heavier workloads, 37% saw shifting priorities, and 35% experienced guilt over failed prevention.

The report, based on a global survey of 3,400 IT/cybersecurity leaders conducted between January and March 2025, underscores the persistent challenges of ransomware despite progress in mitigation.
INCIDENT DETAILS -
TYPE
Ransomware
IMPACT
Median Ransom Demand: $1.2 million; Median Ransom Paid: $1 million; Average Recovery Cost: $1.84 million
DATA BREACH
Data Encryption: 49% of incidents involved data encryption
JANUARY 2023
748Before Incident
Ransomware
01 Jan 2023Sophos
Sophos: The State of Ransomware 2023

Sophos 2023 Ransomware Report: Attack Rates Hold Steady as Encryption and Recovery Costs Surge

613After Incident
CRITICAL-135
SOP1779575141
Sophos’ State of Ransomware 2023 report, based on a survey of 3,000 IT and cybersecurity professionals across 14 countries, reveals persistent and evolving ransomware threats. Although attack frequency did not increase (66% of organizations reported incidents in the past year, matching 2022 levels), adversaries are becoming more effective at encrypting data. A record 76% of attacks resulted in successful encryption, the highest rate in four years, and 30% also involved data exfiltration, signalling a rise in "double extortion" tactics. The education sector faced the highest attack rates, with 79% of higher education and 80% of lower education institutions affected. Exploited vulnerabilities (36% of cases) and compromised credentials (29%) remained the leading root causes, aligning with Sophos’ incident response findings.

While 46% of organizations paid ransoms to recover encrypted data, doing so roughly doubled recovery costs: an average of $750,000 compared with $375,000 for those that relied on backups. Paying also prolonged recovery, with only 39% of paying organizations restoring operations within a week versus 45% of those using backups. Larger enterprises (revenue over $500 million) were more likely to pay, with over half admitting to ransom payments. The report underscores the financial and operational toll of ransomware, with experts warning that payments often fail to fully restore data and still require additional recovery work. Recommendations include strengthening defenses with anti-exploit tools, Zero Trust Network Access (ZTNA) and 24/7 threat detection, alongside maintaining robust backups and incident response plans. The survey, conducted between January and March 2023, covered organizations with 100 to 5,000 employees across the Americas, EMEA, and Asia Pacific.
INCIDENT DETAILS -
TYPE
Ransomware
IMPACT
Financial Loss: Average recovery costs of $750,000 (with ransom payment) vs. $375,000 (without ransom payment); Data Compromised: 76% of attacks resulted in data encryption, 30% involved data exfiltration; Downtime: Only 39% of paying organizations restored operations within a week (vs. 45% using backups); Operational Impact: Prolonged recovery times due to ransom payments
DATA BREACH
Type Of Data Compromised: Encrypted data, exfiltrated data; Data Exfiltration: 30% of attacks; Data Encryption: 76% of attacks
MARCH 2022
742Before Incident
Vulnerability
01 Mar 2022Sophos
Sophos

Sophos Firewall Remote Code Execution Vulnerability

737After Incident
CRITICAL-5
SOP205228322
Sophos has fixed a critical authentication bypass vulnerability in its Sophos Firewall product that could allow remote code execution. The flaw affected Sophos Firewall v18.5 MR3 (18.5.3) and older releases. A remote attacker who could reach the firewall’s User Portal or Webadmin interface could bypass authentication and execute arbitrary code, so any device with those interfaces exposed to the WAN was directly at risk. Sophos shipped the fix as a hotfix that installs automatically on devices with the "Allow automatic installation of hotfixes" setting enabled, and advised customers to keep that setting on and to avoid exposing the User Portal and Webadmin to the WAN. Sophos later reported that the flaw had been used against a small number of specific organizations before the fix was released.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Sophos Firewall (v18.5 MR3 / 18.5.3 and older; User Portal and Webadmin interfaces)
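A check a practitioner would want after reading this entry is a quick triage of a firewall inventory against the affected release. The following Python is an added example, not Sophos code and not anything from this page: it normalises Sophos Firewall version strings in the formats the advisory uses ("18.5 MR3", "18.5.3", "19.0 GA"), treats builds at or below 18.5 MR3 as affected (the page names 18.5 MR3; the vendor advisory's "and older" wording is assumed here), and ranks each device by whether its User Portal or Webadmin is also exposed to the WAN. The inventory is constructed sample data, and the `wan_admin_exposed` field is a hypothetical attribute you would populate from your own firewall configuration export.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Highest affected release named on this page: Sophos Firewall 18.5 MR3 (18.5.3).
# Assumption: releases at or below this build are treated as affected.
AFFECTED_CEILING = (18, 5, 3)

# Matches "18.5.3", "18.5 MR3", "v18.5 MR3", "19.0 GA" (GA == maintenance release 0).
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)|\s*MR\s*(?P<mr>\d+)|\s*GA)?$",
    re.IGNORECASE,
)


def parse_sfos_version(text: str) -> tuple[int, int, int]:
    """Normalise a Sophos Firewall version string to (major, minor, maintenance).

    A trailing parenthetical such as "18.5 MR3 (18.5.3)" is ignored, since the
    MR number and the third dotted component mean the same thing.
    """
    cleaned = re.sub(r"\s*\(.*\)\s*$", "", text.strip())
    match = _VERSION_RE.match(cleaned)
    if not match:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    maintenance = match.group("patch") or match.group("mr") or "0"
    return (int(match.group("major")), int(match.group("minor")), int(maintenance))


def is_affected(version: str) -> bool:
    """True when the build is at or below the affected ceiling."""
    return parse_sfos_version(version) <= AFFECTED_CEILING


@dataclass
class Finding:
    host: str
    version: str
    affected: bool
    wan_admin_exposed: bool  # User Portal / Webadmin reachable from the WAN
    action: str


def triage(inventory: list[dict]) -> list[Finding]:
    """Rank each firewall: an unpatched build whose admin interfaces face the
    WAN is the urgent case; a patched build with WAN-facing admin still
    deserves a configuration fix because the next bug will hit it first."""
    findings = []
    for item in inventory:
        affected = is_affected(item["version"])
        exposed = bool(item["wan_admin_exposed"])
        if affected and exposed:
            action = "urgent: apply hotfix and remove WAN access to User Portal/Webadmin"
        elif affected:
            action = "apply hotfix"
        elif exposed:
            action = "patched, but restrict WAN access to User Portal/Webadmin"
        else:
            action = "ok"
        findings.append(Finding(item["host"], item["version"], affected, exposed, action))
    # Most dangerous first: unpatched and WAN-exposed, then unpatched, then the rest.
    findings.sort(key=lambda f: (not (f.affected and f.wan_admin_exposed), not f.affected, f.host))
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "fw-branch-01", "version": "18.5 MR3", "wan_admin_exposed": True},
    {"host": "fw-hq-01", "version": "v18.5 MR4", "wan_admin_exposed": False},
    {"host": "fw-lab-02", "version": "18.0.3", "wan_admin_exposed": True},
    {"host": "fw-dc-01", "version": "19.0 GA", "wan_admin_exposed": False},
    {"host": "fw-dmz-01", "version": "18.5 MR3 (18.5.3)", "wan_admin_exposed": False},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:14} {f.version:20} affected={f.affected!s:5} "
              f"wan_admin={f.wan_admin_exposed!s:5} -> {f.action}")
```

The version comparison is deliberately a plain tuple comparison so that the ceiling can be swapped for any future advisory; the ranking puts configuration exposure alongside patch level because an authentication bypass on an interface that was never reachable from the internet is a very different incident from one on an interface that was.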
NOVEMBER 2020
780Before Incident
Breach
01 Nov 2020Sophos
Sophos

Sophos Security Breach

727After Incident
HIGH-53
SOP141111623
UK-based cyber-security vendor Sophos disclosed a data exposure in November 2020. A misconfigured access permission on an internal tool that Sophos uses to track customers who have contacted Sophos Support left customer records accessible. Customer first and last names, email addresses, and phone numbers were among the details exposed. According to Sophos, the configuration error was reported by a security researcher and was fixed immediately.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Customer first and last names; Email addresses; Phone numbers
DATA BREACH
Customer first and last names; Email addresses; Phone numbers

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Sophos ?
What was Sophos's A.I Rankiteo Cyber Score in May 2026 ?
What was Sophos's A.I Rankiteo Cyber Score in April 2026 ?
What was Sophos's A.I Rankiteo Cyber Score in March 2026 ?
What was Sophos's A.I Rankiteo Cyber Score in February 2026 ?
What was Sophos's A.I Rankiteo Cyber Score in January 2026 ?
What was Sophos's A.I Rankiteo Cyber Score in December 2025 ?
What was Sophos's A.I Rankiteo Cyber Score in November 2025 ?
What was Sophos's A.I Rankiteo Cyber Score in October 2025 ?
What was Sophos's A.I Rankiteo Cyber Score in September 2025 ?
What was Sophos's A.I Rankiteo Cyber Score in August 2025 ?
What was Sophos's A.I Rankiteo Cyber Score in July 2025 ?
What is the average per-incident point impact on Sophos's A.I Rankiteo Cyber Score over the past 12 months ?
Where can I access detailed records of all cyber incidents associated with Sophos ?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
Where can I view Sophos's profile page on Rankiteo ?
How accurate is the A.I Rankiteo Risk Scoring methodology ?