UK ransomware costs significantly outpace other countries

UK organisations hit by ransomware attacks paid much higher ransoms than those in other countries over the past 12 months, according to a study

British businesses are suffering significantly more damaging losses from ransomware attacks than the rest of the world, where the trend appears to be improving, according to Sophos’ latest annual State of ransomware report, now in its sixth edition.

The study of 3,400 ransomware victims in 17 countries, just over 200 of them in the UK, found that worldwide nearly half of businesses that fell victim to ransomware still opted to pay a ransom to regain control of their data and systems, despite all professional advice to the contrary.

Globally, median ransom payments have nonetheless halved over the past 12 months, to approximately $1m (£740,000). Sophos attributes this less to the willingness to pay than to companies becoming more successful at minimising the impact of ransomware.

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Sophos director and field chief information security officer (CISO), Chester Wisniewski.

“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”

However, whereas in the rest of the world 53% of victims paid less than the sum demanded by the attackers – generally the result of engaging and negotiating with the criminals, which is itself not generally advisable – UK organisations not only paid a higher median ransom year on year, $5.20m (£3.94m), up from $2.54m last year, but 28% of UK victims ended up paying more than was originally asked for.

Root causes

For UK businesses, exploited vulnerabilities were the most common technical root cause of ransomware attacks, seen in 36% of cases, compared to phishing and other malicious emails, seen in 26% of attacks, and compromised credentials, used in 19%.

In terms of operational root causes, Brits tended to blame a lack of security expertise for ransomware attacks, cited by 42% of victims, followed by previously unknown security gaps, reported by 40%. Additionally, 38% lamented that they had not had the right products and services in place to prevent themselves from falling victim.

“Ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources,” said Wisniewski.

“We’re seeing more companies recognise they need help and moving to managed detection and response (MDR) services for defence. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Among the British respondents, 70% of ransomware attacks resulted in data encryption – well above the global average of 50%, and higher than the 46% reported by UK respondents last year. In a signal that messaging around ransomware resilience is getting through in the UK, victims were able to recover encrypted data in 99% of cases, with 39% saying they used backups to do so.

Interestingly, data was stolen in only 26% of cases, down from 49% in 2023-24, and of those victims who paid a ransom, 54% got their data back, up from 51% last year.

Business impact

Excluding ransom payments, the average (mean) cost borne by UK businesses in recovering from a ransomware attack also increased last year, hitting $2.58m, up from $2.07m in 2024 – including the costs of network downtime, device replacement, lost sales and so on. The good news is that UK organisations are getting faster at recovering, with almost 60% now back on their feet within a week, up from 38% last year.

Respondents also shared new insight on the impact of ransomware on their security teams, with 43% reporting an increased workload, 41% reporting increased anxiety and stress about the possibility of future attacks, 29% describing feelings of guilt, and 26% reporting absences due to stress and mental health issues following an attack. Unfortunately, in 24% of cases, security team leaders were let go and replaced after a ransomware incident.

https://www.computerweekly.com/news/366626502/UK-ransomware-costs-significantly-outpace-other-countries

Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access

Cisco has released updates to address two maximum-severity security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could permit an unauthenticated attacker to execute arbitrary commands as the root user.

The vulnerabilities, assigned the CVE identifiers CVE-2025-20281 and CVE-2025-20282, carry a CVSS score of 10.0 each. A description of the defects is below –

  • CVE-2025-20281 – A remote code execution vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root
  • CVE-2025-20282 – A remote code execution vulnerability affecting Cisco ISE and ISE-PIC release 3.4 that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and execute those files on the underlying operating system as root

Cisco said CVE-2025-20281 is the result of insufficient validation of user-supplied input, which an attacker could exploit by sending a crafted API request to obtain elevated privileges and run commands.

In contrast, CVE-2025-20282 stems from a lack of file validation checks that would otherwise prevent the uploaded files from being placed in privileged directories.

“A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system,” Cisco said.

The networking equipment vendor said there are no workarounds that address the issues. The shortcomings have been addressed in the below versions –

  • CVE-2025-20281 – Cisco ISE or ISE-PIC 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz), 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)
  • CVE-2025-20282 – Cisco ISE or ISE-PIC 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)

The company credited Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity for reporting CVE-2025-20281. Kawane, who previously reported CVE-2025-20286 (CVSS score: 9.9), has also been acknowledged for reporting CVE-2025-20282.

While there is no evidence that the vulnerabilities have been exploited in the wild, it’s essential that users move quickly to apply the fixes to safeguard against potential threats.

Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks

Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry (“open-vsx[.]org”) that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk.

“This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines,” Koi Security researcher Oren Yomtov said. “By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX.”

Following responsible disclosure on May 4, 2025, the maintainers proposed multiple rounds of fixes before a final one was deployed on June 25.

Open VSX Registry is an open-source project and an alternative to the Visual Studio Marketplace, maintained by the Eclipse Foundation. Several code editors, including Cursor, Windsurf, Google Cloud Shell Editor and Gitpod, integrate it into their services.

“This widespread adoption means that a compromise of Open VSX is a supply-chain nightmare scenario,” Yomtov said. “Every single time an extension is installed, or an extension update fetched silently in the background, these actions go through Open VSX.”

The vulnerability discovered by Koi Security is rooted in the publish-extensions repository, which includes scripts to publish open-source VS Code extensions to open-vsx.org.

Developers can request their extension to be auto-published by submitting a pull request to add it to the extensions.json file present in the repository, after which it’s approved and merged.

In the backend, this is implemented as a GitHub Actions workflow that runs daily at 03:03 UTC, takes as input the comma-separated list of extensions from the JSON file, and publishes them to the registry using the vsce npm package.

“This workflow runs with privileged credentials including a secret token (OVSX_PAT) of the @open-vsx service account that has the power to publish (or overwrite) any extension in the marketplace,” Yomtov said. “In theory, only trusted code should ever see that token.”

“The root of the vulnerability is that npm install runs the arbitrary build scripts of all the auto-published extensions, and their dependencies, while providing them with access to the OVSX_PAT environment variable.”

This means that it’s possible to obtain access to the @open-vsx account’s token, enabling privileged access to the Open VSX Registry, and providing an attacker with the ability to publish new extensions and tamper with existing ones to insert malicious code.

The risk posed by extensions has not gone unnoticed by MITRE, which has introduced a new “IDE Extensions” technique in its ATT&CK framework as of April 2025, stating it could be abused by malicious actors to establish persistent access to victim systems.

“Every marketplace item is a potential backdoor,” Yomtov said. “They’re unvetted software dependencies with privileged access, and they deserve the same diligence as any package from PyPI, npm, Hugging Face, or GitHub. If left unchecked, they create a sprawling, invisible supply chain that attackers are increasingly exploiting.”