
Digital Warfare and the New Geopolitical Frontline

4 November 2025 at 12:42

This article follows our recent article on the source of cybercrime attacks – read it here – we’re now exploring the global, commercial, and political dimensions of digital warfare. Key takeaways $100 billion in global cyber damages annually – equivalent to the GDP of a mid-sized nation. $400 million in business impact from a single […]

The post Digital Warfare and the New Geopolitical Frontline appeared first on Heimdal Security Blog.

Is Your Tech Stack Killing Profitability? The Silent Bug Crippling MSP Growth

3 November 2025 at 09:12

Many MSPs want to grow, but internal complexity often holds them back. In this guest article, Portland, a Heimdal partner, breaks down how fragmented systems and unclear value messaging can quietly erode profits, compliance, and trust – and how to fix it. The “system bug” holding MSPs back “Stop talking about technology. Start talking about […]

The post Is Your Tech Stack Killing Profitability? The Silent Bug Crippling MSP Growth appeared first on Heimdal Security Blog.

Nearly Half of Ransomware Victims Who Pay Ransom Can’t Recover Data

29 October 2025 at 10:54


Paying attackers a ransom to recover from ransomware attacks fails 41% of the time, and even when recovery keys work, ransomware victims don’t always recover all of their data. That’s one of the findings from cyber insurer Hiscox’s Cyber Readiness Report 2025, which is based on interviews with 5,750 organizations in seven countries. The report found that 27% of those organizations had experienced a ransomware attack in the preceding 12 months. Among the organizations that paid a ransom, 60% recovered “some or all of their data,” the report said, but 41% “were given a recovery key, but still had to rebuild their systems.” It gets worse. For 31% of ransomware victims who paid a ransom, attackers demanded more money, the report found. And additional attacks were sustained by 27% of those who paid a ransom, “though not necessarily an attack from the same entity.” “No company enjoys rewarding bad players for hijacking their data, but when it comes to ransomware attacks, it is common for organisations to make every effort to recover what could be lost,” Hiscox said. “That includes paying the ransom where that is demanded.” “Paying a ransom does not always solve the problem,” the report noted.

IoT Devices Most Common Attack Vector

Vulnerabilities are a key initial attack vector noted by the report. Internet of Things (IoT) devices owned by the organizations were the most common point of entry for cyberattacks (33%), followed by supply chain vulnerabilities (28%) and cloud-based corporate servers (27%). AI tools and software were attackers’ initial point of entry for 15% of organizations.

Ransomware victims aren’t the only ones at risk of multiple cyberattacks: the report found that one cyberattack significantly raises the risk of further cyberattacks. Of the organizations surveyed, 59% had experienced at least one cyberattack in the preceding 12 months. Among those organizations, larger companies or those with higher revenue were more likely to experience additional incidents. Companies with more than $1 million in revenue that had experienced an attack in the last year averaged six cyberattacks, compared to four for businesses with less than $1 million in revenue. Businesses with 50-249 employees had an average of seven attacks in the last year, compared to companies with 11-49 employees, which averaged five attacks. Nonprofits were the hardest-hit sector, averaging eight incidents, while organizations in the chemical, property, and media sectors averaged three cyberattacks.

Most Favor Ransomware Payment Disclosure

The report noted that a new law in Australia requires companies to disclose the amount of ransoms paid, and 71% of respondents agree that such disclosures should be mandatory. However, 53% believe that private companies should not be obligated to disclose ransomware payments. While the report paints a challenging picture for cybersecurity defenders, there was one bright spot: 83% of respondents reported improved cyber resilience at their company in the last 12 months.

Ransomware Attacks Have Soared in 2025 as New Leaders Emerge

24 October 2025 at 12:59


Ransomware attacks have soared 50% in 2025 despite major changes among the leading ransomware groups, according to a new Cyble report. Through October 21, there have been 5,010 ransomware attacks claimed by ransomware groups on their dark web data leak sites, up from 3,335 in the same period of 2024, according to a Cyble blog post. “From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025, but affiliates have been quick to find new opportunities, and a steady supply of critical vulnerabilities has helped fuel attacks,” Cyble said. The threat intelligence company noted that its new threat landscape report (registration required) also documents record data breaches and supply chain attacks, as the cyber landscape has become more dangerous in general this year.

Qilin Led All Ransomware Groups Once Again

September marked the fifth consecutive monthly increase in ransomware attacks, and Qilin led all ransomware groups for the fifth time in six months, as the group has solidified its leadership in the wake of RansomHub's decline. In all, ransomware groups claimed 474 victims in September, up slightly from August (chart below). That’s well below February’s record, “yet still among the highest monthly ransomware attack totals on record,” Cyble said.

[Figure: Ransomware attacks by month 2021-2025 (Cyble)]

The U.S. remains by far the biggest target for ransomware groups, with its 259 victims accounting for nearly 55% of attacks in September (chart below). Germany, France, Canada, Spain, Italy and the UK remain consistent targets, but South Korea emerged as a new major target, in second place behind the U.S. with 32 attacks, largely due to one campaign by Qilin.

[Figure: Ransomware attacks by country September 2025 (Cyble)]

Of the 32 South Korean attacks recorded in September, 29 came from Qilin’s “KoreanLeak” campaign that targeted asset management companies in the country. Cyble noted that “One of the asset management firms said its systems were impacted through a ransomware attack on its IT management provider, indicating a possible supply chain compromise affecting multiple firms simultaneously.” The campaign also made South Korea by far the most attacked country in the APAC region in September, well ahead of India, Thailand and Taiwan. Qilin’s South Korean campaign made Banking, Financial Services and Insurance (BFSI) the third most attacked sector in September, behind Construction and Manufacturing and ahead of Professional Services, IT and Healthcare (chart below).

[Figure: Ransomware attacks by sector September 2025 (Cyble)]

The Emergence of The Gentlemen Ransomware Group

Qilin led all ransomware groups with 99 claimed victims, 40 ahead of second-place Akira (chart below).

[Figure: Top ransomware groups September 2025 (Cyble)]

The emergence of The Gentlemen, a new group that has claimed 46 victims to date, was a noteworthy development. “The group’s use of custom tools targeting specific security vendors and the geographic diversity of its targets ... suggests that the group may have the resources to become an enduring threat,” Cyble said. The full Cyble blog detailed 11 significant ransomware incidents in September, including some with supply chain implications, and also included recommendations for defenders.

U.S. Accuses Former Security Company Official of Stealing Trade Secrets to Sell to Russian Buyer

23 October 2025 at 15:01

U.S. Alleges Security Company Official Stole Trade Secrets to Sell to Russian Buyer

The U.S. government has apparently charged a former cybersecurity company official with stealing trade secrets with the intention of selling them to a Russian buyer, according to court documents and news reports. Court documents didn’t name the companies involved in the case, but Bloomberg and TechCrunch said the defendant – Peter Williams – is a former director at L3Harris Trenchant, which does vulnerability and security work for government clients. The Cyber Express reached out to U.S. and defense attorneys and L3Harris for comment on the case and was told by a U.S. attorney that they couldn’t comment on an ongoing case. L3Harris Trenchant is not charged with wrongdoing in the matter. The use of a Criminal Information document to bring the charges suggests the possibility of a plea deal in the case. Williams is scheduled to appear in court on October 29 for an "Arraignment and Plea Agreement Hearing," according to court records.

L3Harris Trenchant’s Sensitive Security Work

Trenchant was created following the acquisitions of Azimuth Security and Linchpin Labs by defense contractor L3Harris Technologies. According to a Trenchant information page, “Much of our work is neither public nor publicized. We work with select customers who share our ethical standards and have a formal mandate to operate in this space. Our solutions are driven by holistic analysis of real operational scenarios, yielding capabilities that are tuned to thrive and survive in real-world environments.” “We are a trusted, discreet partner furnishing security products, consultancy, training and integration services to allied governments, defense, security and law enforcement agencies,” Trenchant’s website adds. Trenchant’s solutions include vulnerability and exploit research, APIs for intelligence operations, “device and access capabilities,” and computer network operations (CNO) products.

The Charges: Stealing Trade Secrets

The two-count U.S. Criminal Information document alleges that Williams stole seven trade secrets from two unnamed companies with the intention of selling them to a Russian buyer. The first count states that between roughly April 2022 and June 2025, Williams allegedly “did knowingly steal, and without authorization, appropriate, take, carry away, conceal, and by fraud, artifice and deception, obtain such information, to wit, seven trade secrets ... knowing and intending those secrets to be sold outside of the United States, and specifically to a buyer based in the Russian Federation (Russia).” The second count says that between June 2025 and August 2025, Williams allegedly “did knowingly and without authorization copy, duplicate, download, upload, alter, replicate, transmit, deliver, send, communicate and convey such information, that is one trade secret ... knowing and intending those secrets to be sold outside of the United States, and specifically to a buyer based in the Russian Federation (Russia).” Both are Theft of Trade Secrets charges under Title 18, United States Code, Section 1832(a)(1) and Title 18, United States Code, Section 1832(a)(2). The U.S. seeks to collect $1.3 million in forfeited property from Williams.

Heimdal 5.0.0 RC: RDP Protection, Ransomware Detection, and OS Deployment

15 October 2025 at 12:01

Version 5.0.0 adds three major features for MSPs: a module that controls RDP access, an improved ransomware detection engine, and a simpler way to deploy Windows over the network. Remote Access Protection (RAP): Block Unauthorized RDP Attempts RDP brute-force attacks remain a top breach vector, so we built a new module that monitors and filters Remote […]

The post Heimdal 5.0.0 RC: RDP Protection, Ransomware Detection, and OS Deployment appeared first on Heimdal Security Blog.

Where Ransomware Profits Go and How to Cut Them Off

15 October 2025 at 06:41

Researched and written by Heimdal founder Morten Kjaersgaard, this article exposes how even limited cooperation between registry bodies and law enforcement could cripple ransomware networks and raise the cost for cybercriminals. This article serves as a wake-up call. Even limited cooperation between registry bodies and law enforcement could cripple ransomware networks and raise the cost […]

The post Where Ransomware Profits Go and How to Cut Them Off appeared first on Heimdal Security Blog.

Digital doppelgängers: How sophisticated impersonation scams target content creators and audiences

26 September 2025 at 10:50

Content creation is no longer niche. Over 50 million Americans earn income by making videos, livestreams, podcasts, or other digital media. Many are full-time creators, while others pursue it as a side hustle. Either way, having an online presence is becoming increasingly risky. Scammers are catching on. In 2024 alone, the Federal Trade Commission’s logged […]

The post Digital doppelgängers: How sophisticated impersonation scams target content creators and audiences appeared first on Heimdal Security Blog.

Heimdal Joins the Tidal Cyber Registry with Its Extended Detection & Response (XDR) Solution

23 September 2025 at 06:37

COPENHAGEN, Denmark, September 23, 2025 – We are proud to announce that our Extended Detection & Response (XDR) product has been officially listed on the Tidal Cyber Registry. This listing marks a significant milestone in Heimdal’s commitment to transparency, precision, and proactive threat defense. By integrating with the Tidal Cyber platform, Heimdal enables its customers […]

The post Heimdal Joins the Tidal Cyber Registry with Its Extended Detection & Response (XDR) Solution appeared first on Heimdal Security Blog.

The Ultimate MSP Podcast List

19 September 2025 at 10:31

Podcasts are every smart MSP’s secret weapon. They spark ideas, fuel strategy, and keep you in the know, without adding another thing to your to-do list. To save you the scroll, we’ve handpicked the most binge-worthy MSP podcasts of 2025 – shows that bring real talk, fresh insights, and the kind of advice you’ll actually […]

The post The Ultimate MSP Podcast List appeared first on Heimdal Security Blog.

Heimdal Investigation: European Organizations Hit by PDF Editor Malware Campaign

29 August 2025 at 11:48

A Heimdal investigation has revealed that the TamperedChef malware, disguised as free productivity software, has infected endpoints across multiple European organizations. The campaign used advanced obfuscation techniques to evade traditional detection. Heimdal’s Discovery Heimdal Security’s Managed Extended Detection and Response (MXDR) team found TamperedChef infections in 0.03% of its European customer base. The number may […]

The post Heimdal Investigation: European Organizations Hit by PDF Editor Malware Campaign appeared first on Heimdal Security Blog.

Colt Technology Services Breached – Warlock Gang Claims Attack

21 August 2025 at 04:17

This week in cyber we’ve got a SaaS breach impacting Workday, a malicious ChatGPT app making the rounds, double trouble for telecom providers, and the takedown of a botnet-for-hire service. Cybersecurity Advisor Adam Pilton is here with useful insights on the attacks and safety advice. Workday SaaS Breach Sparks Third-Party Risk Concerns Workday has confirmed […]

The post Colt Technology Services Breached – Warlock Gang Claims Attack appeared first on Heimdal Security Blog.

Fortinet VPNs Under Coordinated Attack

14 August 2025 at 10:23

Time for your Weekly Cyber Snapshot with Adam Pilton, former Cybercrime Investigator, currently Cybersecurity Advisor. The five major cyber stories this week go from North Korea’s cyber playbook getting leaked to the silent burnout creeping up on MSPs. Let’s go. North Korean Cyber Ops Get Hacked Hackers using the names Saber and Cyborg claim to […]

The post Fortinet VPNs Under Coordinated Attack appeared first on Heimdal Security Blog.

Agent Fatigue Crisis Hits 89% of MSPs as Security Tools Backfire

11 August 2025 at 05:47

COPENHAGEN, Denmark – August 11, 2025 – Security tools meant to protect managed service providers are instead overwhelming them. A new study from Heimdal and FutureSafe reveals that 89% of MSPs struggle with tool integration while 56% experience alert fatigue daily or weekly. The research exposes a dangerous paradox. MSPs experiencing high alert fatigue are […]

The post Agent Fatigue Crisis Hits 89% of MSPs as Security Tools Backfire appeared first on Heimdal Security Blog.

Scattered Spider Breached Allianz Life – How to Prevent This Threat

31 July 2025 at 05:19

Scattered Spider is on the news again – this time they breached Allianz Life. This week’s headlines range from ransomware-ready flaws to physical CCTV vulnerabilities, cloud outages, insurance data breaches, and unfinished patch jobs. Follow cybersecurity advisor Adam Pilton to find out what were the most important threats of the week and how you can […]

The post Scattered Spider Breached Allianz Life – How to Prevent This Threat appeared first on Heimdal Security Blog.

AI impersonation scams are exploding: Here’s how to spot and stop them

25 July 2025 at 16:00

The conversational AI market is exploding. Grand View Research suggests it’s set to jump from $11.58 billion in 2024 to $41.39 billion by 2030, a massive 23.7% annual growth rate. While businesses use AI to boost customer service, cybercriminals are jumping in too, launching slick impersonation scams. These scams are spreading fast. A report from […]

The post AI impersonation scams are exploding: Here’s how to spot and stop them appeared first on Heimdal Security Blog.

Heimdal® Achieves Fifth Consecutive ISAE 3000 SOC 2 Type II Certification

22 July 2025 at 10:37

COPENHAGEN, Denmark, July 23, 2025 – Heimdal is proud to announce that it has once again secured the ISAE 3000 SOC 2 Type II certification, marking the fifth consecutive achievement of this rigorous accreditation. This milestone reflects Heimdal’s long‑standing commitment to data security, operational integrity, and transparency for all customers. Why independent verification matters As […]

The post Heimdal® Achieves Fifth Consecutive ISAE 3000 SOC 2 Type II Certification appeared first on Heimdal Security Blog.

123456 Password Leads to McDonald’s Data Breach

17 July 2025 at 11:18

Hey there, it’s time for your Weekly Cyber Snapshot with former Cyber Detective Sergeant Adam Pilton. In less than 5 minutes you’ll be up to speed on the five biggest cyber headlines of the week. From a hacked Muppet to ransomware takedowns, leaky AI at the Golden Arches, a betting breach, and SMBs sleepwalking into […]

The post 123456 Password Leads to McDonald’s Data Breach appeared first on Heimdal Security Blog.

Heimdal Achieves IP Co-Sell Ready and MACC Eligible Status with Microsoft

15 July 2025 at 07:28

Heimdal can now be purchased through Microsoft’s global sales teams and counts toward Azure spending commitments. This partnership opens new doors for companies looking to strengthen their cybersecurity while making the most of their existing Microsoft investments. What this means for you IP Co-Sell Ready status means Microsoft’s sales teams can now sell Heimdal’s solutions […]

The post Heimdal Achieves IP Co-Sell Ready and MACC Eligible Status with Microsoft appeared first on Heimdal Security Blog.

Ingram Micro Ransomware Attack Shakes IT Supply Chain

10 July 2025 at 06:02

Your weekly dose of the most urgent cyber threats is here. Adam Pilton distilled it all into five critical stories and five things you should actually do about them. Let’s get into it. Ingram Micro Ransomware Attack Disrupts Global IT Supply Chain Ingram Micro, the lifeline distributor for countless MSPs, was slammed by a SafePay […]

The post Ingram Micro Ransomware Attack Shakes IT Supply Chain appeared first on Heimdal Security Blog.
