Nearly half of ransomware victims still pay out, says Sophos • The Register


Infosec in Brief Despite warnings not to pay ransomware operators, almost half of those infected by the malware send cash to the crooks who planted it, according to infosec software slinger Sophos.

The vendor surveyed 3,400 IT pros in early 2025 about their experiences over the last year and found 49 percent paid ransoms on their stolen data. That’s the second highest payment rate in six years, second only to the 56 percent payment rate from last year.

Sophos also found that crooks have reduced the sums they demand by a third since 2024, and the median ransom payment fell by 50 percent.

So while many victims are paying ransoms, their outlays are falling.

53 percent of respondents said they paid less than the initial ransom demand, which Sophos’s researchers feel is an indicator that “companies are becoming more successful at minimizing the impact of ransomware.”

However, organizations still fall victim to ransomware through well-known bad practices. The study found 32 percent of ransomware incidents flow from attackers exploiting a known vulnerability. Additionally, 40 percent of victims admitted their attackers “took advantage of a security gap they were not aware of.”

The use of backups to restore data is also at a six-year low, with just 54 percent of companies opting to avoid dealing with threat actors by rolling back to a known good state.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Sophos field CISO Chester Wisniewski. “The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage.”

You can read the full report here [PDF].

Critical vulnerabilities of the week: MegaRAC attack

You might not remember news of the CVSS 10.0-rated vulnerability in AMI MegaRAC firmware that we reported on in March, but cybercriminals didn’t forget about it, and it’s now under active exploitation, CISA said last week.

CVE-2024-54085 allows a remote attacker to bypass authentication thanks to an issue with the Redfish Host Interface. Security researchers spotted thousands of exposed systems when they investigated the bug earlier this year. Users haven’t patched many vulnerable systems since, meaning many are susceptible to attack.

M365 phishing warning

Attackers are abusing a Microsoft 365 Exchange Online feature that enables devices like printers and copiers to email documents, data security vendor Varonis warned last week.

Microsoft calls the feature “Direct Send”, and it allows devices to send emails without the need to authenticate.

Devices with Direct Send enabled are vulnerable because they often use a similar email format to other users in an organization, making it easy to guess the address of the host.

Varonis spotted phisherfolk abusing it in a novel campaign that’s targeted some 70 organizations without the need to compromise a single account.

Because Direct Send devices are internal and trusted, the messages raise far fewer alarms than those sent by a more conventional phishing attack.

Varonis said defenders need to inspect email headers to identify phishing messages sent by abusing Direct Send, with signs like use of external IPs as the source of a message an indicator of misuse. Disabling Direct Send if it’s not strictly needed is another option.
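As an added illustration of the header check Varonis describes (this is not code from Varonis, Microsoft or The Register), the Python script below flags a message whose From address claims the organisation's own domain but whose earliest Received hop originates outside an assumed set of trusted device networks. The domain, the trusted ranges and the two sample messages are constructed for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Hypothetical organisation settings (assumptions, not from the article).
ORG_DOMAIN = "example.com"
# Networks the organisation's own printers/copiers send from; anything else is "external".
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def sender_ip(raw_message: str) -> Optional[str]:
    """Source IP of the earliest hop. Each relay prepends its own Received header,
    so the last one describes where the message entered; its first IP is the 'from' side."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = IPV4.search(str(hops[-1]))
    return m.group(1) if m else None

def flag_direct_send_abuse(raw_message: str) -> dict:
    """Flag a message that claims an internal sender but entered from an untrusted IP."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ip = sender_ip(raw_message)
    claims_internal = from_domain == ORG_DOMAIN
    external_source = ip is not None and not any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS)
    return {"from_domain": from_domain, "source_ip": ip,
            "suspicious": claims_internal and external_source}

# Constructed sample: looks like the office copier, but entered from an address outside TRUSTED_NETS.
SAMPLE_SPOOFED = """\
Received: from scanner.example.com (198.51.100.77) by EX-01.mail.protection.outlook.com (10.0.0.1) with SMTP; Mon, 30 Jun 2025 09:00:00 +0000
From: "Copier" <copier@example.com>
To: staff@example.com
Subject: Scanned document

Please review the attached scan.
"""

# Constructed sample: the same message from a device on a trusted range.
SAMPLE_LEGIT = SAMPLE_SPOOFED.replace("198.51.100.77", "203.0.113.9")

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, flag_direct_send_abuse(raw))
```

In a real deployment the trusted ranges would come from your inventory of devices permitted to use Direct Send, and a hit should be correlated with the tenant's SPF/authentication results rather than acted on alone.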

Brother printers riddled with vulns

If you have one of 689 models of Brother multifunction printers (MFP), bad news: Your device contains an authentication bypass vulnerability that’s unfixable.

Rapid7 cybersecurity researchers last week reported the discovery of eight vulnerabilities while conducting zero-day research on MFPs from Brother. The most critical is CVE-2024-51978, a CVSS 9.8 problem that allows an attacker to steal the default administrator password from Brother MFPs because the company generated those default passwords based on the device serial number.

Unfortunately, Brother said there’s no way to patch machines vulnerable to that CVE, but a workaround is available: Change the default password.

The other seven vulnerabilities, ranging from a CVSS score of 7.5 down to 5.3, also affect MFPs from Fujifilm, Ricoh, Toshiba and Konica Minolta. Firmware updates are available for all of the machines.

Shocking: Crypto wallet maker targeted by scammers

Trezor, makers of a hardware wallet for cryptocurrency owners, has warned of phishing scams targeting its customers that “appear as legitimate Trezor support replies,” but are anything but.

Hardware wallets, for those unfamiliar, are USB devices users can employ to secure their cryptocurrency codes on an air-gapped piece of equipment, which criminals cannot attack over a network.

Savvy scammers have figured out how to abuse Trezor’s contact form to send phishing emails, the company warned.

While Trezor didn’t share many details of the incident, it said that “the issue has been contained,” and warned users to beware supposed Trezor employees asking for copies of backup codes.

“NEVER share your wallet backup — it must always stay private and offline,” the company said in a tweet. “Trezor will never ask for your wallet backup.”

Google Gemini is here to help – like it or not

On Monday, July 7, Android users will be able to access new features from Google’s Gemini AI assistant, regardless of whether they disabled such capabilities in the past.

Android Authority last week reported users of Google’s mobile OS have begun receiving emails from Google stating that the company was going to enable new Gemini features to “help you use Phone, Messages, WhatsApp, and Utilities on your phone, whether your Gemini Apps Activity is on or off.”

Google also reportedly told users that they could disable the new features in app settings, but provided no instructions for how to find the settings and what to change.

When approached for comment, Google’s response to Android Authority wasn’t the most reassuring.

“This update is good for users,” the Chocolate Factory said, explaining to the publication that it would allow Gemini to do things like send messages, make phone calls, and set timers even when App Activity was toggled off.

Those that leave App Activity toggled off won’t have their Gemini chats used to train Google AI models, Google added, so relax: Your Android device is just as privacy-conscious [Not!] as ever. ®
