John Shier

Field CISO - Threat Intelligence @ Sophos

I do research into all things infosec and then talk about it to whoever wants to hear about it.

John Shier boosted:
2025-05-03

No, I do not want to install your app.

No, I do not want that app to run on startup.

No, I do not want that app shortcut on my desktop.

No, I do not want to subscribe to your newsletter.

No, I do not want your site to send me notifications.

No, I do not want to tell you about my recent experience.

No, I do not want to sign up for an account.

No, I do not want to sign up using a different service and let the two of you know about each other.

No, I do not want to sign in for a more personalized experience.

No, I do not want to allow you to read my contacts.

No, I do not want you to scan my content.

No, I do not want you to track me.

No, I do not want to click "Later" or "Not now" when what I mean is NO.

John Shier boosted:
Dare Obasanjo @carnage4life@mas.to
2025-04-07

At this rate MAGA will only be able to afford to rent the libs.

2025-04-02

@TindrasGrove @adamshostack @SophosXOps Yes, but we try to identify the most granular method used given the evidence that's available to the responders. Since these are root causes, the most specific one gets listed. Think of it as compromised creds via phishing or via brute force.

Sometimes, all we know is the attacker used valid creds, by successfully logging into a VPN, but we don't know where the creds came from, so that's all we can say.

John Shier boosted:
2025-04-02

Today we released the 2025 Sophos Active Adversary Report (AAR), looking at data from 413 incident-response cases handled by our X-Ops MDR and IR teams in 2024. This edition of the report has a number of interesting findings, a vastly expanded dataset, and -- in honor of our fifth anniversary -- a gift for the curious. /1

news.sophos.com/en-us/2025/04/

John Shier boosted:
2025-04-02

The 2025 Sophos Active Adversary Report is out.

I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

news.sophos.com/en-us/2025/04/

Key takeaways for me:

- Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured in days.

It is not hopeless and by active monitoring you *can* stop attackers.

2025-04-02

@earthshine @GossiTheDog It's often abused to create multipart archives for easier exfiltration. If the org doesn't need to use WinRAR and can rely on built-in archiving tools instead, you might as well block whatever you can. It reduces the attack surface.

2025-04-02

@nopatience @argv_minus_one @GossiTheDog Agreed. There are very robust defensive controls that exist before you get to smart cards.

Over half of the orgs in the dataset are under 250 users. They don't have the time, money, or the expertise to deal with smart cards.

2025-04-02

@RaulV @GossiTheDog This is mostly due to how data gets collected. We often don't get the opportunity to see all the logs (or sometimes any of them) for all the systems involved. So, the best we can say is compromised credentials. Attacker walks in the front door with a valid u/p. It's important to stick with what you can prove.

Another aspect of this is IABs and infostealers. The creds could have been stolen ages ago but get abused months later. We have seen those cases and we do attribute them to phishing when we can. But again, missing logs (47%) are a problem. For example, log retention is the #3 reason for missing logs in this dataset.

Your shock is not misplaced. I think the real percentage is a lot higher, but again, we're constrained by the data available to our responders.

2024-11-22

@chetwisniewski Sure, but do you have any idea how many millions I've gotten in SBA loans?

2024-05-29

@GossiTheDog The big consulting firms especially love this. They can spin up new consultancies, mint a fresh batch of partners, and charge a premium for a bunch of hand-wavy advice and "thought leadership."

2023-11-23

Always great to hear @fs0c131y share his perspectives on cybersecurity. #SophosDay2023

2023-10-13

@chetwisniewski Because capitalism? The worst offenders will find a way to evade the tax while somehow making the problem worse, and the consumer will likely end up paying more for less.

2023-09-23

@threatresearch You're not alone. Got the same thing, but with different topics back in March. They aren't even doing a modicum of research into their targets. I've never publicly spoken on ciphers of any kind, why start now? Promptly ignored.

Share your advice to help others
Hi John, I’m Katie, head of community at LinkedIn. We’re building an exciting new way to share what you know: collaborative articles. Professionals are consistently looking for advice — and we want to give more people access to experts who can help them.

We’re inviting a select group of our most trusted experts, like yourself, to be our first contributors. I was hoping you could add an example from your experience, share a different opinion or expand on an idea directly in the body of one of these articles:

What are some common pitfalls or vulnerabilities of using certain cipher modes? https://www.linkedin.com/advice/3/what-some-common-pitfalls-vulnerabilities-using-certain?trk=inmail

How do stream ciphers affect the performance and compatibility of different devices and platforms? https://www.linkedin.com/advice/1/how-do-stream-ciphers-affect-performance-compatibility?trk=inmail

2023-09-05

On this day, ten years ago, the progenitor of ransomware, CryptoLocker, was allegedly released. Despite being relatively short-lived, CryptoLocker provided a blueprint for countless clones that have cost businesses billions of dollars since.

While it's not an anniversary to celebrate, it's undoubtedly one of the most important inflection points in the monetization of cybercrime.

#CryptoLocker #ransomware #Cybersecurity

2023-08-07

Perfect headline. No notes.

2023-01-13

Coincidence?

John Shier boosted:
2022-12-13

Rep. Sherman's turn. He has not been quiet in the past about his distaste for crypto.

"My fear is that we'll view Sam Bankman-Fried as just one big snake in a crypto garden of Eden. The fact is, crypto is a garden of snakes."

#FTXhearing
