Travel on the Cyber Express

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • The Top 25 Women Cybersecurity Leaders in the UAE in 2025
    by Editorial on 10 July 2025 at 7:13 AM

    As cyber threats grow, the United Arab Emirates (UAE) is stepping up, fast. The country’s cybersecurity market is projected to hit US$543.47 million by 2025, with Security Services alone expected to account for over US$294 million. This growth signals more than just investment; it reflects a national push to build a future-ready digital defense system. At the heart of this transformation are women leaders who are redefining what cybersecurity leadership looks like. Whether advising global enterprises, leading incident response, or shaping national policy, these 25 women are not just part of the conversation—they are driving it. Here’s a look at the women powering the UAE’s cybersecurity rise in 2025.

    Dee Deu CISSP, Director of Information Security, Chalhoub Group
    Dee Deu is a seasoned cybersecurity leader with over 18 years of experience across industries like banking, retail, insurance, and real estate. At Chalhoub Group, she leads information security strategy and governance, helping to build strong privacy and risk management programs. Dee is known for her people-first approach and ability to engage teams, stakeholders, and suppliers to drive security transformation across the business. She combines technical know-how with leadership to deliver results and create a culture of cyber awareness. Dee’s passion for knowledge-sharing and transparency has made her a respected voice in the industry. Her achievements include being named ‘CISO of the Year’ at the Cyber Security Awards in 2019 and making it to the SC UK list of the 50 Most Influential Women in Cybersecurity.

    Hessa Almatrooshi, Director of Information Technology – Acting, Ajman Free Zone (AFZ)
    Hessa Almatrooshi has over a decade of experience in cybersecurity and IT leadership. She started her career at Ajman Free Zone in 2011, working in IT infrastructure and helpdesk support. In 2018, she moved into cybersecurity, leading key security initiatives across the organization. Her expertise includes ISO 27001, ISO 20000-1, and risk management. Hessa holds certifications like CISSP, MCTP, and ITIL, showing her strong commitment to continuous learning. Known for her collaborative leadership style, she focuses on building strong teams and promoting security awareness. Hessa is passionate about solving problems and driving innovation in cybersecurity.

    Eman Al Awadhi, Vice President – Network and Cyber Security, Expo City Dubai
    Eman Al Awadhi is the Vice President of Network and Cyber Security at Expo City Dubai. She leads key areas including network infrastructure, cybersecurity, physical security tech, and tech innovation. Eman played a major role in protecting the digital systems of Expo 2020, where she built one of the most advanced cybersecurity frameworks for a World Expo. With over 16 years of experience, she started her career as a Network Security Engineer at the UAE’s Computer Emergency Response Team. Eman is known for blending technical expertise with strategic thinking to drive innovation and secure smart city technologies. She is a public speaker, mentor, and instructor in cybersecurity, often seen representing Expo City on global platforms. Eman also works with institutions like AIT and WINS and serves on advisory boards of leading universities in the UAE. She holds degrees from the American University of Sharjah and Khalifa University.

    Seema Sharma, Head of Information Security, Wio Bank
    Seema Sharma is the Head of Information Security at Wio Bank. With years of experience in cybersecurity, she is known for building strong security teams and driving impactful strategies. Her core strengths include risk and compliance, data privacy, DevSecOps, and cloud security. Seema also leads security incident response and business continuity efforts. She brings a hands-on approach to security engineering and threat management, making her a trusted leader in the banking sector. Her work ensures that Wio Bank stays secure, resilient, and ready for the future.

    Heide Young, Manager Cyber Strategy & Engagement, NEOM
    Heide Young leads Cybersecurity Strategy & Engagement at NEOM Tech & Digital. She focuses on building future-ready security programs and driving secure-by-design practices in the region’s cognitive city ecosystem. Heide is a Founding Partner and Board Member at Women in Cyber Security Middle East (WiCSME), where she works to advance and support women in the field. She also serves as a Global Ambassador for the Global Council for Responsible AI. Known for her thought leadership in cyber strategy, digital trust, and ethical AI, Heide has received several global recognitions, including being named Top Cybersecurity Woman of the World in 2023 and 2024. She is also listed among the Top 10 Tech Leaders in the Middle East and the 100 Most Inspirational Women in Cyber. Heide often speaks at global forums, sharing insights on responsible innovation and emerging technologies.

    Mouza Al Romaithi, Director – Information & Cybersecurity, ADQ
    Mouza Al Romaithi is the Director of Information and Cybersecurity at ADQ. With over 16 years of experience, she has played a key role in building and strengthening ADQ’s cybersecurity strategy. Her work focuses on protecting systems and data against evolving cyber threats. Mouza also brings her expertise to the boardrooms of TAQA and Pure Health, where she serves as a board member. She is known for her leadership, strategic thinking, and hands-on approach to tackling cybersecurity challenges. She holds a master’s degree in Cybersecurity and a bachelor’s degree in Network Systems, both from Zayed University. Mouza continues to be a strong voice in the UAE’s cybersecurity landscape.

    Sara Khalid Mohamed Alhosani, Director – Cyber Threat Intelligence Division (Gov Information Security), Department of Government Enablement
    Sara Khalid Mohamed Alhosani is the Director of the Cyber Threat Intelligence Division at the Department of Government Enablement, Abu Dhabi. With over a decade of experience in government cybersecurity, she specializes in cyber threat intelligence, threat modeling, and proactive defense strategies. Sara holds a Master’s degree in Information Security from Zayed University and is certified as a Certified Threat Intelligence Analyst (CTIA) and CRISC, among others. She has previously served as Chief Information Security Officer at Abu Dhabi Digital Authority, driving cyber resilience and cross-government collaboration. Sara is a sought-after public speaker on cybersecurity, actively shaping Abu Dhabi’s digital security posture.

    Dr. Hoda A. Alkhzaimi, Associate Vice-Provost for Research Translation and Entrepreneurship at New York University Abu Dhabi
    Dr. Hoda A. Alkhzaimi began her career in sovereign wealth funds, working on long-term investments in science, technology, and industry. At NYUAD, she leads programs that connect research with business, aiming to create real-world impact. Dr. Hoda advises major global bodies like the World Economic Forum, BRICS, and G20 on emerging technologies and innovation. She also works closely with companies like Jaguar Land Rover and Tata Group. With multiple degrees in law, computer science, cryptology, and business from top global universities, she brings deep technical and strategic knowledge. A strong advocate for women in STEM, she leads several global and regional women-in-tech organizations. Her work reflects a unique blend of technical expertise, policy insight, and a passion for empowering future leaders.

    Linoy Kidd, GBM MENAT CIO
    Linoy Kidd is the Chief Information Officer for Markets & Securities Services at GBM MENAT. With 18 years at HSBC, she has held senior roles across five countries — the UK, Hong Kong, China, Mexico, and the UAE. Known for her strong leadership, she has built and led teams across global markets. Outside work, Linoy is passionate about giving back. She has helped build eight schools in Africa, Haiti, and Nicaragua, and even built a home for the homeless in Mexico. Her professional strengths include foreign exchange operations, market risk, project management, business analysis, and electronic trading. Linoy is admired for combining global banking expertise with a deep commitment to social impact.

    Khulood Alawadhi, Director – Advanced Technology Services, Moro Hub
    Khulood Alawadhi is the Director of Advanced Technology Services at Moro Hub, where she leads AI-driven solutions, digital transformation projects, and data services. With 18 years of experience, she has played a key role in shaping Dubai’s tech ecosystem, especially across government and critical infrastructure. Khulood is known for her hands-on leadership and her ability to get things done—her personal motto. She has been part of several award-winning teams at DEWA and continues to guide innovative initiatives in the region. In 2024, she was named “The Most Innovative Transformational Women Leader” by Berkeley Middle East. She also serves on the Product Advisory Board for DataRobot in Emerging Markets and mentors tech talent through programs like the Dubai App Olympics. Khulood stands out for her passion, impact, and clear focus on outcomes in a fast-changing digital world.

    Shamma Bin Hammad, Senior Cybersecurity Assurance Analyst, Emirates
    Shamma Bin Hammad is a dedicated cybersecurity professional focused on protecting critical infrastructure. She specializes in vulnerability management and cybersecurity awareness programs that help organizations stay ahead of threats. At Emirates, she plays a key role in improving the overall security posture through continuous monitoring and risk mitigation strategies. Shamma is known for her ability to translate complex cybersecurity issues into practical actions. Her efforts have strengthened digital defenses and built a strong culture of awareness within her organization. With a clear vision and hands-on approach, she continues to contribute to a safer cyber environment across the UAE.

    Sofia Scozzari, CEO (Chief Executive Officer) and Founder, Hackmanac
    Sofia Scozzari is an Italian tech expert with over 30 years in ICT and more than 18 years in cybersecurity. She started her career as a system administrator and went on to lead teams as a cybersecurity manager and CEO of an ICT security firm. In 2017, she moved to Dubai and launched Hackmanac, a company focused on strategic cyber threat intelligence. Sofia is part of the steering committee at Clusit and Women For Security and helps coordinate the Cyber Think Tank at Assintel. She’s been co-authoring the Clusit Report since 2012 and leads the Hackmanac Global Cyber Attacks Report. Sofia also writes articles, creates cybersecurity guides, and speaks at global events. Her work focuses on raising cybersecurity awareness and supporting women in the field.

    Leen AlHalabi, Associate Principal Cybersecurity Consultant, Dragos, Inc.
    Leen AlHalabi is an Associate Principal Cybersecurity Consultant at Dragos, Inc. She specializes in industrial cybersecurity and works closely with clients to assess architectures, analyze network vulnerabilities, and perform compromise assessments. Her work also includes PCAP analysis and consequence-driven modeling. Leen began her career as an automation engineer, where she commissioned DCS and SCADA systems across various industries. Over time, she transitioned into OT/ICS cybersecurity, taking on responsibilities such as firewall configuration, endpoint security, backup and recovery planning, and system hardening. With hands-on experience in both engineering and cybersecurity, Leen brings a strong technical background to her role. Her expertise helps critical infrastructure organizations strengthen their defenses and respond to emerging threats effectively. Leen is passionate about securing operational environments and continues to contribute to the field through her work at Dragos.

    Nisha Rani, Chief Information Security Officer, Emirates Leisure Retail
    Nisha Rani is the Chief Information Security Officer (CISO) at MMI ELR and a well-known name in the UAE’s cybersecurity space. She brings years of experience in information security, IT governance, and risk management. At MMI ELR, she leads the efforts to protect critical systems and ensure compliance with security standards. Nisha is not just focused on building strong cyber defenses — she’s also passionate about supporting young professionals in the field. She regularly mentors upcoming talent and actively promotes women’s participation in tech and cybersecurity. Her work is helping create a safer and more inclusive digital environment in the region.

    Jumanah Kadri, Senior Specialist – Technology Governance, Fintech – Financial Services Regulatory Authority, ADGM
    Jumanah Kadri is a seasoned Information Security professional with over a decade of experience in cybersecurity and technology governance. She currently serves as a Senior Specialist in Fintech at the Financial Services Regulatory Authority, ADGM. Jumanah holds 17 IT certifications and has completed a program in Information Security Risk Management from Harvard University. Her expertise lies in information security strategy, governance, and performance management. She also holds a Master’s degree in Blockchain and Digital Currencies, reflecting her deep interest in digital transformation. Known for her clear communication style, Jumanah is a regular speaker on topics like cybersecurity, blockchain, and risk management. Her work blends technical strength with a strategic mindset, making her a recognized leader in the UAE’s cybersecurity landscape.

    Noura A., Director of Digital and Technology Services, Masdar (Abu Dhabi Future Energy Company)
    Noura A. is a cybersecurity and IT leader currently serving as Director of Digital and Technology Services at Masdar. She brings years of experience in driving digital transformation and aligning technology strategies with business goals. Known for her strong mix of technical expertise and leadership, Noura helps organizations stay ahead by adopting emerging technologies and improving operational efficiency. She is passionate about building high-performing teams, engaging stakeholders, and ensuring governance and compliance across IT functions. Noura leads efforts to protect critical information assets, using a hands-on approach to cybersecurity. Her focus lies in enhancing system architecture, streamlining processes, and promoting innovation. With a deep commitment to excellence, she continues to shape the future of digital and cybersecurity strategy in the UAE.

    Hannah Suarez, CISO, Loyalty Status Co
    Hannah Suarez is a cybersecurity leader with nearly a decade of experience across startups and large enterprises in telecom, entertainment, marketing, airlines, and tech. As the CISO at Loyalty Status Co, she leads information security and compliance programs, helping protect data and systems at scale. She has worked on multi-million-dollar cyber risk projects impacting millions of users. Hannah brings deep expertise in policy development, security training, risk analysis, and frameworks like ISO, SOC, NIST, and SOX. A global professional, she has lived and worked across five countries and is passionate about empowering teams and sharing knowledge through public speaking and her volunteer work with ISC.

    Dr. Yasmin Razack, CISO at MAVEN INTERNATIONAL
    Dr. Yasmin Razack is the Chief Information Security Officer at MAVEN INTERNATIONAL, bringing over 25 years of expertise across IT, fintech, and airline sectors. With a doctorate in Cybersecurity from the University of Fairfax, she specializes in IT Governance, Risk and Compliance (GRC), Cloud Security, and emerging technologies like blockchain. Yasmin is a certified ISO Lead Auditor and Lean Six Sigma Black Belt, known for driving cybersecurity strategy, risk management, and service improvements in mission-critical environments. Passionate about research and education, she also serves as an Adjunct Professor at Manipal Academy of Higher Education in Dubai.

    Alya Al Marzooqi, Group Digital Risk Management and Compliance Manager, ADNOC Group
    Alya Al Marzooqi is a seasoned cybersecurity leader with strong roots in the oil and gas sector. At ADNOC Group, she leads digital risk and compliance initiatives, ensuring resilience across critical operations. With experience spanning government, engineering, financial services, and manufacturing, she brings a broad perspective to every challenge. Alya is known for her sharp leadership, clear communication, and ability to work across multidisciplinary teams. She has successfully managed security programs for global organizations in diverse sectors like FMCG, retail, and IT services. Her work continues to shape robust cybersecurity practices in high-risk industries.

    Irene Corpuz, Founding Partner and Head of Governance & Communications, Women in Cyber Security Middle East
    Irene Corpuz is a well-known cybersecurity leader in the Middle East. She is passionate about building safer digital ecosystems and preparing organizations for the future of AI and quantum technologies. Irene is a Founding Partner of Women in Cybersecurity Middle East (WiCSME), where she helps create opportunities for women in the field. She also serves on the Strategic Steering Committee at the Global Forum on Cyber Expertise (GFCE), working with global partners to improve cyber capacity and tackle emerging threats. Irene’s strengths lie in cyber policy, AI, quantum governance, and thought leadership. She regularly shares insights on the future of cybersecurity and was named one of the Top 20 Cybersecurity Women of the World in 2024. Through her work, she continues to drive innovation and inclusion across the cybersecurity landscape.

    Rajvi Modi, Information Security Manager, Banque Misr UAE
    Rajvi Modi is an experienced cybersecurity professional with over 10 years in the field. She has worked across multiple industries, including finance, FMCG, aviation, and pharmaceuticals. Her core strengths lie in risk assessment, data protection, compliance, and vulnerability management. Rajvi has led several global projects, performing security audits and ensuring alignment with frameworks like ISO 27001, PCI DSS, and GDPR. She is skilled in cloud platforms such as Azure and AWS and has hands-on expertise in tools like Nessus, Burp Suite, and Qualysguard. Her broad technical knowledge and deep understanding of regulatory requirements make her a trusted leader in the UAE’s cybersecurity landscape.

    Siham Benhamidouche, VP Cybersecurity and Data Risk, Digital Customer Relations, Schneider Electric
    Siham Benhamidouche is the Vice President of Cybersecurity and Data Risk for Digital Customer Relations at Schneider Electric. She leads the cybersecurity strategy for the region, focusing on digital risk management. Her work covers key areas like cyber risk, data privacy compliance, and PCI-DSS standards. With a strong background in digital trust and governance, Siham plays a critical role in ensuring secure and compliant digital experiences for Schneider Electric’s customers. She is also passionate about creating awareness around cybersecurity best practices in the business landscape.

    Badreya AlMehairi, AVP Senior Manager – Data Privacy – Information Security, Mashreq Bank
    Badreya AlMehairi is a seasoned cybersecurity leader at Mashreq Bank. She is certified in CISSP, ISO 27001, and ISO 22301, and brings strong expertise in data privacy, information security, and business continuity. Badreya leads security planning, risk assessments, and incident response. She holds a Master’s degree in AI, Knowledge Management, and Data Analysis. Her background includes deep knowledge of network security, vulnerability management, and threat mitigation. Known for her hands-on approach and leadership, she excels at aligning security processes with business goals. Badreya is passionate about securing digital ecosystems while promoting a culture of cyber resilience.

    Sheeba Sultan Hasnain, Chairwoman & CIO, Sentiente
    Sheeba Sultan Hasnain is a seasoned tech leader with over 20 years of experience in IT, AI, and cybersecurity. As Chairwoman and CIO of Sentiente, she drives digital transformation while championing responsible AI and women in tech. Throughout her career, Sheeba has taken on multiple leadership roles, including CIO, CISO, programmer, and strategist, building strong IT operations and leading major AI projects. She’s a passionate public speaker and mentor, especially focused on empowering women and mothers in tech. Through her “Women Empowering Women” initiative, she shares stories of strength and innovation. Her work has earned her recognition through several awards, including the Visionary AI Leader Award and Global CIO & CISO honors. Sheeba believes in purpose-led innovation, inclusion, and tech that drives real impact.

    Lorna Trayan, Sr. Executive Partner, CISO Advisor, Gartner
    Lorna Trayan is a seasoned cybersecurity advisor with over 20 years of experience. At Gartner, she serves as a Senior Executive Partner and CISO Advisor, having worked closely with more than 65 CISOs across the GCC, Europe, and the UK. She is known for helping leaders simplify complex security issues and make informed decisions. Lorna often speaks at industry events and leads awareness sessions for boards and executive teams. Her strength lies in making cybersecurity practical, clear, and aligned with business goals.

    Conclusion
    As the UAE rapidly advances its cybersecurity capabilities, these 25 women stand at the forefront, leading strategy, shaping policy, and securing the future. Their diverse expertise and visionary leadership not only reflect the country’s digital ambitions but also redefine what it means to be a cybersecurity leader in today’s digital world. The path ahead is digital, and these women are making sure it’s secure.

  • Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed, 17 High-Risk
    by Paul Shread on 8 July 2025 at 8:17 PM

    Patch Tuesday for July 2025 was the busiest day for Microsoft fixes since January, with 130 Microsoft CVEs patched, 17 of them rated at high risk of exploitation. July’s total also included 10 non-Microsoft CVEs. In all, Microsoft Patch Tuesday July 2025 was twice the size of June’s patch total, and the biggest month for Microsoft CVEs since January’s 159.

    High-Risk Flaws in Microsoft Patch Tuesday July 2025

    The highest-rated vulnerability for July is a 9.8-severity remote code execution (RCE) flaw affecting Windows 10, version 1607 and above. CVE-2025-47981 affects the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism and is a heap-based buffer overflow vulnerability caused by a Group Policy Object (GPO) enabled by default on these operating systems: “Network security: Allow PKU2U authentication requests to this computer to use online identities.” An attacker could exploit the vulnerability by sending a malicious message to the server, potentially leading to remote code execution, Microsoft said.

    Microsoft Office and SharePoint each had two high-risk RCE vulnerabilities. CVE-2025-49695 is a Use After Free vulnerability in Microsoft Office, while CVE-2025-49696 is an Out-of-bounds Read/Heap-based Buffer Overflow in Office. Both vulnerabilities are rated 8.4 and could allow an attacker to achieve remote code execution without user interaction. Security updates for Microsoft Office LTSC for Mac 2021 and 2024 are not yet available and will be released as soon as possible. CVE-2025-49701 is an 8.8-severity Improper Authorization vulnerability in SharePoint, and CVE-2025-49704 is a Code Injection vulnerability in SharePoint that’s also rated 8.8.

    Other vulnerabilities deemed more likely to be exploited include:

    • CVE-2025-49724, an 8.8-rated Windows Connected Devices Platform Service Remote Code Execution vulnerability
    • CVE-2025-49735, an 8.1-severity Windows KDC Proxy Service (KPSSVC) Remote Code Execution vulnerability
    • CVE-2025-47978, a 6.5-severity Windows Kerberos Denial of Service vulnerability
    • CVE-2025-47987, a 7.8-rated Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege vulnerability
    • CVE-2025-48799, a 7.8-rated Windows Update Service Elevation of Privilege vulnerability
    • CVE-2025-48800, CVE-2025-48001, CVE-2025-48804 and CVE-2025-48818, all 6.8-severity BitLocker Security Feature Bypass vulnerabilities
    • CVE-2025-49718, a 7.5-rated Microsoft SQL Server Information Disclosure vulnerability
    • CVE-2025-49727, a 7.0-severity Win32k Elevation of Privilege vulnerability
    • CVE-2025-49744, a 7.0-rated Windows Graphics Component Elevation of Privilege vulnerability

    Other IT Vendors Issuing Patch Tuesday Updates

    Microsoft isn’t the only IT vendor issuing updates on the second Tuesday of the month. Other vendors releasing updates and patches in the last day have included:

    • AMD
    • Fortinet
    • Google Android
    • Ivanti
    • SAP

  • LogoKit Phishing Kit Used in Government, Banking and Logistics Attacks: Cyble
    by Paul Shread on 7 July 2025 at 7:03 PM

    Cyble threat intelligence researchers identified a phishing campaign aimed at Hungarian government targets that further investigation revealed was connected to wider global attack campaigns targeting the banking and logistics sectors. The initial phishing link discovered by the researchers led to a fake login page for HunCERT, Hungary’s Computer Emergency Response Team, Cyble said in a blog post today. The link prefilled the username field with the victim’s email address to increase the chances that the user would submit their credentials. The phishing links were built using the LogoKit phishing kit, Cyble determined. The phishing pages were hosted on Amazon S3 (AWS) “to stay under the radar and increase credibility among potential victims,” Cyble said. The pages also integrated Cloudflare Turnstile to further the sense of legitimacy. Those features may have helped keep the credential-harvesting domain from being discovered: the researchers found zero detections on VirusTotal during their work.

    LogoKit Phishing Kit Behind Multiple Attack Campaigns

    Cyble Research and Intelligence Labs (CRIL) researchers said the phishing URLs used in the campaign carried a legitimate HunCERT email address prefilled in the username field. Cyble included two phishing URLs used in the campaign:

    • flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html?email=cert@govcert.hu
    • flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html?email=csirt@nki.gov.hu

    The phishing page was designed “to closely resemble a legitimate login portal,” Cyble said, and the Cloudflare Turnstile verification “may deceive users into believing the page is secure” (image below).

    Phishing page targeting HunCERT (Cyble)

    A fake error message then tells victims, “Error Submitting form. Please try again.” The phishing site uses the Clearbit Logo API to fetch the logo from the domain of the targeted organization, Cyble said, and the Google S2 Favicon service retrieves the favicon by extracting the domain from the email address in the URL. The widely used LogoKit phishing kit leverages “URLs embedded with the victim’s email address, identical layouts, and real-time logo fetching from services like Clearbit and Google’s favicon API,” the researchers said. “LogoKit remains actively used in phishing campaigns because of its simplicity and automation,” Cyble said. “By automatically retrieving branding icons based on the URL’s domain, threat actors avoid the need to manually locate and update icons or logos within the phishing kit, making the process more scalable, convincing, and efficient.”

    Victim credentials are sent to mettcoint[.]com/js/error-200.php. The researchers found an open directory path on mettcoint[.]com that contained several PHP files and attack elements, and one of the directories contained a phishing page impersonating the WeTransfer file-sharing portal. OSINT revealed that the domain mettcoint[.]com has been used in other phishing attacks. Other targets in the ongoing phishing campaign have included Kina Bank in Papua New Guinea, the Catholic Church in the United States, and logistics companies in Saudi Arabia. mettcoint[.]com was registered in October 2024 and has been actively leveraged in phishing campaigns since February 2025, Cyble said. “Notably, the domain currently has zero detections on VirusTotal, allowing it to operate stealthily,” Cyble said. “As of this writing, the domain is still live and functional. Its ongoing availability and undetected status indicate that the phishing campaign is likely still active, with threat actors continuing to target victims on a global scale.”

    Protecting Against Phishing Attacks

    Cyble said the mettcoint phishing campaigns reveal a major weakness in cybersecurity defenses. “The human element remains both the strongest and weakest link in cybersecurity, with cautious and responsible use preventing compromises by cyber threats,” the researchers wrote. “Campaigns such as this, however, exploit that element by appearing credible, making them a primary concern for even cyber-savvy employees.” In addition to a threat intelligence solution that can automatically identify and block threats, Cyble said there are additional cybersecurity best practices that can help stop phishing attacks. Those practices include:

    • Being wary of links received via SMS or emails
    • Using good antivirus and internet security software on all connected devices
    • Educating employees on how to protect themselves from threats like phishing and untrusted URLs
    • Using secure email gateways to detect and block phishing emails with malicious links or attachments
    • Using multi-factor authentication (MFA) to limit exploitation of stolen credentials
    • Monitoring for unusual login behavior or access from suspicious IP addresses
    • Keeping devices, operating systems, and applications updated.
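    The traits the Cyble post attributes to LogoKit pages (a victim email address carried in the URL query string, hosting on an Amazon S3 website endpoint, and credential posts to the mettcoint[.]com endpoint) can be turned into a simple triage check for web proxy logs. The following is an added example written for this page, not Cyble’s code or tooling; the only indicators it uses are the two hosts the post names, the sample proxy log lines are constructed, and the scoring thresholds are an assumption chosen for illustration.

```python
"""
Added example (not Cyble's code): triage of LogoKit-style phishing URLs.

Signals, all taken from the post's description of the campaign:
  * the URL query string carries a prefilled victim email address
  * the page is hosted on an Amazon S3 website endpoint
  * the host matches a known credential-collection domain from the post
"""
from urllib.parse import urlparse, parse_qs

# Indicators named in the post (the post defangs them with "[.]").
KNOWN_BAD_HOSTS = {"mettcoint.com"}
S3_SUFFIX = ".amazonaws.com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'mettcoint[.]com' or 'hxxps://' back into a usable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def triage_url(url: str) -> dict:
    """Describe which LogoKit traits a single URL shows and whether it should be escalated."""
    if "://" not in url:
        url = "https://" + url          # tolerate bare host/path indicators
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    email = parse_qs(parsed.query).get("email", [None])[0]
    findings = {
        "host": host,
        "prefilled_email": email,
        # the kit derives branding from this domain, so it tells you who was targeted
        "email_domain": email.split("@", 1)[1].lower() if email and "@" in email else None,
        "s3_hosted": host.endswith(S3_SUFFIX) and ".s3." in host,
        "known_bad_host": host in KNOWN_BAD_HOSTS,
    }
    # Assumed scoring: an email parameter alone is weak; combined with S3
    # hosting it matches the post's pattern; a known collection host is decisive.
    score = 0
    if findings["prefilled_email"]:
        score += 1
    if findings["s3_hosted"] and findings["prefilled_email"]:
        score += 1
    if findings["known_bad_host"]:
        score += 2
    findings["suspicious"] = score >= 2
    return findings


# Constructed sample proxy log lines (not from the post): time, client, method, URL.
SAMPLE_PROXY_LOG = """\
2025-07-07T09:12:01Z 10.1.2.3 GET https://flyplabtk.s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html?email=cert@govcert.hu
2025-07-07T09:12:05Z 10.1.2.3 POST https://mettcoint.com/js/error-200.php
2025-07-07T09:13:40Z 10.1.2.9 GET https://www.example.com/index.html
"""


def scan_proxy_log(text: str) -> list:
    """Return (timestamp, client, host) for every log line whose URL triages as suspicious."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                    # malformed line, skip rather than crash
        result = triage_url(parts[3])
        if result["suspicious"]:
            hits.append((parts[0], parts[1], result["host"]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("escalate:", *hit)
```

    In the sample log the first line is flagged because it combines S3 hosting with a prefilled email, the second because the POST goes to the collection host the post names, and the third is left alone. The `email_domain` field is worth keeping in the alert: because the kit fetches the logo from that domain, it identifies the impersonated organization directly, which is what an analyst needs when notifying the targeted party.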

  • Suraksha Catalyst and The Cyber Express to Launch Candid On-Site Podcast Series at Black Hat USA 2025
    by Samiksha Jain on 4 July 2025 at 8:21 AM

    The global cybersecurity community is gearing up for Black Hat USA 2025, one of the industry’s most awaited events. The six-day program, August 2 to 7, 2025, returns once again to the Mandalay Bay Convention Center in Las Vegas. Suraksha Catalyst, in collaboration with The Cyber Express, will be launching an on-site podcast series broadcast live from the event floor.

    This exclusive on-site Suraksha Catalyst and The Cyber Express podcast series will be hosted by Paul Shread, the International Editor at The Cyber Express, and will provide a fresh platform for candid and thought-provoking conversations. It will feature insights from cybersecurity leaders, CISOs, researchers, and visionaries working at the forefront of today’s evolving threat landscape.

    Suraksha Catalyst in Collaboration with TCE Brings Live Podcast Series

    What makes this podcast series different? At its core, this is more than just another set of interviews; it’s an intentional effort to create a space for unscripted, insightful, and authentic conversations around cybersecurity challenges, leadership struggles, and innovation in cyber strategies.

    The initiative is led by Suraksha Catalyst, which has been instrumental in building a strong bridge between cybersecurity leaders in India and the US. Working with over 500 CISOs, industry bodies, and investors, Suraksha Catalyst brings a unique Indo-American perspective to the table—one grounded in collaboration, insight-sharing, and real-world problem-solving.

    The cybersecurity industry often operates behind a curtain. Issues are tackled quietly, strategies are developed behind closed doors, and many of the most difficult decisions never come into public view. This podcast series is designed to change that.

    Spotlight on Emerging Cyber Threats and CISO Challenges

    Each podcast episode will delve deep into a range of timely topics—from the evolving threat landscape and the rise of AI-driven attacks to the everyday realities that security leaders deal with across sectors. Participants will be encouraged to share insights on:

    - Emerging and persistent cyber threats affecting global enterprises
    - The invisible load CISOs carry, including regulatory pressures, burnout, and leadership conflicts
    - The shift in cyber defense strategy, from reactive responses to proactive, intelligence-led approaches
    - Balancing innovation with security in an increasingly cloud-native, decentralized world

    Importantly, the series will not just be about technicalities—it will address the human side of cybersecurity: the decision-making, the ethics, the failures, and the lessons learned.

    Why It Matters Now

    Cybercrime is growing fast. According to Statista, global losses are expected to grow from $9.22 trillion in 2024 to $13.82 trillion by 2028. Security leaders are under pressure to act faster and make critical decisions, often in isolation. At the same time, digital transformation and geopolitical tensions are reshaping the cyber risk landscape.

    Traditional conversations around cybersecurity are no longer enough. What’s needed now is honest, peer-led dialogue that addresses both emerging threats and internal challenges. That’s where the Suraksha Catalyst x The Cyber Express podcast comes in.

    Set against the backdrop of Black Hat USA 2025, this on-site recorded series offers more than discussion—it’s a platform for real stories from the frontlines. These conversations aim to surface the realities that rarely make it to public forums—burnout, breach fatigue, regulatory pressure, and the evolving CISO role. By capturing these voices live in Las Vegas, the series will cut through the noise and share insights that can influence boardrooms, policies, and practices worldwide.

    How to Be Part of the Conversation

    Participation in the podcast is open to CISOs, senior security leaders, researchers, and innovators attending Black Hat USA 2025. Those interested can express their interest by reaching out to the team in advance to schedule a recording slot. To join the conversation:

    - Mrinalinee Singh (Suraksha Catalyst) – milee@surakshacatalyst.com
    - Samiksha Jain (The Cyber Express) – samiksha.jain@thecyberexpress.com

    Each episode will later be published across The Cyber Express’s digital channels and shared through Suraksha Catalyst’s network, allowing insights from the heart of Las Vegas to travel across global boardrooms, policy tables, and SOC centers.

    A Movement, Not Just a Media Moment

    As cybersecurity matures, the need for new formats of leadership engagement is clear. The Suraksha Catalyst and The Cyber Express podcast series at Black Hat USA 2025 is not just a one-off event; it’s a signal of what’s needed next: more open dialogue, more shared experiences, and more honest storytelling. In a field where silence often dominates over transparency, this initiative dares to ask: what if we just talk? Let’s find out—live from Las Vegas.

  • Dhruvil Sanghvi on Why AI Won’t Save Logistics Sector Without Cyber Hygiene
    by Samiksha Jain on 3 July 2025 at 1:01 PM

    In a world where your next-day delivery could hinge on lines of code and machine learning algorithms, logistics is no longer just about moving goods; it’s about moving data securely. The global supply chain has become both a marvel of AI-powered efficiency and a high-value target for cybercriminals.

    In 2024 alone, over 183,000 customers were affected by supply chain cyberattacks worldwide, a sharp contrast from the staggering 263 million impacted in 2019, yet still a sobering reminder that cyber threats are evolving, not disappearing. From counterfeiting to malware infections and drive-by compromises, the logistics sector has become a digital battlefield.

    Meanwhile, AI’s footprint is growing fast: the cargo drone market alone is projected to hit $17.88 billion by 2030, fueled by AI’s promise of faster, smarter, and more autonomous delivery systems. But this raises a critical question: Will AI drive the next wave of innovation in logistics, or open new doors for cyber threats to exploit?

    To learn more about this evolving landscape, The Cyber Express sat down with Dhruvil Sanghvi, Founder and CEO of LogiNext, a global leader in AI-driven logistics automation. In this wide-ranging conversation, Sanghvi delves into emerging cyber risks, why automation must be built with security at its core, and how different regions are tackling the cybersecurity puzzle in their own unique ways.

    The Rise of AI and the Growing Threat Landscape

    With the rapid adoption of AI in logistics, one might assume that technology is the answer to most operational problems. However, Sanghvi offers a measured perspective.

    “The more interconnected and intelligent supply chains become, the more vulnerable they are to attack vectors that exploit those very integrations,” he says. “I see the highest risks in API vulnerabilities, unsecured IoT devices across fleet networks, and AI models being fed malicious or manipulated data. Threat actors no longer just target servers, they aim for the data pipelines and learning systems themselves.”

    Indeed, as companies push for seamless data flows, faster decision-making, and end-to-end visibility, every integration becomes a potential point of entry for cybercriminals.

    Building Security into Automation

    Automation is now table stakes in logistics. From warehouse robotics to predictive route planning, the industry thrives on operational speed. But what happens when security takes a backseat?

    “Efficiency and security aren’t mutually exclusive, they must be engineered together,” Sanghvi insists. “At LogiNext, we’ve built automation workflows that are permission-controlled and fully auditable. Automation without guardrails leads to incidents like the 2017 Maersk ransomware attack, which paralyzed global shipping. We believe automation should accelerate compliance, not bypass it.”

    This philosophy of “secure automation” is gradually being adopted across the logistics landscape. Companies are increasingly embedding cybersecurity principles into their DevOps pipelines, ensuring that automation doesn’t equate to exposure.

    AI in Threat Detection: Early Radar, Not Autopilot

    The cybersecurity community has been abuzz with the potential of AI to detect and mitigate threats before they escalate. But can AI be trusted as the first, and only, line of defense?

    “AI is essential for real-time anomaly detection and predictive threat intelligence,” says Sanghvi. “While traditional systems wait for a signature, AI can detect patterns and proactively raise red flags. That said, it’s not yet mature enough to act without human validation in high-stakes environments. We see AI as the early-warning radar; human judgment is still the command center.”

    AI’s strength lies in its ability to parse enormous volumes of data and identify unusual behavior patterns that traditional tools often miss. But over-reliance without proper oversight could lead to false positives, or worse, missed attacks.

    One Size Doesn’t Fit All

    Operating across the US, UAE, and India, LogiNext has a global footprint, which gives Sanghvi a unique lens on how cybersecurity threats, and responses, differ across borders.

    “In the US, the emphasis is on regulatory compliance: SOC2, ISO/IEC 27001, CCPA,” he explains. “In the UAE, there’s a stronger focus on infrastructure control and national security. In India, the challenge is scale: protecting millions of endpoints at low cost. Each region requires a tailored strategy, but one thing remains universal: ransomware doesn’t respect borders.”

    This underlines the importance of localized cyber strategies that account for not just the technological landscape, but also regulatory frameworks and threat actor behaviors.

    Data Protection in the Logistics Sector

    “Data is the new oil” has become a truism in technology circles, but nowhere is it more evident than in logistics. Route data, customer information, delivery schedules, and warehouse analytics—all of it is prime target material.

    “Encryption (in transit and at rest) is table stakes. Role-based access, frequent token refreshes, and audit logs are the next layers,” Sanghvi explains. “At LogiNext, we also leverage anomaly detection algorithms that monitor abnormal location pings or route deviations.”

    These protocols have paid off. “Our platform has maintained a 99.96% uptime on web apps and a 99.67% crash-free rate on mobile—proof that stability and security can go hand in hand,” he adds.

    Business Continuity in the Face of Cyber Disruption

    Cyberattacks on logistics firms don’t just affect one company; they ripple across industries. A delay in the delivery of semiconductors or medical supplies can have wide-reaching consequences.

    “Redundancy across infrastructure, distributed data centers, and zero-trust frameworks are non-negotiable,” says Sanghvi. “The 2025 Oracle Clouds’ security breach reminded the industry that centralized failures hurt everyone in the supply chain. At LogiNext, we’ve architected our systems for high availability across regions with real-time failover and backup strategies. We simulate attack scenarios regularly to pressure-test our preparedness.”

    The lesson is clear: resilience needs to be proactive, not reactive.

    Cybersecurity and Startups: Still an Afterthought?

    As an investor and mentor to several tech startups, Sanghvi has seen how early-stage companies often neglect cybersecurity.

    “Unfortunately, many still see it as a Series B problem rather than a seed-stage priority. Founders must internalize that every line of code is a potential vulnerability,” he warns. “The best teams I’ve worked with are the ones who integrate security reviews into CI/CD and think about threat modeling even before launch.”

    The shift toward “security-first startups” is slow, but vital, especially as more tech disruptors enter sensitive sectors like logistics, healthcare, and finance.

    Closing the Gap Between Innovation and Enforcement

    Is the regulatory environment keeping pace with the rapid innovation in AI and logistics tech?

    “Regulations are catching up, but innovation still outpaces enforcement,” Sanghvi observes. “What’s encouraging is the global shift toward data localization and mandatory breach disclosures. However, unless regulators work more closely with tech providers on standards, as aviation does with aircraft safety—we’ll always be reacting to the last breach, not preventing the next.”

    It’s a call for collaborative regulation, where lawmakers and technologists co-design frameworks that anticipate risk rather than just respond to it.

    The Blind Spot in Cyber Strategies

    When asked about the most common mistake startups make, Sanghvi doesn’t hesitate: “They underestimate insider threats and over-focus on perimeter security. Access logs, permission hygiene, and behavioral monitoring are often ignored. And when startups do get breached, they lack a clear incident response plan, making recovery slower and costlier.”

    Organizations must broaden their threat models to account for not just outside hackers, but also internal actors with privileged access.

    Best Practices from Around the World

    Having worked across continents, Sanghvi believes that some regions have lessons to offer others.

    “The US culture of ‘security by design’ needs to be adopted more broadly. In India and the UAE, security is often retrofitted. Starting from secure architecture rather than patching it later makes systems more resilient. That mindset shift alone could prevent a significant chunk of vulnerabilities.”

    Security as a Foundation, Not a Feature

    When asked about his “aha” moment regarding cybersecurity, Sanghvi’s answer is revealing.

    “Honestly, we never had an ‘aha’ moment. Security has always been a core principle at LogiNext since day one. In logistics, where systems are deeply interconnected and operate in real-time, we’ve always believed that even a minor breach can have outsized consequences.”

    He adds, “High-profile incidents like the 2025 BlueYonder outage have only reinforced our conviction. Watching companies suffer ripple effects across industries due to avoidable security lapses validates the path we’ve taken, building with security as a foundation, not an afterthought.”

    Autonomous AI Agents

    Outside of corporate strategy, what tech is Dhruvil personally excited about? His answer reflects both enthusiasm and vision.

    “I’m deeply excited about the rise of autonomous AI agents, especially their potential in operationalizing complex workflows without human intervention,” he says. “Tools like AutoGPT, Devin, and emerging enterprise-grade agents are redefining how we think about task delegation.”

    He continues, “Imagine a logistics coordinator that never sleeps, learns from every delivery exception, and autonomously re-optimizes routes in real-time across cities. That’s no longer science fiction.”

    Conclusion

    The integration of AI in logistics is no longer a futuristic concept; it’s today’s reality. From autonomous drones to real-time tracking, AI is powering an industry that once ran on paper trails and manual schedules. But as the sector races toward automation, it must also confront an uncomfortable truth: innovation is outpacing security.

    In 2023 alone, the FBI logged nearly 300,000 phishing incidents in the U.S., while tools like WormGPT have emerged as dark web alternatives capable of crafting highly convincing, malicious content. In logistics, these technologies pose real risks, not just to backend systems but to the very customers companies aim to serve. The ability of drones to record and transmit footage wirelessly, for instance, introduces new surveillance risks that few have begun to address seriously.

    And the issue isn’t just about breaches or bots. It’s also about trust and experience. In the U.S., more than 40% of consumers reported dissatisfaction when interacting with AI-powered customer service tools. This suggests that while AI can mimic conversation, it hasn’t mastered context or empathy, both essential in high-pressure logistics scenarios where every delayed shipment or rerouted package can trigger a ripple effect.

    To its credit, the industry isn’t standing still. We are beginning to see more holistic strategies, including threat modeling for AI systems, real-time anomaly detection, and regulatory frameworks aimed at closing the security gap. But these responses still feel fragmented and reactive. For a sector that operates 24/7 and spans continents, that’s not good enough.

    As Dhruvil Sanghvi aptly pointed out, cybersecurity in logistics can’t be an afterthought. It needs to be designed into the system, not duct-taped on after a breach. And that mindset shift has to happen now, not when the next high-profile attack makes headlines.

    AI will undoubtedly remain central to the future of logistics. But the question isn’t just what it can do—it’s how safely it can do it. Because when automation fails, it’s not just code that crashes—it’s confidence, continuity, and sometimes even commerce.

    In the race toward a smarter supply chain, speed and security must run side by side. Anything less is a risk the industry can’t afford.

  • Cisco Issues Urgent Patch for Critical Unified CM Vulnerability (CVE-2025-20309)
    by Ashish Khaitan on 3 July 2025 at 5:46 AM

    Cisco has issued a new security advisory addressing a severe vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw, now identified as CVE-2025-20309, carries the highest possible CVSS score of 10.0.

    This Cisco vulnerability stems from static root account credentials embedded during the development phase, which were never removed or secured prior to product release. According to Cisco’s advisory, the root credentials are immutable, meaning administrators cannot change or delete them, leaving the systems vulnerable to unauthenticated, remote attackers.

    “This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,” the advisory noted.

    How the CVE-2025-20309 Vulnerability Works

    An attacker could leverage CVE-2025-20309 to remotely log in as the root user without any authentication. Once inside, they gain unrestricted access, allowing them to execute arbitrary commands with full system privileges. The threat applies regardless of device configuration if an affected software version is in use.

    The flaw was identified during internal security testing and not through a public exploit, and Cisco’s Product Security Incident Response Team (PSIRT) has stated that, as of the advisory release, there is no evidence of active exploitation in the wild.

    Affected Versions and Patch Details

    The issue affects specific Engineering Special (ES) releases of Unified CM and Unified CM SME:

    - Versions 15.0.1.13010-1 through 15.0.1.13017-1 are confirmed vulnerable.
    - Only these ES releases, which are distributed through Cisco’s Technical Assistance Center (TAC), are impacted.
    - Versions 12.5 and 14 are not affected by this vulnerability.
    - The first fixed release is 15SU3, available in July 2025; alternatively, users may apply the patch file ciscocm.CSCwp27755_D0247-1.cop.sha512.

    Cisco has not provided any workarounds, urging users to apply the patch or upgrade to the secure version immediately. The advisory clearly states that there are no mitigations other than upgrading.

    Conclusion

    The CVE-2025-20309 Cisco vulnerability highlights the serious security risks of leaving development-stage credentials in production environments. With no available workaround and the potential for attackers to gain full root access, Cisco strongly advises all users of Unified CM and Unified CM SME to apply the latest updates without delay.

    Organizations should promptly verify their software versions, review SSH logs for signs of unauthorized root access, and upgrade to version 15SU3 or the appropriate patch. While no active exploitation has been reported, the critical nature and ease of exploitation make this vulnerability an urgent priority for IT and security teams across all sectors relying on Cisco’s communication systems.
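    The two checks the article recommends, verifying the installed version against the affected ES range and reviewing SSH logs for root logins, as an added example that is not Cisco's code or part of the advisory. The version boundaries come from the article; the log lines are constructed samples in OpenSSH "secure" log style, and that log format (and the `triage` helper around it) is an assumption rather than something the advisory documents.

```python
"""Defender-side triage helpers for CVE-2025-20309 (added example, not Cisco's code).

Version range taken from the advisory coverage above; log format is an assumed
OpenSSH-style 'Accepted/Failed <method> for <user> from <ip>' line.
"""
import re
from dataclasses import dataclass

# Affected Engineering Special range as stated in the article (inclusive).
AFFECTED_LOW = "15.0.1.13010-1"
AFFECTED_HIGH = "15.0.1.13017-1"

# Example: 'Jul  3 02:14:55 cucm-pub sshd[4198]: Accepted password for root from 198.51.100.23 port 40210 ssh2'
SSH_AUTH_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_version(version: str) -> tuple:
    """Turn a Cisco-style version such as '15.0.1.13017-1' into a comparable tuple.

    The dotted part becomes integer components; the '-N' build suffix becomes the
    last component (0 when absent), so '14' < '15.0.1.13010-1' as expected.
    """
    main, _, build = version.strip().partition("-")
    parts = [int(p) for p in main.split(".")]
    parts.append(int(build) if build else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the vulnerable ES range (inclusive)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


@dataclass(frozen=True)
class RootSshEvent:
    timestamp: str
    result: str      # 'Accepted' or 'Failed'
    method: str      # e.g. 'password', 'publickey'
    source_ip: str


def find_root_ssh_events(lines) -> list:
    """Return every SSH authentication event for the root account.

    Root should not be an interactive login on these appliances, so an
    'Accepted' event is a finding on its own; 'Failed' events are kept so the
    analyst can see where attempts originated.
    """
    events = []
    for line in lines:
        m = SSH_AUTH_RE.search(line)
        if m and m.group("user") == "root":
            events.append(RootSshEvent(m.group("ts"), m.group("result"),
                                       m.group("method"), m.group("ip")))
    return events


def triage(installed_version: str, secure_log_lines) -> dict:
    """Combine the version check and the log review into one triage result."""
    events = find_root_ssh_events(secure_log_lines)
    return {
        "version_affected": is_affected(installed_version),
        "root_accepted": [e for e in events if e.result == "Accepted"],
        "root_failed": [e for e in events if e.result == "Failed"],
    }


# Constructed sample log (not real data): one failed and one successful root login
# from the same external address, plus normal admin logins.
SAMPLE_SECURE_LOG = """\
Jul  3 02:11:09 cucm-pub sshd[4121]: Accepted password for admin from 10.0.0.12 port 51822 ssh2
Jul  3 02:14:52 cucm-pub sshd[4198]: Failed password for root from 198.51.100.23 port 40210 ssh2
Jul  3 02:14:55 cucm-pub sshd[4198]: Accepted password for root from 198.51.100.23 port 40210 ssh2
Jul  3 02:15:01 cucm-pub sshd[4203]: Accepted publickey for admin from 10.0.0.12 port 51830 ssh2
"""

if __name__ == "__main__":
    result = triage("15.0.1.13012-1", SAMPLE_SECURE_LOG.splitlines())
    print("version affected:", result["version_affected"])
    for ev in result["root_accepted"]:
        print(f"ROOT LOGIN {ev.timestamp} via {ev.method} from {ev.source_ip}")
```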

  • Cybersecurity Must Lead, Not Lag, ASEAN’s Digital Transformation
    by Editorial on 2 July 2025 at 6:58 AM

    By Salleh Kodri, SE Regional Manager, Cyble

    ASEAN is going full throttle on digital growth. From cross-border e-commerce and AI deployments to digital identity and smart cities, the region is scaling fast. By 2030, its digital economy could be worth over $1 trillion. But here’s the catch: we’re laying digital tracks with gaping holes in security.

    Too often, cybersecurity is treated like a patch—not part of the blueprint.

    If ASEAN doesn’t shift to a security-by-design model now, we’ll end up with infrastructure that’s modern on the surface but vulnerable at the core. Here’s what a more mature, integrated, and forward-looking stance looks like—and why it’s urgent.

    1. Security That’s Built In—Not Slapped On

    Let’s start with the basics: if your app, platform, or government portal ships before it’s threat-modeled or pen-tested, you’re already behind.

    Case in point: the SingHealth breach in Singapore. Attackers exfiltrated 1.5 million patient records—including those of the Prime Minister—by exploiting an unpatched endpoint and poor admin controls. Meanwhile, in Indonesia, hackers accessed eHAC and KPU voter databases, leaking data of millions.

    This isn’t just sloppy—it’s systemic. We need security woven into the design, architecture, and procurement of digital systems. Think zero trust, secure SDLC, and routine threat modeling before code hits production.

    Organizations in the US and Europe are already guided by frameworks like NIST 800-207 and ENISA’s Secure Software Development approach. ASEAN governments and vendors need to stop treating those as “optional reading.”

    2. AI + CTI for Real-Time Defense

    Today’s attacks aren’t just faster—they’re smarter. You can’t rely on quarterly threat reports or passive monitoring anymore. In July 2022, Malaysia’s government networks were compromised by ransomware, remaining undetected for weeks. These kinds of breaches aren’t anomalies—they’re now the norm.

    What we need:

    - AI-driven threat detection that adapts in real time
    - Shared cyber threat intelligence (CTI) networks across ASEAN borders
    - Automation that can isolate and respond to anomalies in seconds

    The EU’s CTI Framework and the MITRE ATT&CK model are excellent references. ASEAN should be investing in regional CTI platforms with real-time data sharing agreements—especially for critical sectors like finance, telecom, and energy.

    3. Laws and Takedowns That Cross Borders

    Cybercriminals don’t care where your firewall ends. But enforcement often stops at the border. When FTX collapsed, investors across ASEAN lost millions. But the legal patchwork across countries made asset recovery and regulatory response chaotic. That’s a red flag.

    Here’s what needs to happen:

    - ASEAN must align with the Budapest Convention on Cybercrime
    - Establish a joint takedown task force for regional threat actors
    - Create a legal framework for real-time data and evidence sharing
    - Build a standing cyber law coordination body across ASEAN members

    GDPR gave Europe teeth. We need something similar in Southeast Asia that covers data privacy, incident response, and enforcement across jurisdictions, without getting stuck in years of negotiation.

    4. People Power Is the Core of Resilience

    No amount of AI or encryption will save a system if the humans running it aren’t trained. Right now, ASEAN is staring down a 2 million-person cybersecurity skills gap by 2026, according to (ISC)². That means huge attack surfaces—and not enough defenders.

    We’ve seen the consequences. In 2020, the Philippine police leaked troves of sensitive data thanks to poor database hygiene and untrained personnel.

    Fixing this means:

    - Building national cyber talent pipelines (like Singapore’s SG Cyber Talent)
    - Funding hands-on training and certifications for public sector teams
    - Embedding cybersecurity into school curricula and university programs
    - Creating incentive programs for SMEs to train staff—not just CISOs

    Skills, not tools, are the real firewall. And right now, we need both scale and speed in growing ASEAN’s cybersecurity talent.

    The Clock’s Ticking—And The Next Big Hit Could Be Worse

    ASEAN is sprinting toward a high-tech future. But without strong, integrated cybersecurity strategies, we’re laying the groundwork for massive disruption.

    Here’s what needs to happen now:

    - Bake in security from the first line of code
    - Let AI and threat intelligence lead, not lag
    - Tear down legal silos across borders
    - Build cyber literacy and skills as a national priority

    Cybersecurity shouldn’t be a Band-Aid. It should be in the blueprint. The next billion users in ASEAN deserve systems that are secure by design, not protected by luck.

    Let’s stop playing catch-up. Let’s start building smart—and secure.

  • Australia’s Qantas Confirms Cyberattack: 6 Million Service Records Compromised
    by Ashish Khaitan on 2 July 2025 at 5:56 AM

    Australia’s national carrier, Qantas Airways Limited, has revealed a cybersecurity incident. The Qantas cyberattack was traced to unauthorized access through a third-party customer service platform used by one of the airline’s contact centers. While the airline assured the public that flight operations and safety were unaffected, it confirmed that personal information of potentially millions of customers had been compromised.

    In a public statement, Qantas explained, “Qantas can confirm that a cyber incident has occurred in one of its contact centres, impacting customer data. The system is now contained.” The breach, described as criminal in nature, involved the targeting of a third-party system that stored service records for approximately six million customers.

    Decoding the Qantas Cyberattack

    According to the press release, Qantas experienced unusual activity on the third-party platform. The airline responded quickly by isolating the system to prevent further access. While the airline emphasized that its internal systems remain secure, the Qantas cyberattack did expose a wide range of customer details.

    An initial internal review confirmed that names, email addresses, phone numbers, birth dates, and frequent flyer numbers were accessed. However, Qantas reassured customers that more sensitive information, such as credit card numbers, bank details, passwords, PINs, and passport information, was not stored on the compromised platform.

    Qantas stated, “There is no impact to Qantas’ operations or the safety of the airline.” The airline has since ramped up security protocols, including additional restrictions on system access and heightened monitoring to detect and respond to any further threats.

    A Qantas spokesperson provided further details about the incident in a statement to The Cyber Express, explaining, “The cybercriminal gained access to the system on Saturday following an interaction with a call centre operator. Our teams identified and contained the threat on Monday morning, and the system was subsequently secured. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed.”

    Immediate Response and Ongoing Investigation

    Following the Qantas cyberattack, the airline has taken several security measures. Notifications have been sent to affected customers, along with an apology and details of available support. Qantas also set up a dedicated helpline for identity protection assistance. Concerned customers can call 1800 971 541 or +61 2 8028 0534, where they’ll receive guidance from specialists.

    The airline has formally notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. Qantas is also working closely with the Federal Government’s National Cyber Security Coordinator and independent cybersecurity experts to investigate the breach and prevent similar incidents in the future.

    Vanessa Hudson, Qantas Group CEO, addressed the incident in a statement: “We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously.”

    She added, “We are contacting our customers today and our focus is on providing them with the necessary support. We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”

    Customer Guidance and Next Steps

    While the investigation is ongoing, Qantas advises that customers with upcoming travel do not need to take any action. Flight details remain accessible through the Qantas website and mobile app. However, affected individuals are encouraged to stay vigilant, monitor for suspicious activity, and contact Qantas support if they have concerns.

    Darren Argyle, former Group CISO at Qantas, addressed the recent Qantas cyberattack in a LinkedIn post, emphasizing the airline’s unwavering commitment to customer security. He acknowledged the intense pressure on Qantas’ security teams, noting, “I know how hard these teams work behind the scenes, often under immense pressure when incidents occur.”

    Argyle also suggested the Qantas cyberattack might be linked to the notorious Scattered Spider group, known for targeting cloud-based services through social engineering attacks. He encouraged customers to stay informed through official channels and be cautious of any unexpected messages related to the incident.

    This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We will update this story once we have more information on the Qantas cyberattack or any further details from the airline.

  • Qilin Solidifies Claim as Top Ransomware Group
    by Paul Shread on 1 July 2025 at 8:15 PM

    Qilin was the top ransomware group by a wide margin in June, solidifying its position as the top ransomware group since RansomHub went offline at the end of March. It’s the second time in three months that Qilin led all ransomware groups in claimed victims, Cyble threat intelligence researchers reported in a blog post today.

    With 86 claimed victims for the month of June, Qilin was more than 50 claimed attacks ahead of rivals like Akira, SafePay, Play, and INC (image below). Cyble said the data is preliminary and could rise somewhat as all the data is finalized, but Qilin is essentially assured of finishing in the top spot.

    Qilin was the top ransomware group by a wide margin in June (Cyble)

    Can Qilin Remain the Top Ransomware Group?

    Qilin led all ransomware groups in April after RansomHub went offline (possibly in an act of sabotage by rival DragonForce). SafePay edged out Qilin in May before Qilin returned to the top spot in June.

    Part of Qilin’s success in recruiting Ransomware-as-a-Service (RaaS) affiliates in the wake of RansomHub’s decline lies in the services and support the Russia-linked group offers affiliates, including legal services.

    Among the group’s victims in June were high-value telecom, blockchain, healthcare and transportation organizations, Cyble said. Sensitive data may have been accessed, and some of the group’s attacks have had supply chain implications.

    Like other top ransomware groups, Qilin has overwhelmingly targeted the U.S., claiming 50 of the 213 total U.S. attacks in June. However, the group’s attacks have been more balanced across sectors, unlike other groups that have overwhelmingly targeted construction, professional services, healthcare and manufacturing.

    “It remains to be seen if Qilin has RansomHub-like staying power, but so far its desire to woo affiliates with sophisticated technology and services is paying off,” Cyble said.

    Other Ransomware Developments in June

    Overall, Cyble said ransomware groups had claimed 377 victims as of late June, within range of May’s final count of 401 victims, “and a sign of potential stabilization following a three-month decline from February’s record attacks.”

    Ransomware attacks by month 2021-2025 (Cyble)

    Other groups weren’t standing still, suggesting that Qilin will have to work to stay on top. The pro-Russian hacktivist group CyberVolk launched its own ransomware, the latest hacktivist group to move into ransomware. RALord rebranded as Nova and launched its own ransomware-as-a-service (RaaS) program, aggressively recruiting affiliates, and the Chaos group announced its own RaaS operation and aggressive recruitment efforts. A new ransomware group known as Kawa4096 also emerged, claiming five victims, with similarities to the Akira ransomware group. And the Scattered Spider group expanded from retail attacks to the insurance and airline sectors.

    As Cyble concluded, “The enduring resourcefulness of ransomware groups and their affiliates serves as a reminder that security teams can’t rest, either.”

  • Ransomware Response Improves Even as Preparation Lags
    by Paul Shread on 27 June 2025 at 9:57 PM

    One bright spot in Sophos’ annual State of Ransomware report released this week is that organizations have gotten better at stopping ransomware attacks before attackers are able to encrypt data. But otherwise the report shows that defensive and preventive preparation continues to lag, if not backslide in some cases.

    Ransomware Response Improves as Backup Lags

    The report, based on a survey of 3,400 IT and cybersecurity leaders in 17 countries whose organizations were hit by ransomware attacks in the last year, found that 44% of organizations were able to stop the attack before data was encrypted. That’s the highest rate in the survey’s six-year history (image below).

    Ransomware encryption rates decline (Sophos)

    Data was encrypted in half the cases, the lowest rate in the survey’s history, while in 6% of cases organizations faced extortion demands even when data wasn’t encrypted. The report also noted that:

    - 28% of organizations that had data encrypted also experienced data exfiltration.
    - 97% that had data encrypted were able to recover it.
    - The use of backups to restore encrypted data is at the lowest rate in six years, used in just 54% of incidents.
    - 49% of victims paid the ransom to get their data back, the second highest ransom payment rate in six years.

    Looking at recovery from backups vs. the percentage of ransom payments, the trend begins to appear worrisome: successful backup recovery has declined significantly, from 73% in 2022 to 54% this year, while the percentage of ransom payments has generally been trending higher throughout the report’s history (chart below).

    Recovery from backups is declining as ransom payment frequency is increasing (Sophos)

    The average ransom payment fell from $2 million in 2024 to $1 million in 2025, largely because of a sizeable drop in ransom payments of $5 million or more. On average, ransom payments were 85% of the amount demanded; 29% said their payment matched the demand, 53% paid less and 18% paid more.

    Excluding ransoms, the average cost to recover from a ransomware attack dropped from $2.73 million in 2024 to $1.53 million. More than half of organizations – 53% – fully recovered in a week, up from 35% in 2024.

    The Root Causes of Ransomware Attacks

    For the third straight year, ransomware victims said vulnerabilities were the most common technical root cause of an attack, exploited by attackers in 32% of incidents. Compromised credentials were the second most common attack vector even as those attacks fell from 29% in 2024 to 23% in 2025. 19% of victims reported malicious email as the root cause and 18% cited phishing.

    A lack of expertise was a factor in 40.2% of attacks, followed by unknown security gaps at 40.1%. Lack of people and capacity was cited in 39.4% of attacks.

    Overall, the report suggests that organizations still have much progress to make on essential ransomware protections such as vulnerability management, segmentation and zero trust, ransomware-resistant backups, and infrastructure and endpoint hardening and monitoring.