Explore how CyberLab & Sophos tackle ransomware, reveal real-world impacts, and share practical tips to keep your business secure in 2025.

Tales From the CyberLab: Episode 15

The State of Ransomware Explained #2

with Jon Hope, Senior Technology Evangelist at Sophos

Ransomware Reality Check – Are Organisations Ready for the Next Wave? 🦠

Adam Myers is joined once again by Jon Hope, Senior Technology Evangelist at Sophos, for Part 2 of our ransomware deep dive.

Drawing on the Sophos State of Ransomware Report 2025, they explore the latest tactics, impacts, and practical defences every business needs to know, including…

✔️ How remote ransomware exploits unprotected devices
✔️ The fallout after an attack – from guilt to leadership changes
✔️ Why openness and verification stop social engineering
✔️ Steps for resilience: training, response, and backups
✔️ Why no organisation is “too small” to be a target

Don’t miss this essential update on the state of ransomware – and what you can do to protect your organisation.


Meet Our Guest

Jon Hope

Since joining Sophos in 2011, Jon has taken on a variety of roles, including Channel Manager, Firewall Specialist, and Sales Engineer.

Currently, as a Senior Technology Evangelist, he leverages his deep passion for cyber security to engage audiences as a dynamic speaker, showcasing the cutting-edge technologies and services Sophos provides to safeguard users.

Episode Transcript

Adam Myers

Hello and welcome to our podcast Tales from the Cyber Lab. My name’s Adam Myers. I’m the Sales Director here at CyberLab and I’ll be your host for today. I’m joined by Jon Hope from Sophos. Welcome, Jon.

Jon Hope

Thank you very much. Thank you for having me back, in fact.

Adam Myers

Yes, this is your second innings here, so good to have you – can you just tell us a little bit about your role at Sophos and what you do, Jon?

Jon Hope

Okay, so I have two roles, but I’m here today in the capacity of Senior Technology Evangelist, and that’s a grandiose title, but effectively what I do is spend a lot of time doing public speaking. I’m talking about the threat landscape, which is obviously very relevant for today’s session, and also looking through some of the research that we conduct and presenting that in an accessible format to help people understand the challenges that organisations of all sizes face.

Adam Myers

Nice. So you joined us in 2024, which was, I wasn’t a host back then, but you discussed the State of Ransomware Report for 2024. So we’re going to get a second go at that with 2025 and talk through what you are seeing and what our users and people need to look out for. So straight into it: I guess the first question, and the topic again is around the threat landscape in 2025, is why are UK organisations still falling victim to ransomware in 2025 from your perspective?

Jon Hope

Okay, well the simple answer straight away is really that we face a highly organised opponent, very, very organised criminal gangs that launch ransomware. Obviously, ransomware has been around for a long time, so they’re continuously honing their tactics and capabilities. So the primary reason is a determined adversary. But when it comes down to the actual technical reasons for it, you can really divide those into two camps.

The first one is exploited vulnerabilities. And what I mean by that is typically weaknesses within software where organisations maybe haven’t patched successfully or the cyber criminals have found some kind of loophole in software that has never been seen before. And consequently, there’s no protection against those particular loopholes, which on the face of it you could say is probably a technology challenge. And it is to an extent. But as you rightly point out, it is 2025 and organisations of all sizes know that patching is important.

So whilst it’s frustrating when your computer boots up and it wants to pull down a load of updates and it might stop you from working, people know that that’s an important process. But still organisations fail to patch effectively for a number of reasons, really primarily because they simply don’t have enough time. In most cases, organisations know they should be doing it, but they don’t really have the time to be able to run all their cyber security and all their other IT functions and worry about patching as well.

So it’s not really a lack of willingness to patch or a lack of awareness as to why they should be patching, but it’s just not really having enough time, which is partially a people problem.

Adam Myers

Patching has always been seen as something that is quite difficult, I think, down to the time when you do it, was it Patch Tuesday, whatever it’s called, but it is maybe evolving now. You have automated patch management solutions and things like patch lift, protect, where it can cover legacy systems again that sometimes can’t be patched. I guess there’s a lot of tools now available in the market which are helping with that, I think.

Jon Hope

There’s lots of tools available, but the problem is the scale of the problem itself: if you think about the number of bits of software you’ve touched already during the course of today, it’s a lot. So there’s a lot of things to keep on top of. And I would say the people problem is really just a lack of time. And this is where we start looking at things like tool sprawl.

And it’s interesting you mentioned there are tools out there to help you, but obviously a lot of IT administrators have no end of other tools to worry about. So sometimes we talk about consolidating cyber security solutions down to try and give organisations a bit of time back to go and do other things.

Adam Myers

You can do that, can’t you? You can just spend wild sums of money on new tools and protection. And often we do the posture assessment and we see that people have kind of overloaded on tools, and maybe that’s a historic thing.

And I think what Sophos is doing really well is that collaboration piece, where you can work with other sort of vendors where you’ve maybe put your investment into that using MDR and the integration packs. I think that’s brilliant about what you guys are doing and you’re obviously market leading for that reason. But I think consolidating tools sometimes is a better mechanism for defence in a way, isn’t it? Because you’re not sort of overloaded with too many tools in a way.

Jon Hope

Exactly. The idea is it gives you some time back. So if we move down from the most common attack vector, being exploited vulnerabilities, the rest are very much people problems. So as, generally speaking, cyber security technologies have got better at protecting against threats, the cyber criminals are increasingly targeting humans. So what we see, broadly speaking, as the next most common attack vector is targeting the humans through things like phishing or things like compromised credentials.

And those are very difficult attacks to thwart because ultimately a human has carried out an action, or their identity has been sold, and then the cyber criminals are effectively masquerading, pretending to be that human. And from a systems perspective, they’re going to get all the access that that person has got because it’s very difficult to distinguish the difference between a legitimate login versus that identity being stolen. And this is why we don’t so much talk about strong passwords these days. I suppose we’re talking more about multifactor authentication and securing systems in other ways, making sure that systems are not being made accessible to people that don’t necessarily need to have that level of access.

But these are all human problems. And that challenge is also compounded a little bit by AI, and I’m thrilled that we’ve made a couple of minutes in before I mentioned AI, but it’s kind of mandatory to mention it in some way. But it’s really interesting to see the way the cyber criminals are using AI because it’s not probably the way that most people would think. They’re not really using it to write exploits or attacks or anything like that. But what they are doing is using AI to very effectively replicate major brands when it comes to phishing attacks. And it used to be the case that we would train our users, and you should definitely train your users to recognise phishing.

We used to tell them that if you saw messages that were badly formatted, spelling mistakes, punctuation errors, that was probably the indication that that was fraudulent in nature because let’s face it, the first language of most of the protagonists involved in these kind of attacks, it’s not English, but AI solves that problem straight away because obviously it will write you perfectly formed English, which is very difficult to distinguish from human written English.

But then it goes beyond there. It goes to looking at major brands, looking at their imagery, looking at their brand tone of voice to a point where it is really difficult to distinguish the difference between an attack and something which is actually legitimate.

Adam Myers

You showed us that at Secure Tour, didn’t you? I think one of your slides was pretty fascinating around the colours and the brand, like you said, and looking through how realistic it looks now; there’s not the errors to spot quite as easily anymore. Like you said, the language is quite sophisticated. So again, that’s how AI has adapted that sort of phishing threat, isn’t it?

Jon Hope

Absolutely. That’s the name of the game: to make it look authentic.

So we shouldn’t be thinking of users who fall for these as being ‘idiots’ because the reality is that anybody in the right set of circumstances would potentially fall for something like this because it looks accurate. And again, beyond just simply looking accurate, cyber criminals will do research.

They’ll look to see maybe who your suppliers are or maybe your social media and find out some of the things that you’re interested in so that when that campaign arrives, it is not just a generic broad brush attack, it is very much focused on you and your reality so that you are probably going to click on it.

Adam Myers

I think our CyberLab Control platform as well, for the users listening, is really good for that. So we can bespoke campaigns for you, so if you use bespoke systems, we can maybe get the logos, we can put that in so we can create that phishing simulation attack, which is exactly what you’re saying.

So you can kind of train people to spot those logos that maybe look a bit different. It might be a bespoke CRM, for example, and we can maybe train that out as part of that phishing simulation training. So something just to look at with our CyberLab Control training platform.

Jon Hope

Yeah, it’s so important to train users and, bang for buck, it’s probably the best investment you’ll ever make.

Adam Myers

Amazing. So onto the next topic: what happens to the data once ransomware hits?

Jon Hope

Okay, so that’s an interesting question in itself because in most cases, as part of a ransomware attack, I mean not exclusively, but in most cases the cyber criminals will encrypt your data. They’ll jumble it all up such that they are the only people who can then put it back together again and you are typically faced with this challenge of do I pay the cyber criminals or do I accept the data’s lost? Because those are typically the only two choices, particularly if you don’t have a good backup. But that’s a whole other story in itself. And if we get to a point where data’s been successfully encrypted by the bad guys, a lot of things have gone wrong to get to that point.

So we would ideally like to see rates of encryption being really low, but again, in 2025, we still see, depending on which stat you want to look at globally, we see 50% of ransomware attacks involving successful encryption of data. In the UK, it’s still 70%.

And that means that in 70% of cases, the technology measures you’ve put in place to protect your organisation are just not really cutting it. And that’s really because of an adaptation of the way the cyber criminals launch their attacks. It’s a game of cat and mouse. They’re always changing the way they launch attacks. And what we’re seeing a lot of now is what’s called remote ransomware. So I’ll try and make that as simple a concept as I can.

Basically the cyber criminals will look for a device somewhere in the estate that is unprotected, is unmanaged. No matter how big or small the organisation is, somewhere there’ll be a device that you just forgot to instal protection on, or the process has stopped, or a bunch of reasons that go behind it, and the cyber criminals will get hold of that. But what they will do is, instead of trying to encrypt the data that’s actually on that device, they will use it as a bridgehead to then launch encryption attacks at other devices that actually might have protection installed on them.

Most cyber security vendors that offer endpoint protection, server protection, they don’t actually cover that attack vector because the bad code is happening on this unmanaged device that no one’s got control over. And that’s really what they’re looking for is execution of malicious code. The way that Sophos works is slightly different. So we have a lovely feature called CryptoGuard, which is actually looking for encryption events happening no matter where the actual demands for encryption came from.

So we still cover against remote ransomware, and we’re the only top right hand corner Magic Quadrant vendor that actually has that good coverage. And that’s one of the reasons why we see so many successful encryption attacks: because most cyber security vendors don’t cover that attack vector. And it’s a really, really common way for the cyber criminals to encrypt data.

Adam Myers

So you’re doing something quite unique though, because that is quite common, isn’t it? You’ll probably have a number of devices that aren’t protected, and that then puts the business at risk, doesn’t it? So is there any way you can, is it more of a process thing to make sure that you keep on top of your licences for the number of users or devices? Is there some sort of process we should be introducing there as part of the business maybe?

Jon Hope

There’s definitely an element of that as much as you possibly can. When you provision a device, you roll out protection for it, but it’s very difficult, particularly in bigger organisations to keep an eye on everything. And there will always be cases of devices that simply can’t have protection installed. So we’ve seen internet of things devices like printers or CCTV cameras be used as an attack vector and you can’t instal protection on those things.

So this is where we talk a bit about NDR, so another acronym for the industry: Network Detection and Response. So that’s looking at the traffic that’s flowing across your estate. So even if you can’t manage the endpoint itself, you can still at least see what’s going on around the estate and that’s a good way to keep on top of that.

Adam Myers

And is that a sensor that kind of sits on the network, isn’t it? It is great. I think we see it in the NHS; it’s quite a prevalent thing. It’s really popular for those devices that we can’t get endpoint protection on. So protection at that network layer, isn’t it, which does try and give you a lot of protection there, which is great to see.

And we’re seeing a big uptake of customers onboarding with one solution and it seems like it’s only getting bigger and better on what we can see.

Jon Hope

Absolutely, yeah. So it essentially sits next to your switches. So it is a virtual machine that sits next to your switches, gets a copy of all the data that’s going through your switches so that it can have that visibility into your network traffic. And the NHS is a really interesting example because many medical diagnosis machines, they come out the box and the manufacturer has specified that that’s how they work and you can’t just randomly instal other bits of software on them. So it does potentially leave you in that weak spot of not being able to protect. So having NDR as visibility is good.

And Sophos Central also keeps on top of this. If you do happen to be a Sophos customer and we see an encryption attack happening, then you will very clearly see in the console which device has launched the attack. Even though it might not be managed, we’ll still get an IP address and you can start the process of then trying to find where that is.

Adam Myers

Amazing. Alright, so I think moving into our third topic, so are ransom demands and payments increasing or decreasing from what we can see in the report?

Jon Hope

I just want to answer a question that you didn’t ask beforehand and just talk a little bit about extortion. So we focus a lot on encryption, but one of the things that we have observed between last year and today is an increase, albeit a small one, from 3% to 6% of ransomware attacks actually not involving any kind of encryption. So the cyber criminals are also getting pretty good at stealing data as well. And that’s much more difficult to protect against, even with a backup.

And the process of extortion then is that data is published externally and the organisation just gets their reputation damaged that way, or the data itself obviously has intrinsic value that can be sold. So that’s just a trend to watch on that front.

Adam Myers

I was at Dish and there was actually a really good seminar that I was watching there around hacktivism, and we often think that it’s always about trying to gain money. There’s a lot of other areas that we maybe don’t talk about as much, but hacktivism or sharing that data and just publishing it on the dark web, there’s a lot that happens in there. It’s not just always for, say, damaged reputation and whatnot. So yeah, we see a lot of that as well.

Jon Hope

Or just simple disruption. Disruption is destroying data with no intent to ever give it back at all and not even asking for money. Fortunately, it’s quite small as a percentage, but it is definitely a factor that we need to look at as well.

Adam Myers

So I think just back to that question, are payment demands increasing or decreasing do you think?

Jon Hope

We’ve actually seen a reduction in ransomware demands, but we’ve also seen an increase in the quantity, if that makes sense. So the cyber criminals are making more money out of more small demands. We’ve seen a dramatic reduction in the ransomware demands of $5 million and less, but it’s still a high percentage that include demands of over a million.

And the cyber criminals are very, very good at targeting their demands appropriately. In other words, what they do is they look at their victim organisations and they work out what the ability to pay actually looks like. So they’re getting better at honing it down to an organisation’s pocket depth so that they don’t place a ransom demand in front of an organisation which is just unrealistic, because they obviously won’t pay in those circumstances.

So we have actually seen a reduction in ransom demands. It’s also interesting to look, for the first time this year, at how organisations fare when they negotiate with the cyber criminals. Sometimes you’ll actually get a reduction, so a bit like a parking fine: if you pay early, then you might get a discount.

And sometimes we’ve actually observed situations where victims have negotiated with the cyber criminals and upset them and ended up having to pay more or the cyber criminals kind of decide that the victim organisation maybe can afford to pay more. So it is a bit of a double-edged sword negotiation.

Adam Myers

They’re becoming more efficient is kind of what you’re saying, in the sense of less volume but higher demand. So they’re focusing on a sweet spot, and these organisations are run like businesses; we talk about how they almost have a rating on the dark web in terms of paying out and giving back the data. There’s a lot that we don’t see there; they run a very sophisticated business.

Jon Hope

Oh, it’s incredibly sophisticated. Yeah, absolutely. So what we’ve seen because of these economies of scale is that the ROI calculations associated with launching an attack have changed, and organisations that traditionally would probably have been too small to be a victim, now that doesn’t apply anymore.

Cyber criminals will launch attacks based on how much they think they’re going to get out, but obviously also how much it costs, in the same way that legitimate businesses make ROI decisions. So we see organisations becoming victims because it’s now more cost effective for cyber criminals to launch an attack, and the cyber criminals typically have a franchise model as well.

So you can buy in as an affiliate and if you want to understand the sophistication, then many ransomware gangs, they almost compete with each other for the best terms and conditions for their affiliates.

Adam Myers

A bit like Ransomware as a Service, isn’t it? We’ve seen that with some of the latest stuff in retail. That model is kind of taking off now in terms of how they’re building out that business.

Jon Hope

Absolutely. You don’t necessarily even have to be that technically minded. It is almost ransomware by numbers now you can follow guides and many ransomware gangs have support networks and forums or phone numbers that you can call to work through. So yeah, it’s an amazingly sophisticated ecosystem that goes behind this, which is why the problem is as big as it is.

Adam Myers

So I think for our users it’s definitely read that report. You gain a lot. It’s quite good for vertical specifics as well, isn’t it? So you get to see your area, you can see what sort of the threats have been. Certain sectors get hit a little bit harder at certain times and whatnot.

Jon Hope

Absolutely. Yeah. So we split it out by geographies, so all different territories. So as I mentioned, sometimes we see some quite big changes, so the UK having 70% of successful encryption attacks is quite different to the rest of the world.

So it’s good to look at that. But it is interesting to look at different verticals as well because different sectors have different challenges, different experiences of attacks. So yeah, it is good to be able to break those statistics down and look in more detail at your own personal sector.

Adam Myers

Question number four. So what is the real business impact of a ransomware attack? What impact do you see and what does it have on the business?

Jon Hope

The most extreme example is that it will put organisations out of business. So the headlines are full of organisations that have actually been put out of business as a result, and it’s really important to have a recovery plan to not be the next headline. Typically, organisations that experience the worst impact are ones that don’t invest in backups.

Backups are such an important part of a defence strategy, but also knowing what to do if you have an incident. So we offer advisory services to help organisations build a plan as to what would happen if an event was real and to help them understand what the impact could be, because it can be much more devastating than you think. Sometimes we’ve seen incidents where organisations have written an incident response plan and stored it on a server, and of course as soon as they go to fetch that, they realise the data’s been encrypted.

So they’re immediately unsure of what to do next. Simple things like who would you call: if your contacts list is on your computer, then that could be encrypted. You certainly can’t email people because that’s probably going to be offline. So all of those things are really important; to exit an incident in the best possible state you need a really good plan as a basis.

Adam Myers

We see a lot of people don’t test that plan though, don’t they? Which is quite a basic thing to do, just maybe even once a year, build that in as part of your processes to just test the plan and do those incidents and see what that looks like. And there are various things that we can now offer, like tabletop exercises, to push that and see how you would react, which I think is where maybe the industry is moving; with our penetration testing team there’s things that we can maybe do to help with that, but that’s really where you find the weaknesses within a business: how you respond.

Jon Hope

Absolutely. Yeah. So things to bear in mind is testing, particularly in bigger organisations, where you might be working in cross discipline teams with people that you’ve never really met before. So if you’ve gone through an exercise with them, at least you have a bit more familiarity. That’s a good starting point, and updating the plans as well.

So obviously IT is dynamic and you start bringing new servers online, you change providers, you move systems around. It’s no good having a plan that’s out of date. So that’s a really important thing as well. And then the other key learning that we’ve had from real incident response calls is have the plan, print it and make sure it goes home with key personnel, because it’s got to be somewhere accessible and storing it digitally is not a safe option.

Adam Myers

Yeah, brilliant. Good takeaway there. So yeah, good to see – how are ransomware attacks affecting the people behind the screens?

Jon Hope

It can be really devastating at a personal level as well. In the State of Ransomware Report for 2025, we actually started to look into the human impact because we talk about the financial impact and regulatory impacts, but we don’t really talk about the people. And there’s some interesting information that we can get from looking at that State of Ransomware Report. The first one being really that as you probably would expect, sensations of things like guilt and remorse. Most of us are proud of our jobs and we want to do a good job. And there’s always this sort of stigma that if you got hit by ransomware that maybe you let the organisation down in some way.

Probably not true – but people feel personally responsible and that can escalate through to feelings that they maybe don’t want to get back to work for a little while or take time off. And we do actually see leadership being changed as well. So we do sometimes see fallout from, in fact, as many as 25% of cases where ransomware has then led to organisational managerial changes off the back of it.

So it can be devastating from a whole different range of aspects, but the typical things that we’re seeing are experiences of feelings of guilt really, which is a real shame, and that pressure of trying to get things back up and running as quickly as possible because, again, most of us are proud of the company we work for. We want to help as much as we can. And so those things can be really quite traumatic.

Adam Myers

I think Stuart touched upon this in one of our previous podcasts if you want to listen to that. I think it’s changing the culture within a business to some extent, that if something does go wrong or something fails, it’s sharing, making sure that they feel comfortable with how to process that and share that.

So it’s not a sort of blame culture, it’s more of as a business, we need to reflect on this and how do we improve this process the next time and learn from other industries that maybe go through that analysis in more of a fail and learn and go from there as opposed to blame culture, which I think we’ve got to avoid in cyber security.

Jon Hope

Culture is so important. And I talk about that a lot and it transcends all different aspects of the business. One is making sure that it’s not just an IT problem; it’s absolutely a board level decision and through to individual users. And like I said, not looking at them as idiots if they click on phishing links; instead, rather than fear of contacting IT or IT security to say I’ve made a mistake, actually proactively saying I had an email come in, I fell for it, I clicked, we need to do something about this.

Because there’s nothing worse than burying that information because then it’s much more difficult to try and piece together the attack if you don’t understand what the root causes were. So having that culture of openness is super important and the culture to challenge things as well because we do see attacks that are just, they’re not really in the digital realm at all. We’ve all heard of stories where somebody’s had an email come in and they’ve been asked to transfer money to this bank account and that sort of thing. And sometimes people are a bit frightened of verifying it or saying no to this supposed CFO that’s probably being impersonated.

So you really want to have that culture where if somebody asks you to do something that’s out of character, you ought to be comfortable in picking up the phone or verifying it through some mechanism that it is actually a legitimate request. And nobody should be chastised for asking – much better to ask and get it right than make a mistake, really.

Adam Myers

I think that’s a really good point. Yeah, just like those processes that you might be able to put in place, just double check if somebody is asking for a large payment, even maybe teams and check it’s them. But just I think going back to that culture element, it’s just putting those little processes in place which might stop it at the source.

And if something that does happen that we talk openly and we review it, but it’s a way of learning, I think. Yeah. Great. So just some final thoughts. If we had to say one thing, one takeaway from this podcast episode, what would it be and what would you like our listeners to take away from this 20, 30 minutes?

Jon Hope

One thing. Okay. Work on the assumption that you probably will be hit at some point is probably the one thing, and start from that position. Train your users, but don’t assume that you’re going to get it right a hundred percent of the time because humans are all fallible.

We’ll make a mistake at some point. So start with user training and then build in mechanisms if something does go wrong. And that’s a combination of technology and then the processes that we’ve just talked about. And just don’t ignore the problem. It’s very real. Don’t assume you’re too small. It’s definitely a challenge that faces organisations of all different sizes.

Adam Myers

Brilliant. What a conclusion. So that concludes this episode of Tales From The CyberLab. Join us next time for our new episode. Until then, Stay Secure.