Zero-Day Newsletter: Cybersecurity reports, news, and insights for IT professionals
The cheekiest cybersecurity newsletter on the planet.
Cybersecurity news doesn't have to be boring. Comparitech's Zero-Day Newsletter is focused on giving IT professionals weekly updates on cybersecurity alerts, ransomware news, industry insights, and IT product recommendations.
As our ransomware roundup, published today, has found, April 2025 was the quietest month for ransomware attacks this year so far. We noted 479 attacks in total, 39 of which were confirmed by the targeted entity. In March, we noted 713 (69 confirmed).
It’s too soon to pop the cork on the champagne, however.
As we know all too well, ransomware gangs are constantly evolving and regrouping. And that’s something we noted in April, too. After being hailed as the most prolific ransomware gang in recent months, RansomHub went completely dark in April. But surging forward with its claims was Qilin (a gang which, if rumors are correct, many of RansomHub’s affiliates are migrating to).
Here to learn about paying (or not paying) ransomware ransoms? Scroll to the bottom!
British retailer M&S loses its spark…
Since last week, one of the UK’s biggest retailers (Marks & Spencer AKA Marks & Sparks) has been grappling with an attack which has been attributed to Scattered Spider (the same gang that targeted MGM Resorts and Caesars Entertainment in 2023).
While M&S was quick to confirm a cyber attack, it’s been less forthcoming with details on the nature of the attack and any potential breach of data. And with around 30 million customers choosing M&S each year, the consequences of a data breach could be catastrophic.
With that in mind, what is the sell-by date of a ransomware attack? And just how long is too long to report a breach following an attack?
…is Complete Payroll Solutions in the US. This week, it started issuing supplementary data breach notifications following an attack in March 2024. Initially, it had issued data breach notifications to a total of 320 people in October 2024, but now this figure has ballooned to over 24,000, and counting.
As it stands, an additional 21,963 people in New Hampshire, 1,961 in Texas, and 40 in Montana are being notified of the breach. As more notifications are issued in other states (including Massachusetts, the state in which it's based), it’s likely this figure will rise even further.
Denying a data breach before dealing with it later…
...is Charleston County School District. In July 2024, it was hit by RansomHub. After Comparitech contacted it when RansomHub posted CCSD to its data leak site in August 2024, CCSD said: “We are not aware of any malicious misuse of school data.”
Now, it’s notifying 20,653 people about the breach.
While we’re all for the glass-half-full approach, being a little bit pessimistic and assuming the worst is often a better course of action when it comes to ransomware attacks. That way, anyone whose data may be impacted is on alert from the outset. And the company involved doesn’t have the unpleasant job of wiping extremely rotten egg off their face months later.
…is the aforementioned Qilin after it came forward to claim one of the biggest attacks this year so far: the March 2025 attack on Malaysia Airports Holdings Bhd.
Not only did the attack lead to disrupted flight information displays, check-in counters, and baggage handling, but it now appears that the subsequent data breach could be significant. In its post, Qilin claims its upcoming data leak is a “looming catastrophe” for the airport company after officials rejected its $10 million ransom demand.
Picture this: You wake up bright and early, complete your grueling 30 minutes of exercise, shower, make coffee, and at long last, open your work computer. Your inbox is packed, as it always is.
Meeting request.
Leave request.
Sales spam.
Weekly newsletter.
Ransomware demand.
"Wait...what?" You break out into a cold sweat, and then, over the next 24 hours, all hell breaks loose across your organization as your network shuts down.
That's a scenario that thousands of business leaders are facing every year as ransomware continues to plague companies worldwide. But this comes with the ultimate question that many leaders never want to have to answer: Do we pay the ransom?
As of 2023, the majority of businesses say no. Only around 20% of companies now choose to pay ransoms. That speaks, in no small part, to the increasing awareness and stronger security and disaster recovery posture that businesses now have.
But there's also a risk to saying no if your disaster recovery plan is poorly conceived or non-existent.
Case Study: MGM Resorts
In September 2023, MGM Resorts fell victim to a ransomware attack orchestrated by a group known as "Scattered Spider." The hackers infiltrated MGM's systems through social engineering tactics, leading to widespread disruptions: slot machines ceased functioning, digital room keys were disabled, and reservation systems went offline. MGM chose not to pay the ransom and instead undertook a complete system rebuild. This decision resulted in over $100 million in losses due to operational downtime and recovery efforts.
Scattered Spider's ransomware demand on MGM was $30 million. All told, MGM's refusal to pay resulted in a loss over 2x what it may have seen had it shelled out the cash.
That's a tough business decision.
On the one hand, the less often companies pay ransomware demands, the less likely ransomware gangs are to continue thriving using that tactic. On the other hand, the cost of not paying can be high. A company like MGM can eat the added $70 million cost. It hurts, but MGM Resorts had a net profit of $1.3 billion USD that year. They weren't hurting. But for a small company with tighter profit margins, the cost of downtime could be enough to destroy the business. It's hard to stand on a moral high ground when your business could fold and you and your employees are left jobless.
What's the right move when it comes to paying ransoms?
MGM's example highlights a few needs:
Enhanced network security reduces the risk of becoming a victim at all: Regular security audits, employee training, and updated defense mechanisms are essential to prevent breaches.
Cybercrime insurance will help with recovery costs and potentially even ransomware payments, reducing direct financial impact: Having comprehensive cyber insurance can provide vital support during recovery, covering costs associated with system restoration, legal fees, and more. Insurers may also help you negotiate with ransomware gangs to lower the demand.
Effective incident response planning can make saying "no" much easier and more cost-effective. Developing and regularly updating a response plan ensures swift action during a cyber crisis, minimizing damage and downtime.
Refusing to pay a ransom can make you feel powerful in the moment. Ransomware gangs thrive on fear, and telling them no sends a pretty powerful message that you aren't scared and won't tolerate their shenanigans. It can also deter ransomware gangs in the long term. In the short term, though, you may want to prepare for the consequences. That includes a potentially higher cost to recover from a breach and reputation impacts due to extended downtimes and stolen data. Investing in robust cybersecurity measures and having a solid recovery plan are not just best practices—they're essential strategies for resilience in today's digital landscape. Nobody likes bowing to a bully, and that's exactly what these criminals are. By standing up, you increase your risk of further financial damage. For some companies, that's a risk worth taking. But don't feel bad if it's one you can't personally take yourself.
Until next week. Let’s keep that zero-day count hardened at zero!
Suite 3 Falcon Court Business Centre, College Road, Maidstone, Kent ME15 6TF