Barracuda research shows that nine out of ten ransomware incidents in 2025 exploited firewalls. In the fastest case, there were three hours between the intrusion and the deployment of ransomware. Vulnerabilities that are more than ten years old are also still being actively exploited.
The findings of the Barracuda Managed XDR Global Threat Report are based on more than two trillion IT events collected in 2025, including nearly 600,000 security alerts and data from more than 300,000 secured endpoints. Or, as Barracuda Networks itself puts it: the company alerts a customer within 15 minutes, while automatically blocking a cyber threat every hour.
The report shows that in 90 percent of the ransomware incidents investigated, attackers gained access through firewalls, by exploiting unpatched software or vulnerable accounts. The most frequently detected vulnerability, CVE-2013-2566, is thirteen years old: a weakness in the RC4 algorithm as used by the TLS and SSL protocols. Anyone who wants to be protected from this danger should use TLS 1.3. More generally, no one should trust RC4 as used by SSL 3.0, the last SSL version before the protocol was superseded by TLS. Old servers or embedded devices may still carry this vulnerability and should therefore be protected and patched where possible.
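To make the recommendation above concrete, the following added example (not from the report or from Barracuda) audits an nginx-style TLS configuration for the SSLv3/RC4 weakness and builds a Python client context that refuses anything older than TLS 1.3. The `ssl_protocols`/`ssl_ciphers` directive format and the sample configuration are assumptions.

```python
"""Audit a TLS configuration for SSLv3/RC4 and build a TLS-1.3-only client context."""
import re
import ssl

# Protocol versions and cipher markers that still admit RC4-era weaknesses.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PATTERN = re.compile(r"RC4|NULL|EXPORT", re.IGNORECASE)


def audit_server_config(config_text: str) -> dict:
    """Scan nginx-style 'ssl_protocols' and 'ssl_ciphers' directives (assumed
    format) and return the weak protocol names and cipher tokens they enable."""
    findings = {"weak_protocols": [], "weak_ciphers": []}
    for raw in config_text.splitlines():
        line = raw.strip().rstrip(";")
        if line.startswith("ssl_protocols"):
            for proto in line.split()[1:]:
                if proto in WEAK_PROTOCOLS:
                    findings["weak_protocols"].append(proto)
        elif line.startswith("ssl_ciphers"):
            cipher_list = line.split(None, 1)[1].strip("'\"")
            for token in cipher_list.split(":"):
                # A leading '!' removes a cipher from the list, so it is not a finding.
                if WEAK_CIPHER_PATTERN.search(token) and not token.startswith("!"):
                    findings["weak_ciphers"].append(token)
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.3 (TLS 1.3 defines no RC4 suites)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def enabled_weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of cipher suites enabled in ctx that match the weak pattern."""
    return [c["name"] for c in ctx.get_ciphers() if WEAK_CIPHER_PATTERN.search(c["name"])]


# Constructed sample of a legacy server configuration (not taken from the report).
LEGACY_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_ciphers 'RC4-SHA:AES128-SHA:!aNULL:!MD5';
"""

if __name__ == "__main__":
    print(audit_server_config(LEGACY_CONFIG))
    print(enabled_weak_ciphers(hardened_client_context()))
```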
In the fastest ransomware attack observed by Barracuda, encryption took place three hours after the initial intrusion. The attack involved the Akira ransomware. Such a short time span gives defenders little time to detect and respond. This is because attackers actively use legitimate IT tools such as remote access software and target unsecured equipment. Compounding this, attackers use LOTL (Living Off The Land) techniques, whereby legitimate applications are used for malicious purposes.
In 96 percent of incidents involving lateral movement, a ransomware attack followed. In other words, if an attack extends beyond an endpoint, it is almost certain that the malicious actor will encrypt and possibly steal data. This movement also appears to be the most important indicator of an impending attack.
The form that such lateral movement takes also varies and changes over time. One example is that hypervisors have become a more frequent target, because compromising one affects multiple systems at the same time.
In addition, 66 percent of incidents involved the supply chain or a third party. That is an increase from 45 percent in 2024. Attackers exploit vulnerabilities in third-party software to bypass defense mechanisms. Recent research has shown that Cisco firewalls have been under attack by advanced threat groups for six months.
“Organizations and their security teams—especially if that ‘team’ consists of a single IT professional—face a huge challenge,” said Merium Khalid, Director of SOC Offensive Security at Barracuda. “What makes targets vulnerable is often easy to overlook: a single vulnerable device, an account that wasn’t disabled when someone left the organization, an inactive application that hasn’t been updated, or a misconfigured security feature. Attackers only need to find one to be successful.”
