Cyber Threat Index 2025: Deciphering the Ransomware Playbook

Cybersecurity threats evolve quickly, and many businesses struggle to separate real risks from the noise. The constant barrage of attack types, software vulnerabilities, exposures, and misconfigurations makes it difficult to know where to focus security efforts.
Prioritization is even more challenging for under-resourced small and midsize businesses (SMBs) that can only afford to make a handful of strategic security investments.
At Coalition, our mission is to protect the unprotected. The Cyber Threat Index 2025 offers data-driven insights into the latest cyber threats, combining intelligence from our insurance claims data, global honeypot network, and advanced vulnerability analysis.
Our latest report focuses on the ransomware threat landscape and provides practical guidance to help organizations of all sizes and industries build resilience against a threat that has become a national security problem.
The ransomware playbook
Ransomware attackers rarely introduce new tactics. Instead, they rely on tried-and-true methods that exploit common vulnerabilities and security misconfigurations.
Our research found that most ransomware incidents start when attackers exploit virtual private networks (VPNs), remote desktop tools, and firewalls — the most commonly compromised technologies used to gain initial access.
Technology vendors such as Fortinet, Cisco, SonicWall, and Palo Alto Networks build the most frequently compromised products. These products, which typically offer VPN and firewall functionality, fall under the broader category of perimeter security appliances that organizations integrate into their physical networking infrastructure.

Leading attack vectors
Compromised credentials remain the top initial attack vector (IAV), contributing to nearly half (47%) of the ransomware incidents analyzed in our report. Attackers often obtain credentials through phishing, brute-force attacks, or infostealers. They use these stolen credentials to target Remote Desktop Protocol (RDP) and VPNs, gaining privileged access to internal systems and networks.
Software exploits are the second-most common attack method, highlighting the critical need for businesses to prioritize patching the riskiest vulnerabilities. Ransomware attackers frequently targeted weaknesses in multi-purpose networking devices from Ivanti, Fortinet, and Cisco, as well as Microsoft Exchange Email Server and open-source Linux web servers.
Compromised credentials contributed to 47% of the ransomware incidents analyzed in the Cyber Threat Index 2025.
Social engineering was the third-most common IAV, typically involving email-based deception. Attackers used tactics that prey on human fallibility, like tricking victims into clicking malicious links, phishing for credentials, or convincing employees to install malware disguised as legitimate software.
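Because stolen or brute-forced credentials aimed at RDP and VPN logins are the top initial access vector described above, the most useful defensive control a small team can add is simple detection on authentication logs. The script below is an added example (not code from the Cyber Threat Index report or Coalition): it parses constructed syslog-style VPN gateway events, flags a source IP that accumulates too many failures inside a sliding window (counting distinct usernames so that password spraying is visible as well as single-account brute force), and separately flags a successful login that follows a burst of failures, which is the signal that a credential has actually been compromised. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Brute-force / password-spray detection over VPN or RDP gateway auth logs.

Added example, not Coalition's code. The log format, hosts, users and
thresholds below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog-style auth events from a hypothetical VPN gateway.
SAMPLE_LOG = """\
2025-03-01T08:00:01Z vpn-gw auth: result=FAIL user=jdoe src=203.0.113.10
2025-03-01T08:00:03Z vpn-gw auth: result=FAIL user=jdoe src=203.0.113.10
2025-03-01T08:00:05Z vpn-gw auth: result=FAIL user=jdoe src=203.0.113.10
2025-03-01T08:00:07Z vpn-gw auth: result=FAIL user=asmith src=203.0.113.10
2025-03-01T08:00:09Z vpn-gw auth: result=FAIL user=bjones src=203.0.113.10
2025-03-01T08:00:11Z vpn-gw auth: result=OK user=bjones src=203.0.113.10
2025-03-01T08:15:00Z vpn-gw auth: result=FAIL user=clee src=198.51.100.7
2025-03-01T08:20:00Z vpn-gw auth: result=OK user=clee src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth event, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(log_text, window=timedelta(minutes=5), threshold=5):
    """Return alerts for (a) a source IP with >= threshold failures inside the
    window and (b) a successful login from a source that already has that many
    recent failures (likely compromised credential)."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerts, flagged = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # ignore unrelated or malformed lines
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # expire old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])  # one brute-force alert per source
                alerts.append({
                    "type": "brute_force",
                    "src": ev["src"],
                    "failures": len(q),
                    "distinct_users": len({u for _, u in q}),  # >1 suggests spraying
                    "at": ev["ts"].isoformat(),
                })
        elif len(q) >= threshold:
            alerts.append({
                "type": "success_after_failures",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the first alert fires at the fifth failure from 203.0.113.10 (three distinct usernames, a spraying pattern), and a second alert fires when bjones then logs in successfully from the same source; the single failure from 198.51.100.7 is below threshold and stays quiet. The "success after failures" alert is the one worth paging on: it is the point at which a credential reset and session revocation are still cheap.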
Setting priorities in a complex threat landscape
More than 40,000 software vulnerabilities emerged in 2024 — a 38% year-over-year increase. Coalition predicts this trend will continue, with over 45,000 vulnerabilities expected in 2025. While not every vulnerability poses a significant risk, attackers only need one unpatched system to cause widespread damage.

This is where AI-driven risk prioritization makes a difference. Coalition’s Zero-Day Alerts (ZDAs) focus exclusively on the highest-risk vulnerabilities, helping businesses avoid notification fatigue while ensuring critical issues receive prompt attention. In 2024, Coalition sent ZDAs for just 0.15% of all vulnerabilities, demonstrating our commitment to helping policyholders focus on what matters most.
Coalition predicts that more than 45,000 vulnerabilities will be published in 2025.
The Cyber Threat Index 2025 spotlights the most dangerous software vulnerabilities that threat actors exploited in recent ransomware attacks, outlining three critical characteristics of high-risk vulnerabilities and providing real-world examples of how attackers targeted products from Ivanti, Palo Alto Networks, Fortinet, and Citrix.
Knowing which vulnerabilities pose the greatest risks is crucial for staying ahead of evolving threats.
Practical steps to defend against ransomware
It’s understandable if business leaders feel overwhelmed by the complexity of cybersecurity. That’s why the Cyber Threat Index 2025 provides recommendations for the steps that any organization, particularly SMBs with constrained budgets and resources, can take to strengthen its security posture, including:
Monitor attack surfaces: Regularly scan for exposed login panels, insecure services, and risky internet-facing devices.
Prioritize patching: Focus on the most critical vulnerabilities, especially those that threat actors actively exploit.
Enhance employee training: Improve security awareness to reduce the risk of social engineering attacks.
Implement 24/7 monitoring: Proactively monitor and respond rapidly to potential breaches.
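The first two steps above, monitoring the attack surface and prioritizing patching, are in practice one triage question: which internet-facing assets combine exposure (a perimeter VPN or firewall appliance, an exposed RDP or admin login panel, remote access without MFA) with a vulnerability that attackers are known to exploit? The script below is an added example, not Coalition's code or its scoring model: it scores a constructed asset inventory with assumed weights and returns a ranked remediation list with the reasons for each score. The hostnames, service names and CVE identifiers (CVE-0000-000x placeholders) are constructed.

```python
"""Attack-surface triage: rank assets by exposure and exploitability.

Added example for the "monitor attack surfaces" and "prioritize patching"
steps; not Coalition's code or scoring model. Inventory, placeholder CVE
ids (CVE-0000-000x) and weights are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed weights, chosen for illustration only.
RISKY_EXPOSED_SERVICES = {"rdp": 30, "smb": 25, "telnet": 25, "admin-login": 15, "vpn": 10}
REMOTE_ACCESS = {"rdp", "vpn"}


@dataclass
class Vuln:
    cve: str              # placeholder identifier in the sample data
    cvss: float
    known_exploited: bool = False  # seen exploited in the wild


@dataclass
class Asset:
    hostname: str
    internet_facing: bool
    category: str         # "perimeter" (VPN/firewall appliance) or "server"
    services: list        # service names reachable on the asset
    mfa: bool             # MFA enforced on its remote-access services
    vulns: list = field(default_factory=list)


def score_asset(a):
    """Return (score, reasons) for one asset; higher score = patch/fix first."""
    score, reasons = 0, []
    if a.internet_facing:
        score += 20
        reasons.append("internet-facing")
        if a.category == "perimeter":
            score += 20
            reasons.append("perimeter appliance (VPN/firewall)")
        for svc in a.services:
            w = RISKY_EXPOSED_SERVICES.get(svc, 0)
            if w:
                score += w
                reasons.append(f"exposed {svc}")
        if not a.mfa and REMOTE_ACCESS & set(a.services):
            score += 20
            reasons.append("remote access without MFA")
    # Unpatched vulnerabilities count even on internal assets: attackers only
    # need one unpatched system once they are inside.
    for v in a.vulns:
        if v.known_exploited:
            score += 40
            reasons.append(f"{v.cve} actively exploited")
        elif v.cvss >= 9.0:
            score += 15
            reasons.append(f"{v.cve} critical severity")
        else:
            score += 5
            reasons.append(f"{v.cve} unpatched")
    return score, reasons


def prioritize(inventory):
    """Return [(hostname, score, reasons), ...] sorted highest risk first."""
    ranked = [(a.hostname, *score_asset(a)) for a in inventory]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed inventory for a hypothetical small business.
SAMPLE_INVENTORY = [
    Asset("vpn-gw-01", True, "perimeter", ["vpn", "admin-login"], False,
          [Vuln("CVE-0000-0001", 9.8, known_exploited=True)]),
    Asset("ts-02", True, "server", ["rdp"], False),
    Asset("web-03", True, "server", ["https"], True,
          [Vuln("CVE-0000-0002", 7.5)]),
    Asset("fs-04", False, "server", ["smb"], True,
          [Vuln("CVE-0000-0003", 8.1, known_exploited=True)]),
]

if __name__ == "__main__":
    for host, score, reasons in prioritize(SAMPLE_INVENTORY):
        print(f"{host:10} {score:4}  " + "; ".join(reasons))
```

On the sample data the VPN appliance with an exploited vulnerability, an exposed admin panel and no MFA ranks first by a wide margin, the terminal server exposing RDP without MFA second, and the internal file server with an exploited-but-unreachable bug still outranks the patched, MFA-protected web server. The weights are deliberately crude; the point is that the ranking is driven by the same three signals the report emphasizes (exposed remote access, perimeter appliances, actively exploited vulnerabilities) rather than by raw vulnerability counts or CVSS alone.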
Coalition offers a full suite of security solutions designed to support SMBs. From Coalition Control®, our unified cyber risk management platform, to managed detection and response (MDR)* and incident response services, we strive to make world-class cybersecurity accessible to every business.
All businesses must prioritize thwarting ransomware. By understanding how attackers leverage the ransomware playbook and taking practical steps to reduce risk, organizations can enhance their resilience against this pervasive threat.
Download the Cyber Threat Index 2025 today to explore the latest insights and learn how Coalition can help your organization stay secure in a rapidly changing digital world.