Nine in Ten Ransomware Attacks Exploit Firewall Vulnerabilities

A new report from Barracuda reveals that 90 percent of ransomware incidents in 2025 exploited firewalls—either through unpatched software or poorly protected user accounts. The fastest recorded attack moved from breach to full encryption in just three hours. The findings come from the “Barracuda Managed XDR Global Threat Report,” which examines how cybercriminals operate and highlights the weaknesses that leave organizations particularly exposed.

Based on thousands of real incidents, the report shows how attackers leverage legitimate IT tools—such as remote access software—to exploit unprotected devices. It also calls attention to risks from outdated encryption, disabled client security features, and abnormal behaviors tied to logins or elevated access rights.


“Organizations and their security teams—especially those relying on a single IT administrator—face immense challenges. With limited resources and fragmented security solutions, they must protect identities, assets and data against rapidly evolving threats where attacks can succeed within hours,” says Merium Khalid, Director, SOC Offensive Security at Barracuda.

Key findings from the report

  • 90 percent of ransomware incidents exploited firewalls via known vulnerabilities (CVEs) or weak accounts. By compromising firewalls, attackers can gain control of networks and conceal their activity behind these devices.
  • The fastest attack used Akira ransomware and took three hours from initial intrusion to encryption, leaving defenders with very limited time to respond.
  • One in ten discovered vulnerabilities had a known exploit. Cybercriminals continue to weaponize software flaws—often in the supply chain—underscoring the importance of timely patching.
  • The most frequently observed vulnerability dated back to 2013. CVE-2013-2566 affects an outdated encryption algorithm still present in some legacy servers, embedded systems, and applications.
  • 96 percent of incidents that involved lateral movement ended in ransomware. Lateral movement within a network is a clear sign that an attack is escalating.
  • 66 percent of all incidents were linked to the supply chain or third-party vendors—a notable rise from 45 percent the previous year.

“What often makes an organization vulnerable are overlooked, simple issues: an unmanaged device without protection, an account not disabled after an employee leaves, an out-of-date application, or a misconfigured security setting. Attackers only need a single weak point. An integrated, AI-driven and more autonomous security solution—operated by experienced professionals—can make a decisive difference,” Merium Khalid concludes.

About the study
The findings are drawn from the extensive telemetry collected by Barracuda Managed XDR during 2025: more than two trillion IT events, nearly 600,000 security alerts, and over 300,000 protected endpoints, firewalls, servers and cloud resources.
