VPNs and firewalls ranked as the first and fourth most exploited technologies for initial access in 2024, according to a Coalition report.
This week, Coalition released its “Cyber Threat Index 2025,” detailing insights on cybersecurity trends from 2024 and emerging threats businesses should be aware of in 2025. It found that most ransomware claims in 2024 started with threat actors compromising perimeter security appliances (58%), like virtual private networks (VPNs) or firewalls. Remote desktop products were second-most likely (18%) to be exploited for ransomware attacks.
This report focused on ransomware because its impact extends far beyond initial victims. It disrupts supply chains, violates privacy rights and undermines societal resilience. The report unpacked ransomware across multiple dimensions, such as which attack vectors are exploited to gain access to networks and deploy ransomware, the most common misconfigurations and vulnerabilities that expose organizations to attack, and how businesses should prioritize and remediate these security issues.
“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors' ransomware playbook hasn't evolved all that much—they're still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, head of products, security, Coalition.
“This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack,” Ojha said. “Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”
VPNs and firewalls ranked as the first and fourth most exploited technologies for initial access. Firewalls work by blocking network addresses linked to malicious activity, while VPNs grant authenticated users enhanced access to internal systems—making them prime targets for attackers.
Remote desktop software tools, the second-most exploited technology, allow remote users to control a system as if they were physically present—great for IT support, but equally useful for cybercriminals. Nearly a quarter (23%) of reported incidents involved attackers using remote desktop software to deploy ransomware.
Email was the third-most exploited entry point, largely due to social engineering attacks—coincidentally, the third most common attack vector overall.
The top attack vector? Compromised credentials, accounting for almost half (47%) of known initial access points in ransomware cases. Attackers primarily targeted remote desktop software and VPNs, which offer privileged access to internal networks. In nearly 42% of these cases, brute-force password guessing was detected.
Software exploits ranked as the second-most common initial access method. These range from simple, single-vulnerability exploits to sophisticated espionage software that chains multiple vulnerabilities together to breach systems.
“Businesses with large security budgets might be able to use this information to hire security experts to map these attack vectors to vulnerabilities and misconfigurations in the defender's network,” according to the report. “However, many [small and midsize businesses] lack the budget to do so and need guidance on which misconfigurations and vulnerabilities threat actors are exploiting.”
Will Jones is IA editor-in-chief.