Barracuda Report: 90% of Ransomware Incidents Exploit Firewalls

Ninety percent of ransomware incidents in 2025 exploited firewalls through unpatched software or a vulnerable account, with the fastest case taking just three hours to progress from breach to encryption, according to a report published today by cybersecurity provider Barracuda Networks Inc.

The findings, detailed in the Barracuda Managed XDR Global Threat Report, are based on Barracuda’s 2025 dataset: more than 2 trillion IT events, nearly 600,000 security alerts, and more than 300,000 protected endpoints, firewalls, servers, cloud assets and other systems, the company said.

Of all the ransomware incidents observed, 90 percent exploited firewalls through a CVE (classified software vulnerability) or vulnerable account. Attackers typically use such a weakness to gain access to and control over a network and to bypass its protection, hiding malicious traffic and activity. The fastest incident involved Akira ransomware. A compressed timeline, like this three-hour incident, can leave defenders with minimal opportunity to detect and respond, officials said.

In addition, one in 10 detected vulnerabilities had a known exploit, often tied to supply chain software. Of those logged, 66 percent involved the supply chain or a third party, up from 45 percent in 2024.

Interestingly, the most widely detected vulnerability dates to 2013. CVE-2013-2566 is a flaw in an outdated encryption algorithm that can be found in legacy systems such as old servers or embedded devices or applications, the company said.

In addition, 96 percent of incidents involving lateral movement ended with the release of ransomware. Lateral movement marks the moment when attackers hiding on an unprotected endpoint break cover, officials said, noting that this represents the biggest red flag of an unfolding ransomware attack.

The report discusses how attackers target organizations and the security gaps that put systems at risk. It also includes practical steps organizations and MSPs can take to address and reduce risk.

“Organizations and their security teams—especially if that ‘team’ is a single IT professional—face an immense challenge. With limited resources and fragmented security tools, they must safeguard identities, assets and data from an evolving threat landscape and attacks that can unfold in a matter of hours,” said Merium Khalid, director, SOC offensive security at Barracuda. “What makes targets vulnerable is often easy to overlook—a single rogue device, an account that wasn’t disabled when someone left, a dormant application that hasn’t been updated, or a misconfigured security feature. Attackers only need to find one to succeed. An integrated, AI-powered and autonomous security solution with the management and support taken care of by experts can make all the difference.”

The 23-page report is available for download from the Barracuda website.