Most ransomware incidents start with compromised perimeter security

A new report from cyber insurance provider Coalition shows 58 percent of ransomware claims in 2024 started with threat actors compromising perimeter security appliances like virtual private networks (VPNs) or firewalls.

Remote desktop products are the second-most exploited for ransomware attacks at 18 percent. The most common initial access vectors (IAVs) are stolen credentials (47 percent) and software exploits (29 percent). Vendors including Fortinet, Cisco, SonicWall, Palo Alto Networks, and Microsoft build the most commonly compromised products.

"While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors' ransomware playbook hasn't evolved all that much -- they're still going after the same tried and true technologies with many of the same methods," says Alok Ojha, Coalition's head of products, security. "This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident."

Exposed logins are also an underappreciated driver of ransomware risk. Coalition detected over five million internet-exposed remote management solutions and tens of thousands of exposed login panels across the internet. When applying for cyber insurance, over 65 percent of businesses were found to have at least one internet-exposed web login panel.

"This year’s report focuses on the most crucial security risks that under-resourced organizations should understand to better calibrate their defensive investments to bolster resilience," says Daniel Woods, senior security researcher at Coalition. "Calibration involves balancing security investment across vulnerabilities, misconfigurations, and threat intelligence while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That's why Coalition issues Zero-Day Alerts to help businesses, especially SMBs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritizing those posing the greatest risk."

You can get the full report from the Coalition site.

Image credit: Benjawan Sittidech/Dreamstime.com

© 1998-2025 BetaNews, Inc. All Rights Reserved.