Ransomware remains a persistent threat for businesses, but it’s rarely innovative, says a new report by Coalition, a cyber insurance and security provider.
That should be good news for insurers and brokers.
Most ransomware claims in 2024 started with threat actors compromising perimeter security appliances (58%), like virtual private networks (VPNs) or firewalls, according to Coalition’s Cyber Threat Index 2025.
Remote desktop products — the type that IT service providers use to access employees’ computers remotely — were the second-most (18%) exploited technology for ransomware attacks.
“These products provide a remote user with cursor-level control over a system, which can be useful for IT support to resolve issues without requiring physical access to a PC. However, the same functionality allows threat actors to conduct malicious activity, such as downloading and deploying ransomware code,” Coalition says.
Email was the third most commonly exploited technology.
Points of entry
As for how these attacks are orchestrated, compromised credentials were the most common attack vector, representing almost half (47%) of known initial attack vectors (IAV) in ransomware incidents.
Attacks using compromised (i.e., stolen) credentials typically targeted remote desktop products and VPNs, giving threat actors privileged access to internal systems and networks.
Coalition’s investigators were confident that about 42% of the compromised credentials were obtained through “brute-force password guessing”.
“This approach was visible in activity logs that show thousands of unsuccessful authentication attempts shortly before compromise,” Coalition writes. “In contrast, investigators cannot always confidently identify how credentials that were not brute-forced were compromised. When threat actors steal credentials via phishing or info-stealing malware, they make a single attempt to log in, just like a legitimate user.”
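The signal the report describes, a burst of failed logins immediately before a successful one, is straightforward to detect in authentication logs, while a single clean login with phished credentials leaves no such trace. The following is an added example, not code from Coalition or the report, run over a constructed VPN-style log (line format, account names and addresses are all invented here):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ts> <service> auth FAIL|SUCCESS user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def brute_force_alerts(lines, threshold=100, window=timedelta(hours=1)):
    """One alert per successful login preceded by >= threshold failures for the
    same (user, source) inside `window`. Single clean logins never trigger."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # unparseable line: skip, do not crash the pipeline
        ts, result, user, src = parsed
        q = failures[(user, src)]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"user": user, "src": src, "failures": len(q), "at": ts.isoformat()})
            q.clear()
    return alerts

def constructed_log():
    """Constructed sample: a brute-force run, a stolen-credential login, a typo."""
    base = datetime(2024, 3, 4, 2, 0, 0)
    lines = [f"{base + timedelta(seconds=i):%Y-%m-%dT%H:%M:%SZ} vpn auth FAIL "
             f"user=jsmith src=203.0.113.10" for i in range(1500)]
    lines.append(f"{base + timedelta(seconds=1500):%Y-%m-%dT%H:%M:%SZ} vpn auth SUCCESS "
                 f"user=jsmith src=203.0.113.10")
    # Phished credentials: one success, indistinguishable from the real user.
    lines.append("2024-03-04T03:15:00Z vpn auth SUCCESS user=ahale src=198.51.100.7")
    # Legitimate mistyped password: two failures, then success, below threshold.
    lines.append("2024-03-04T08:00:00Z vpn auth FAIL user=rlee src=192.0.2.5")
    lines.append("2024-03-04T08:00:09Z vpn auth FAIL user=rlee src=192.0.2.5")
    lines.append("2024-03-04T08:00:20Z vpn auth SUCCESS user=rlee src=192.0.2.5")
    return lines
```

Only the jsmith login is flagged (1,500 failures in 25 minutes); the ahale login produces nothing, which is exactly the attribution gap investigators face with phished or info-stealer credentials.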
Software exploits, where threat actors take advantage of a vulnerable system, were the second most commonly known IAV.
Among its investigations, Coalition found evidence that vulnerabilities in products from multiple vendors (Ivanti, Fortinet and Cisco), as well as in Microsoft’s Exchange email server and open-source Linux web servers, were exploited.
Social engineering was the third-most common IAV, and bad actors usually used email to communicate with victims.
Tactics to exploit victims included: “manipulating employees into installing remote access technology and providing access to a threat actor, tricking employees into clicking a malicious link that installed malware on the device, impersonating legitimate software so employees inadvertently installed malware, phishing employees into revealing credentials.”
The remaining attack vectors included exploitation of misconfigured Amazon Web Services environments, the use of Google advertisements for drive-by-download attacks, and supply chain attacks.
Moving forward
The Canadian government has listed cyber threats as a national security threat.
Yet, threat actors aren’t doing anything new.
“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much — they’re still going after the same tried and true technologies with many of the same methods,” commented Alok Ojha, Coalition’s head of products and security.
“This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack.”
One mitigation is continuous attack surface monitoring, which detects potential vulnerabilities.
Beyond that, however, small and medium-sized businesses are often under-resourced. And since businesses cannot remove every login interface, piece of software and internet connection that could expose them, some exposure will remain.
“The decision burden will worsen with a forecast of over 45,000 vulnerabilities published in 2025,” Coalition writes.
“[G]reater accountability — with the insurance industry leading the change in forthcoming initiatives — will lead vendors to take more responsibility for securing their software products. However, this structural shift will take time.”
In the meantime, companies must continue to monitor their exposures, fix their vulnerabilities, educate employees about common social engineering tactics, and implement 24/7 system monitoring, Coalition says.