
Cyber threats from VPNs lead ransomware incidents in 2025
Coalition's recent Cyber Threat Index for 2025 has highlighted that the majority of ransomware incidents in the previous year were initiated from compromised VPN devices.
The report identifies perimeter security appliances, such as virtual private networks (VPNs) and firewalls, as the primary points of entry for cyber threats, accounting for 58% of ransomware claims. Remote desktop products come next, associated with 18% of such incidents.
Alok Ojha, Head of Products, Security at Coalition, stated, "While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors' ransomware playbook hasn't evolved all that much—they're still going after the same tried and true technologies with many of the same methods. This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident."
The index predicts a significant rise in software vulnerabilities, forecasting that more than 45,000 will be published in 2025. This represents a 15% increase compared to the first ten months of 2024, translating to nearly 4,000 new vulnerabilities each month.
Coalition has found that the most prevalent initial access vectors (IAVs) in ransomware claims remain stolen credentials (47%) and software exploits (29%). Products from vendors such as Fortinet, Cisco, SonicWall, Palo Alto Networks, and Microsoft are cited as commonly compromised.
Internet-exposed logins are identified as a crucial yet often underestimated risk factor. Coalition reports detecting over 5 million internet-exposed remote management solutions and thousands of exposed login panels. Alarmingly, over 65% of businesses applying for cyber insurance have at least one internet-exposed web login panel.
Daniel Woods, Senior Security Researcher at Coalition, commented, "This year's report focuses on the most crucial security risks that under-resourced organisations should understand to better calibrate their defensive investments to bolster resilience. Calibration involves balancing security investment across vulnerabilities, misconfigurations, and threat intelligence while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That's why Coalition issues Zero-Day Alerts to help businesses, especially SMBs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritising those posing the greatest risk."
To mitigate risk, Coalition employs artificial intelligence, honeypots, and human expertise to prioritise high-risk vulnerabilities based on exploitation likelihood. As a result, policyholders are shielded from alert fatigue, receiving critical alerts for merely 0.15% of vulnerabilities documented in the first ten months of 2024, with 90% never receiving any alerts. This proactive alert system enabled Coalition clients to remediate over 32,000 vulnerabilities in the previous year.