Most ransomware claims in 2024 started with compromised perimeter security appliances (58 percent), like virtual private networks (VPNs) or firewalls. Remote desktop products were second-most (18 percent) exploited, according to global insurance provider Coalition’s Cyber Threat Index 2025 report.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much—they’re still going after the same tried and true technologies with many of the same methods,” commented Alok Ojha, Coalition’s head of Products, Security. “This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

The total number of published software vulnerabilities will increase to over 45,000 in 2025, a rate of nearly 4,000 per month and a 15 percent jump over the first 10 months of 2024, according to the report.

Across all ransomware claims, the most common initial access vectors (IAVs) were stolen credentials (47 percent) and software exploits (29 percent).

The most commonly compromised products were built by the following vendors: Fortinet, Cisco, SonicWall, Palo Alto Networks, and Microsoft.

Exposed logins are an underappreciated driver of ransomware risk, the report found.

Coalition detected over 5 million internet-exposed remote management solutions and tens of thousands of exposed login panels across the internet.

When applying for cyber insurance, most businesses (65 percent+) had at least one internet-exposed web login panel.

“This year’s report focuses on the most crucial security risks that under-resourced organizations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, senior security researcher at Coalition. “Calibration involves balancing security investment across vulnerabilities, misconfigurations, and threat intelligence while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMBs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritizing those posing the greatest risk.”

To read Coalition’s full findings and download the report, visit: https://web.coalitioninc.com/DLC-Cyber-Threat-Index-2025.html.