Cybersecurity alerts: ransomware incidents and new security threats

Barracuda Networks unveils ransomware findings; swift breaches and outdated systems are key vulnerabilities. How businesses can adapt to evolving threats.

Barracuda Networks, a cybersecurity company, has reported that 90% of ransomware incidents in 2025 exploited firewalls through unpatched software or vulnerable accounts. In the fastest case observed, the time from breach to encryption was three hours, reducing the opportunity for detection and response.

The findings are detailed in the Barracuda Managed XDR Global Threat Report, which outlines common attack methods and security gaps. Drawing on thousands of real-world incidents, the report shows that attackers frequently use legitimate IT tools, such as remote access software, and exploit unprotected devices. It also identifies risks linked to outdated encryption, disabled endpoint security and unusual login or privileged access activity.

Key findings:

  • Ninety per cent of ransomware incidents involved the exploitation of a CVE (a publicly catalogued software vulnerability) or a vulnerable account. Attackers were then able to gain network access and conceal malicious activity.
  • The fastest case observed involved Akira ransomware and progressed from breach to encryption in three hours, limiting the window for defenders to respond.
  • Sixty-six per cent of incidents in 2025 involved the supply chain or a third party, up from 45% in 2024, as attackers targeted weaknesses in third-party software.
  • Ninety-six per cent of incidents involving lateral movement resulted in ransomware deployment. Lateral movement typically indicates that attackers have compromised an endpoint and are extending their access within a network.
  • The most widely detected vulnerability was CVE-2013-2566, a flaw in an outdated encryption algorithm found in older systems, servers and embedded devices.

The report advises organisations and managed service providers to take practical steps to reduce risk, including identifying and addressing unpatched software and misconfigurations.

Merium Khalid, Director of SOC Offensive Security at Barracuda, said organisations — often operating with limited resources and multiple security tools — must protect identities, infrastructure and data against attacks that can develop rapidly. She noted that overlooked issues, such as dormant applications, unused accounts or misconfigured security features, can increase exposure.

The findings are based on Barracuda Managed XDR data collected during 2025, including more than two trillion IT events, nearly 600,000 security alerts and over 300,000 protected endpoints, firewalls, servers and cloud assets.
