Barracuda Networks’ Managed XDR Global Threat Report, which analysed two trillion IT events, nearly 600,000 security alerts, and 300,000 protected endpoints, firewalls, servers, and cloud assets from 2025, reveals that 90 percent of ransomware incidents exploited firewalls through unpatched software vulnerabilities or compromised accounts. The fastest progression from initial breach to full encryption occurred in just three hours, underscoring attackers’ compressed timelines. One in ten detected vulnerabilities featured known public exploits, led by CVE-2013-2566—a 2013 flaw in outdated encryption that persists in legacy servers, embedded devices, and unmaintained applications.
Lateral Movement and Supply Chain Vectors Dominate
Ninety-six percent of incidents involving lateral movement—where attackers pivot from initial footholds to high-value targets—ended in ransomware deployment, representing the most reliable red flag for unfolding attacks. Supply chain and third-party compromises surged to 66 percent from 45 percent year-over-year, as adversaries exploit vendor software weaknesses for initial access and persistence. Common entry points include unprotected endpoints, rogue remote access tools, disabled endpoint security, and misconfigured protections.
Unusual login patterns and unauthorised privilege escalations consistently precede ransomware execution, giving defenders narrow detection windows amid resource constraints and tool fragmentation.
Attackers Exploit Overlooked Infrastructure Gaps
Merium Khalid, Barracuda’s Director of SOC Offensive Security, highlighted that single oversights—undisabled departed user accounts, dormant unpatched applications, or bypassed security features—enable attacker success against even sophisticated environments. The report details how legitimate IT tools facilitate stealthy operations until lateral movement forces visibility.
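The precursor signals the report singles out (a login from a host the account never used, a privilege escalation right after it, two different hosts in a short window, endpoint protection switched off, and activity on an account that belongs to a departed user) can be correlated with a few lines of code. The following is an added illustration, not code from Barracuda or the report; the event records, the hypothetical offboarding list and the one-hour window are constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth/EDR events (not taken from the report):
# (user, host, action, ISO timestamp).
EVENTS = [
    ("alice", "ws-01",  "login",        "2025-03-01T09:02:00"),
    ("alice", "ws-01",  "login",        "2025-03-02T08:55:00"),
    ("alice", "srv-db", "login",        "2025-03-03T02:14:00"),  # never-seen host, odd hour
    ("alice", "srv-db", "priv_esc",     "2025-03-03T02:20:00"),  # added to local admins
    ("alice", "srv-fs", "login",        "2025-03-03T02:31:00"),  # pivot to a second host
    ("bob",   "ws-07",  "login",        "2025-03-03T10:00:00"),
    ("bob",   "ws-07",  "edr_disabled", "2025-03-03T10:05:00"),  # protection switched off
    ("carol", "ws-09",  "login",        "2025-03-03T11:00:00"),  # account should be gone
]
DEPARTED_USERS = {"carol"}   # hypothetical HR offboarding list
WINDOW = timedelta(hours=1)  # assumed correlation window


def score_events(events, departed, window=WINDOW):
    """Map each user to the sorted list of red flags raised by their events."""
    known_hosts = defaultdict(set)     # baseline: hosts each user has logged in to before
    recent_logins = defaultdict(list)  # (time, host, was_new_host) within the window
    flags = defaultdict(set)
    for user, host, action, when in sorted(events, key=lambda e: e[3]):
        t = datetime.fromisoformat(when)
        # Drop logins older than the window so correlation stays time-bounded.
        recent = [r for r in recent_logins[user] if t - r[0] <= window]
        recent_logins[user] = recent
        if action == "login":
            if user in departed:
                flags[user].add("departed_account_login")
            # Only call a host "new" once the user has a baseline to compare against.
            is_new = bool(known_hosts[user]) and host not in known_hosts[user]
            if is_new:
                flags[user].add("new_host_login")
            # Two distinct hosts inside one window is the lateral-movement signal.
            if any(h != host for _, h, _ in recent):
                flags[user].add("lateral_movement")
            known_hosts[user].add(host)
            recent.append((t, host, is_new))
        elif action == "priv_esc" and any(new for _, _, new in recent):
            flags[user].add("priv_esc_after_unusual_login")
        elif action == "edr_disabled":
            flags[user].add("endpoint_protection_disabled")
    return {u: sorted(f) for u, f in flags.items()}
```

Any user with more than one flag, or with lateral_movement at all, is the case the report says most reliably ends in encryption, so that is the bucket to page on first.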
Autonomous XDR Counters Rapid Evolution
Barracuda advocates integrated, AI-driven autonomous security platforms with managed expertise to consolidate detection across identities, assets, and data. The findings emphasise proactive vulnerability management, continuous behavioural monitoring, and rapid response orchestration as essential defences against ransomware’s accelerating sophistication.
