According to Coalition's Cyber Threat Index 2025, the majority of ransomware attacks in 2024 began with compromised login credentials, and most of those, about 58%, came through breached perimeter security appliances (firewall vulnerabilities). We asked Matt Dowling of Surefire Cyber to break down this finding and offer SMEs advice on evolving their cybersecurity strategies to mitigate ransomware risk.
We’ve seen a surge in ransomware attacks this year. What trends stand out to you the most in terms of how attackers are gaining initial access and how have ransomware groups evolved their tactics compared to previous years?
A lot of the tactics and techniques that are being leveraged today haven't changed too much in the last couple of years. We're still seeing lots of Virtual Private Networks (VPNs) being leveraged by threat actors. Remote Desktop Protocol (RDP) and phishing are probably a bit less prevalent than they were. But for networks with remote access and without multifactor authentication, we see VPNs and many external firewall vulnerabilities being leveraged by ransomware actors.
How are attackers typically obtaining these credentials—through phishing, data leaks, brute force, or other methods?
These are often attacks of opportunity. Threat actors are always scanning the internet, and most mature organizations are going to have solid patch management, or they’re updating their firewalls. They have good controls around their credentials and multifactor authentication, which makes the larger organizations a bit harder to target. It’s that middle market where they have sizable environments and money, but maybe don’t have the security budget of the bigger companies out there. Typically we are seeing brute force entry or access through zero-day or other vulnerabilities. Phishing still happens but a lot less frequently—that’s something we see more often with business email compromise and wire fraud cases.
Are certain industries or organizations more vulnerable to credential-based ransomware attacks?
Healthcare is a big one because organizations have sensitive information that threat actors can leverage for double extortion. Education is another, typically because there is a lack of controls at these institutions. We are also seeing municipalities and manufacturing companies targeted frequently. The lack of cybersecurity maturity and the budgetary limitations in these industries or spaces make for a more attractive target.
What are the biggest security gaps in how organizations configure and secure their VPNs and firewalls?
We are seeing lots of SonicWall and Fortinet firewalls being targeted right now for vulnerabilities related to their SSL VPNs. The biggest concerns we have for most organizations are a lack of multifactor authentication and inadequate patch management. If you are not doing those two things right, it's not a matter of if you'll be attacked—it's when.
How do these attackers move laterally once inside a network after using stolen credentials?
When you’re connected through a VPN, it’s essentially the equivalent of plugging your computer into the wall of their office, but from anywhere in the world. At that point, they’ll start conducting reconnaissance or scanning, and then we see privilege escalation. Forensically, it’s very hard to prove a lot of that work is happening because many of the artifacts that would be required to prove it are on the threat actor’s machine.
From there, once the threat actor has sufficiently mapped out the network and elevated themselves to a level of permissions that can get them onto other systems, they're going to pivot over to the servers in most instances, especially sensitive servers, backup servers, or file servers that have data they want to exfiltrate. Lateral movement in these ransomware attacks is very quick—often an active dwell time of only a few days.
Have you seen an increase in access brokers selling stolen VPN, firewall, and RDP credentials on the dark web?
We do see access broker activities. Typically we will see the credentials first compromised and maybe some initial scanning and then no real activity for a while. Then all of a sudden it picks up very quickly and when an encryption event occurs, we can surmise the credentials were sold. For access brokers, the VPN method is an easy access route to sell.
What are the most effective steps organizations can take to prevent credential-based ransomware attacks?
As I mentioned, multifactor authentication is key, especially around account identity management. Something that I think doesn’t get talked about enough anymore is the principle of least privilege. You should only allow remote access to the people that need it most and if they only need it temporarily, enable and disable it accordingly. Don’t give anyone in your organization VPN access unless they need it.
Are there any emerging security technologies or strategies that can help detect and block unauthorized remote access?
Too often, authentications to the perimeter, the VPN, and other remote services aren't actively monitored. Usually, when we come into an incident, organizations that have been compromised are not monitoring the logs for the firewall, and they're not offloading them anywhere.
We recommend a Managed Detection and Response (MDR) solution with a vendor who can monitor your firewall, and an internal security tool such as an Endpoint Detection and Response (EDR) product that will detect threats as they're actively being deployed internally. An MDR that integrates with your firewall will pull those logs, analyze them, and look for anomalous logins, weird locations, and weird authentication patterns such as failed logins to help you stop a threat actor in their tracks. Most of my pre-ransomware cases where a threat actor has been caught prior to the execution of the ransomware had EDR widely deployed and monitoring in place for anomalous activity on the network.
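The kinds of checks an MDR runs over offloaded firewall logs (failed-login bursts, a success from a source that had been failing, a login from a country the user has never used), as an added example that is not part of the interview and not code from any MDR or firewall vendor. The log format, the user names, the IP addresses and the thresholds are all constructed for illustration; a real deployment would parse the appliance's own syslog and tune the thresholds to its traffic.

```python
"""Anomalous VPN-login checks over constructed, vendor-neutral auth log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real appliance):
# "<ISO timestamp> <user> <source IP> <country> <result>"
SAMPLE_LOG = """\
2025-03-01T08:02:11Z jsmith 203.0.113.10 US success
2025-03-01T08:41:03Z akumar 203.0.113.22 US success
2025-03-01T22:14:01Z admin 198.51.100.7 RU failure
2025-03-01T22:14:09Z admin 198.51.100.7 RU failure
2025-03-01T22:14:17Z jsmith 198.51.100.7 RU failure
2025-03-01T22:14:25Z akumar 198.51.100.7 RU failure
2025-03-01T22:14:33Z backup 198.51.100.7 RU failure
2025-03-01T22:14:41Z backup 198.51.100.7 RU success
2025-03-02T09:10:00Z jsmith 203.0.113.10 US success
2025-03-03T01:05:44Z jsmith 198.51.100.7 RU success
"""


def parse_log(text):
    """Parse the assumed format into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, country, result = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with >= threshold failures inside a sliding window (brute force or spraying).

    The users list shows whether one account or many were tried from that IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({f["user"] for f in fails[start:end + 1]})
                findings.append({"rule": "failure_burst", "ip": ip, "users": users,
                                 "ts": fails[end]["ts"]})
                break  # one alert per IP is enough
    return findings


def success_after_failures(events, min_failures=3):
    """Successful logins from an IP that had already failed >= min_failures times.

    This is the moment guessed or purchased credentials start working."""
    fails_seen = defaultdict(int)
    findings = []
    for e in events:
        if e["result"] == "failure":
            fails_seen[e["ip"]] += 1
        elif fails_seen[e["ip"]] >= min_failures:
            findings.append({"rule": "success_after_failures", "ip": e["ip"], "user": e["user"],
                             "ts": e["ts"], "prior_failures": fails_seen[e["ip"]]})
    return findings


def new_country_logins(events):
    """Successful logins from a country the user has never succeeded from earlier in the log.

    A user's very first success sets the baseline and is not flagged on its own."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            findings.append({"rule": "new_country", "user": e["user"], "country": e["country"],
                             "ip": e["ip"], "ts": e["ts"]})
        seen[e["user"]].add(e["country"])
    return findings


def analyze(text):
    """Run all three checks and return the findings in time order."""
    events = parse_log(text)
    findings = failure_bursts(events) + success_after_failures(events) + new_country_logins(events)
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["rule"], {k: v for k, v in f.items() if k not in ("ts", "rule")})
```

On the sample, the password spray from 198.51.100.7 trips the burst rule, the `backup` account's success seconds later trips the success-after-failures rule, and `jsmith` logging in from RU two days later trips both that rule and the new-country rule. In a live pipeline these findings would be what the MDR analyst sees before any encryption happens, which is why offloading the firewall logs matters: the burst and the first success are only visible there.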
If an organization suspects their credentials have been compromised, what immediate actions should they take?
Immediately shut down your SSL VPN by disabling it on the firewall. That will effectively kick out the remote access method. And you should activate your incident response plan. Call your insurance carrier, tell them you have a potentially compromised VPN. You may need an investigation to identify whether or not the threat actor had moved laterally and look for any signs of persistence beyond the VPN access. If you can’t be sure the threat is contained, a business decision should be made on whether or not to disable the internet completely on the firewall.
Do you anticipate these attacks are here to stay?
Unfortunately, given the remote nature of how the world operates nowadays, I don’t see this type of attack pattern going away. Organizations may get better at securing their VPNs through multifactor authentication, but the bad actors will find a way to accomplish a multifactor authentication bypass and allow that remote access. So while I suspect organizations will get better over time at protecting against these threats, I believe the perpetrators will evolve as well.
Need help creating your cybersecurity game plan? NetDiligence can help! Learn about NetDiligence® cyber risk solutions, including Breach Plan Connect®, an on-the-go incident response app that makes creating and customizing your incident response plan fast, easy, and affordable. Start your free trial today and stay prepared to face modern day cyber threats!