Attackers, including state-sponsored groups, aggressively capitalized on vulnerabilities over the past year, amplifying the impact of ransomware by targeting a broader range of victims and circumventing defenses with alarming efficiency. According to Verizon's recently released 2025 Data Breach Investigations Report, ransomware was present in 44% of the 12,195 confirmed breaches examined, a 37% increase over the previous year's report, in which 32% of breaches involved ransomware.
Verizon's findings highlight the evolving landscape of cybercrime and its effect on organizations of every size. Alex Pinto, associate director of threat intelligence at Verizon Business, told CyberScoop that although ransom payments have declined, with 64% of victim organizations refusing to pay compared with 50% two years ago, the frequency and impact of ransomware attacks continue to rise. The median ransom paid also fell, from $150,000 in 2023 to $115,000 in 2024. Small and medium-sized businesses (SMBs) bore a disproportionate share of the damage: ransomware was linked to 88% of breaches involving SMBs, compared with 39% for larger enterprises.
Verizon's report covers incidents that occurred between November 1, 2023, and October 31, 2024. Ransomware breaches are well represented in the data because the report draws on postings to ransomware leak sites, many of which are judged credible. Exploitation of vulnerabilities emerged as a leading breach vector, nearly matching credential abuse: the category grew 34% year over year and accounted for 20% of all initial access methods reported.
Pinto emphasized the correlation between the growth in exploited vulnerabilities and their use in ransomware attacks: "You can draw a straight line from this growth in vulnerabilities to the growth of usage of vulnerabilities in ransomware." Much of the increase stems from exploitation of zero-day vulnerabilities in edge devices and virtual private networks (VPNs). The report found that the share of vulnerability exploitation aimed at these devices jumped from 3% in the previous year to 22% in the current analysis, a clear shift in attacker focus.
Remediation has not kept pace. Organizations fully remediated only about 54% of detected edge device vulnerabilities over the year, and those that were fixed took a median of 32 days to close. Attackers have increasingly exploited flaws in firewalls, VPN appliances, routers, and other network infrastructure from major vendors including Ivanti, Palo Alto Networks, Cisco, and Fortinet. The trend has served not only ransomware operators but also espionage-motivated actors: exploitation of vulnerabilities was involved in as much as 70% of espionage-related breaches.
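The two figures above, the share of edge device vulnerabilities fully remediated and the median days to close them, are the metrics a vulnerability management program should be able to reproduce for its own estate. The following added example (not code from Verizon or the report) computes both over a constructed set of scanner findings and adds the caveat the report's numbers hide: a median time-to-remediate only counts findings that were closed, so it says nothing about how long the still-open ones have been exposed. The device names, categories and dates are constructed sample data.

```python
"""Edge-device remediation metrics of the kind the DBIR reports.

Added example with constructed findings, not Verizon data. Each finding
records when a scanner first saw a vulnerability on a device and when it
was remediated (None while still open).
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class Finding:
    device: str                 # hostname or asset tag (constructed)
    category: str               # "edge" = VPN/firewall/router, "internal" otherwise
    first_seen: date            # first scanner report of the vulnerability
    remediated: Optional[date]  # None = still open at the end of the window

# End of the report's collection window; used as the "as of" date for open findings.
WINDOW_END = date(2024, 10, 31)

# Constructed sample findings (hypothetical devices and dates).
FINDINGS = [
    Finding("vpn-gw-01", "edge", date(2024, 1, 10), date(2024, 1, 15)),
    Finding("fw-dmz-02", "edge", date(2024, 2, 1), date(2024, 3, 20)),
    Finding("vpn-gw-02", "edge", date(2024, 3, 5), None),
    Finding("rtr-wan-01", "edge", date(2024, 4, 12), date(2024, 5, 14)),
    Finding("fw-core-01", "edge", date(2024, 6, 1), None),
    Finding("app-db-07", "internal", date(2024, 6, 3), date(2024, 6, 20)),
]

def remediation_rate(findings, category="edge"):
    """Fraction of findings in the category that were fully remediated."""
    scoped = [f for f in findings if f.category == category]
    if not scoped:
        return 0.0
    closed = sum(1 for f in scoped if f.remediated is not None)
    return closed / len(scoped)

def median_days_to_remediate(findings, category="edge"):
    """Median days from first sighting to fix, over closed findings only."""
    days = [
        (f.remediated - f.first_seen).days
        for f in findings
        if f.category == category and f.remediated is not None
    ]
    return median(days) if days else None

def open_exposure_days(findings, as_of=WINDOW_END, category="edge"):
    """Age of each still-open finding: the attacker's window that the two
    metrics above do not capture."""
    return {
        f.device: (as_of - f.first_seen).days
        for f in findings
        if f.category == category and f.remediated is None
    }

if __name__ == "__main__":
    print(f"edge remediation rate: {remediation_rate(FINDINGS):.0%}")
    print(f"median days to remediate (closed only): {median_days_to_remediate(FINDINGS)}")
    print(f"open edge findings, days exposed: {open_exposure_days(FINDINGS)}")
```

On the sample data the closed-only median is 32 days while two edge devices have been exposed for 152 and 240 days; reporting the first number without the second is how a program can look healthy while its VPN gateway stays exploitable for most of a year.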
Verizon also found a sharp rise in breaches involving third parties, which doubled from 15% to 30% of breaches. The human element remained steady at roughly 60% of breaches, but growing third-party exposure adds a layer of risk that organizations do not directly control. Pinto described the risks of vendor relationships as multifaceted and urged businesses to stay vigilant against breaches that originate with external partners.
Overall, the ongoing trends in ransomware incidents, escalating exploitation of vulnerabilities, and rising third-party risks reflect a concentrated effort by cybercriminals to maximize their opportunities rather than a fundamental shift in their tactics. As noted by Pinto, the current landscape presents additional challenges for organizations to address in an already complex cybersecurity environment. Verizon’s report analyzed the largest dataset of confirmed breaches to date, impacting victims across 139 countries, underscoring the global nature of these cyber threats.
In MITRE ATT&CK terms, the patterns in the report map most directly to Initial Access through Exploit Public-Facing Application (T1190) and External Remote Services (T1133) for the edge device and VPN intrusions, and to Impact through Data Encrypted for Impact (T1486) for the ransomware payload itself; deploying ransomware is an Impact technique, not a persistence mechanism. The leak-site data the report relies on implies that exfiltration preceded encryption in many cases, and privilege escalation and lateral movement typically sit between initial access and deployment. Mapping observed activity onto these tactics helps organizations check that their detections and controls cover each stage rather than only the final encryption.