
By Michael Loney
March 12 - (The Insurer) - Most ransomware claims in 2024, 58%, started with threat actors compromising perimeter security appliances such as virtual private networks or firewalls, according to Coalition’s Cyber Threat Index 2025.
Firewalls, which control connections by blocking network addresses associated with malicious activity, were the most commonly exploited technology used for initial access, while VPNs were fourth.
A VPN is designed to provide authenticated users with elevated access to internal systems.
Remote desktop products were the second-most exploited vector for ransomware attacks at 18%, according to Coalition.
These products provide a remote user with cursor-level control over a system, which can be useful for IT support to resolve issues. But they also allow threat actors to conduct malicious activity, such as downloading and deploying ransomware code, which was the case in 23% of the incidents in Coalition’s sample.
Microsoft’s Remote Desktop Protocol was compromised in almost 80% of the incidents in this category.
The Coalition report details cybersecurity trends from 2024 and emerging threats businesses should be aware of in 2025.
The cyber insurtech said that across all ransomware claims the most common initial access vectors were stolen credentials at 47% and software exploits at 29%.
Compromised credential attacks typically targeted RDP and VPNs, which provide threat actors with privileged access to internal systems and networks. Investigators observed brute-force password guessing in 42% of these incidents.
“This approach was visible in activity logs that show thousands of unsuccessful authentication attempts shortly before compromise,” the report said.
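The log pattern the report describes (a large run of failed authentications followed by a successful login from the same source) can be checked for as below. This is an added detection example, not code from Coalition's report; the log line format, the threshold of 1,000 failures and the one-hour window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: 'ISO-timestamp source-ip user result' (assumed format)."""
    base = datetime(2024, 6, 1, 2, 0, 0)
    lines = []
    for i in range(2000):  # guessing run that ends in a successful login
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 admin FAIL")
    lines.append(f"{(base + timedelta(minutes=34)).isoformat()} 203.0.113.7 admin OK")
    for i in range(1500):  # noisy source that never gets in
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.0.2.50 root FAIL")
    # ordinary user: two mistyped passwords, then success
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 198.51.100.20 jdoe FAIL")
    lines.append(f"{(base + timedelta(minutes=5, seconds=10)).isoformat()} 198.51.100.20 jdoe FAIL")
    lines.append(f"{(base + timedelta(minutes=5, seconds=30)).isoformat()} 198.51.100.20 jdoe OK")
    lines.sort()  # ISO timestamps sort chronologically as text
    return lines

def find_bruteforce_then_success(lines, threshold=1000, window=timedelta(hours=1)):
    """Flag a successful login preceded by >= threshold failures from the
    same source inside the sliding window. Input must be time-ordered."""
    recent_failures = defaultdict(deque)  # source -> failure timestamps in window
    alerts = []
    for line in lines:
        ts_text, source, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        queue = recent_failures[source]
        while queue and ts - queue[0] > window:  # expire old failures
            queue.popleft()
        if result == "FAIL":
            queue.append(ts)
        elif result == "OK":
            if len(queue) >= threshold:
                alerts.append({"source": source, "user": user,
                               "failures": len(queue), "success_at": ts})
            queue.clear()  # a success resets the run for this source
    return alerts

if __name__ == "__main__":
    for alert in find_bruteforce_then_success(build_sample()):
        print(f"{alert['source']} logged in as {alert['user']} after "
              f"{alert['failures']} failures at {alert['success_at']}")
```

Sources that fail heavily but never succeed are not flagged here; they indicate exposure rather than compromise and are better handled by rate limiting or lockout.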
Software exploits typically take advantage of a vulnerable system. These range from simple commands that exploit a single vulnerability to advanced espionage software that chains together multiple vulnerabilities.
Coalition said that vendors such as Fortinet, Cisco, SonicWall, Palo Alto Networks and Microsoft build the most commonly compromised products, which fall under a more general category of perimeter security appliances.
“These devices are often built into an organization’s physical networking infrastructure, typically offering both VPN and firewall functionality,” the report said.
Coalition detected over 5 million internet-exposed remote management solutions and tens of thousands of exposed login panels across the internet.
When applying for cyber insurance, most businesses, at more than 65%, had at least one internet-exposed web login panel.
Coalition expects the total number of published software vulnerabilities will increase to over 45,000 in 2025, a rate of nearly 4,000 per month and a 15% jump over the first 10 months of 2024.
“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much—they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, Coalition’s head of products, security.
“This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack,” Ojha added.