More than half of ransomware claims in 2024 started with threat actors compromising perimeter security appliances, according to a new report from Coalition.
In its Cyber Threat Index 2025, the insurance provider reported that 58% of claims began with such compromises.
UK-based IT services company Netcentrix defines perimeter security as “a set of security measures designed to stop external threats from entering your network.” These include firewalls, intrusion protection and detection systems and virtual private networks (VPNs).
Coalition found that VPNs and firewalls were the first and fourth most exploited technologies used for initial access last year.
The most commonly compromised products fall under a more general category of perimeter security appliances, Coalition said in the report, explaining that these devices “are often built into an organization’s physical networking infrastructure, typically offering both VPN and firewall functionality.” Vendors such as Fortinet, Cisco, SonicWall, Palo Alto Networks and Microsoft build these products.
Remote desktop software was the second-most exploited technology for ransomware attacks, and email ranked third.
In addition to analyzing what technology was accessed in ransomware claims, Coalition also studied how that technology was compromised. This was defined in the report as a ransomware attack vector.
The threat index reported that compromised credentials were the most common attack vector; they represented 47% of known initial access vectors (IAVs) in ransomware incidents. Such attacks typically targeted remote desktop protocol and VPNs, “which provide threat actors with privileged access to internal systems and networks,” the report said.
Coalition reported that software exploits were the second most common known IAV. These exploits typically take advantage of a vulnerable system and can range from simple commands that exploit a single vulnerability to advanced espionage software that chains together multiple vulnerabilities, the report said.
“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much — they’re still going after the same tried-and-true technologies with many of the same methods,” said Alok Ojha, Coalition’s head of products, security.
“This means that businesses can have a reliable playbook, too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”
Coalition forecasted that the total number of published software vulnerabilities will increase to over 45,000 in 2025 — a rate of nearly 4,000 per month and a 15% jump over the first 10 months of 2024.
“SMBs lack both the resources to patch a high number of vulnerabilities — requiring dedicated IT staff and testing infrastructure — as well as the experience to focus on the most pressing vulnerabilities,” the report said.
Coalition said its security recommendations are calibrated using data from its 360-degree perspective on cyber risk. Sources include digital forensics investigations, data collected from an internet-wide view gained by scanning every IPv4 address, proprietary AI models to analyze vulnerabilities and login panels, and actuarial evidence from cyber insurance claims.