The majority of ransomware claims submitted in 2024 began with threat actors compromising perimeter security, such as virtual private networks or firewalls. Remote desktop products were second-most (18%) exploited for ransomware attacks, according to insurer Coalition’s Cyber Threat Index 2025, published this week.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much – they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, Coalition’s head of products and security.

Coalition predicts the total number of published software vulnerabilities will increase to over 45,000 in 2025, a rate of nearly 4,000 per month and a 15% jump over the first 10 months of 2024.

Across all ransomware claims, the most common initial access vectors were stolen credentials (47%) and software exploits (29%). Vendors such as Fortinet, Cisco, SonicWall, Palo Alto Networks and Microsoft build the most commonly compromised products.

Exposed logins are an overlooked driver of ransomware risk. Coalition detected over 5 million internet-exposed remote management solutions and tens of thousands of exposed login panels across the internet. When applying for cyber insurance, most businesses (at least 65%) said they had at least one internet-exposed web login panel.

“Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident,” Ojha added.

---