One cybersecurity firm’s user base dataset showed that 66% of incidents involved the supply chain or third parties, among other trends.
A cybersecurity firm has released to the media a report on attacker targeting methods and organizational security exposures. The report is based on analysis of more than two trillion cyber events collected during 2025, comprising nearly 600,000 security alerts and more than 300,000 protected endpoints, firewalls, servers, and cloud assets.
First, 90% of ransomware incidents in the data set involved exploited firewalls, either through a classified software vulnerability or a vulnerable account.
Second, the fastest ransomware attack observed in the data had progressed from breach to encryption in three hours.
Other findings
Third, 66% of incidents involved the supply chain or a third party, compared with 45% in the firm’s 2024 data. Also:
- 96% of incidents involving lateral movement ended with the release of ransomware
- 100% of security incidents involved at least one unprotected or rogue endpoint
- 1 in 10 detected vulnerabilities had a known exploit
- Top ransomware families detected included Akira, Qilin, RansomHub, and Cactus
- The most detected vulnerability dated from 2013 (CVE-2013-2566)
- 44% of server security breaches involved the clearing of activity logs
- 34% of cases involving fileless malware used PowerShell as the primary execution method
- 44% of firewall-related incidents involved password-spraying
- The average severity score of detected vulnerabilities was 5.9
- 42% of suspicious privilege escalations added users to high-risk Windows groups
*The findings were derived from Barracuda’s customer base dataset for 2025. No specific sample sizes for surveyed decision-makers or respondent cohorts were detailed; the data reflected detections from protected customer environments rather than self-reported practices.


