Sophos Unveils 2025 Active Adversary Report: Speed and Sophistication of Cyberattacks on the Rise

Sophos has released its 2025 Active Adversary Report, offering a comprehensive analysis of attacker behavior and techniques based on over 400 incidents investigated through its Managed Detection and Response (MDR) and Incident Response (IR) services during 2024. A key takeaway from the report is that attackers are primarily gaining initial access to networks by exploiting external remote services—such as firewalls and VPNs—while leveraging valid user accounts. This method accounted for 56% of all cases across MDR and IR investigations.

The report found that compromised credentials remained the top root cause of attacks for the second consecutive year, responsible for 41% of cases. This was followed closely by exploited vulnerabilities (21.79%) and brute-force attacks (21.07%). These findings highlight the critical importance of securing external-facing systems and user authentication mechanisms, as these avenues continue to be the most exploited by cybercriminals.

Another alarming insight from the report is the accelerated pace of cyberattacks. Sophos’ X-Ops team discovered that, in ransomware, data exfiltration, and data extortion cases, the median time between the start of an attack and the exfiltration of data was just 72.98 hours—barely over three days. Even more concerning, organizations typically detected the attack only 2.7 hours after exfiltration, underscoring the importance of rapid detection and response capabilities.

Sophos also reported that attackers are moving quickly to take control of key systems. The median time from initial access to the first attempt at breaching Active Directory—a critical component in most Windows environments—was just 11 hours. Once compromised, Active Directory allows attackers to more easily navigate and control organizational networks.

Among ransomware threats, the most frequently encountered group was Akira, followed by Fog and LockBit, despite a multi-national takedown of LockBit earlier in 2024. In terms of dwell time—the duration between an attack’s start and its detection—the report observed a notable decrease from four days to two days in 2024, largely due to the growing effectiveness of MDR services. Specifically, in MDR cases, ransomware was detected within three days, while non-ransomware threats were identified in just one day. However, dwell time remained longer in IR cases, with four days for ransomware and 11.5 days for non-ransomware incidents.

The report also noted that 83% of ransomware binaries were deployed outside of normal business hours, suggesting that attackers deliberately time their actions to avoid immediate detection. Remote Desktop Protocol (RDP) continues to be the most abused Microsoft tool, appearing in 84% of all MDR and IR cases, further emphasizing the need for stronger access control and monitoring of remote access services.

In response to these findings, Sophos recommends organizations take several proactive measures. These include closing exposed RDP ports, implementing phishing-resistant multifactor authentication (MFA), promptly patching vulnerable systems—especially internet-facing devices—deploying Endpoint Detection and Response (EDR) or MDR tools with 24/7 monitoring, and developing as well as regularly testing a robust incident response plan.
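The recommendations above (monitoring remote access, watching for brute force, and catching activity that happens outside business hours) can be turned into a simple detection pass over logon telemetry. The following is an added example, not code from Sophos or from the report: it parses a small, constructed set of Windows Security logon records (Event ID 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP) and flags RDP logons outside an assumed 08:00-18:00 Monday-to-Friday window as well as failed-logon bursts from one source. The one-line record format, the business-hours window, the burst threshold, and every host, user, and address are assumptions made for the example.

```python
"""Flag off-hours RDP logons and failed-logon bursts in Windows logon events.

Added example, not from Sophos or the Active Adversary Report. The flat
'key=value' record format below is constructed for this demonstration; real
Windows events arrive as XML/EVTX and would need a different parser.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumed business hours: 08:00-18:00, Monday to Friday.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
LOGON_SUCCESS = 4624          # Windows Security Event ID: successful logon
LOGON_FAILURE = 4625          # Windows Security Event ID: failed logon
RDP_LOGON_TYPE = 10           # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records (hosts, users, addresses are made up).
# 2024-06-03 is a Monday, 2024-06-08 a Saturday.
SAMPLE_EVENTS = [
    "2024-06-03T09:15:02 host=FS01 id=4624 type=10 user=alice src=10.0.5.23",
    "2024-06-03T17:58:40 host=FS01 id=4624 type=10 user=bob src=10.0.5.24",
    "2024-06-03T23:41:17 host=DC01 id=4624 type=10 user=svc_backup src=10.0.9.8",
    "2024-06-04T02:01:10 host=DC01 id=4625 type=10 user=admin src=203.0.113.7",
    "2024-06-04T02:01:32 host=DC01 id=4625 type=10 user=admin src=203.0.113.7",
    "2024-06-04T02:01:55 host=DC01 id=4625 type=10 user=admin src=203.0.113.7",
    "2024-06-04T02:02:18 host=DC01 id=4625 type=10 user=admin src=203.0.113.7",
    "2024-06-04T02:02:40 host=DC01 id=4625 type=10 user=admin src=203.0.113.7",
    "2024-06-04T02:03:55 host=DC01 id=4624 type=3 user=admin src=203.0.113.7",
    "2024-06-04T02:03:58 host=DC01 id=4624 type=10 user=admin src=203.0.113.7",
    "2024-06-04T10:00:00 host=FS01 id=4625 type=10 user=carol src=10.0.5.30",
    "2024-06-04T11:30:00 host=FS01 id=4625 type=10 user=carol src=10.0.5.30",
    "2024-06-08T10:30:00 host=FS01 id=4624 type=10 user=alice src=10.0.5.23",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) type=(?P<type>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    logon_type: int
    user: str
    src: str


def parse_event(line):
    """Parse one record; return None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"], int(m["id"]),
                 int(m["type"]), m["user"], m["src"])


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_rdp_logons(events):
    """Successful RDP (LogonType 10) logons that happened outside business hours."""
    return [e for e in events
            if e.event_id == LOGON_SUCCESS
            and e.logon_type == RDP_LOGON_TYPE
            and is_off_hours(e.ts)]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(src, host) pairs with >= threshold failed logons inside any sliding window.

    The threshold and window are assumed tuning values, not values from the report.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id == LOGON_FAILURE:
            failures[(e.src, e.host)].append(e.ts)
    flagged = []
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    evts = [e for e in map(parse_event, SAMPLE_EVENTS) if e]
    for e in off_hours_rdp_logons(evts):
        print(f"off-hours RDP logon: {e.ts} {e.user}@{e.host} from {e.src}")
    for src, host in failed_logon_bursts(evts):
        print(f"failed-logon burst: {src} -> {host}")
```

Run stand-alone, the script reports three off-hours RDP logons (a service account late on Monday, an administrator at 02:03 right after a burst of failures from the same address, and a weekend logon) and one failed-logon burst. Correlating the two lists, as the admin case shows, is where an analyst would start: a successful RDP logon that immediately follows a burst of failures from the same source is a much stronger signal than either finding alone.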

John Shier, Field CISO at Sophos, emphasized that “passive security is no longer enough” and urged businesses to move toward proactive threat detection and response. He stressed that rapid, coordinated defenses are essential to counter the growing sophistication and speed of modern cyberattacks.