Verizon discovers spike in ransomware and exploited vulnerabilities

Verizon’s 2025 Data Breach Investigations Report noted a 37% increase in ransomware attacks and a 34% increase in exploited vulnerabilities.

Cybercriminals and state-sponsored threat groups exploited vulnerabilities and initiated ransomware attacks with vigor last year, escalating the scope of their impact by hitting more victims and outmaneuvering defenses with speed.

The rate of ransomware detected in data breaches jumped 37%, occurring in 44% of the 12,195 data breaches reviewed in Verizon’s 2025 Data Breach Investigations Report released Wednesday. Researchers observed the presence of ransomware in 32% of data breaches in last year’s report. 

Verizon’s research underscores the twists and turns of cybercriminal activity and its wide-reaching impact on organizations. “We see less payment activity,” Alex Pinto, associate director of threat intelligence at Verizon Business, told CyberScoop, “but we don’t see it slowing down.”

While ransom payments are down — 64% of victim organizations did not pay the ransoms, compared to 50% two years ago — the prevalence of ransomware continues to grow.

The median amount paid to ransomware groups is also down, sliding from $150,000 in 2023 to $115,000 in 2024. Researchers found that small- to medium-sized businesses have been hit particularly hard. While ransomware was traced to 39% of breaches impacting larger organizations, it occurred in 88% of breaches on SMBs, according to Verizon.

“The type of attack that ransomware is, is really primed for expanding into the mid-market,” Pinto said. 

Verizon’s latest annual report covers incidents that occurred between Nov. 1, 2023 and Oct. 31, 2024. The company is fairly confident it’s aware of the majority of data breaches resulting from ransomware attacks due to readily available data it collects from data leak sites. The majority of those data leak site claims are legitimate, according to Verizon and its research partners.

Exploited vulnerabilities as an initial access vector for breaches also surged last year, nearly reaching parity with credential abuse. Verizon reported a 34% year-over-year increase in exploited vulnerabilities, representing 20% of all initial access vectors across data breaches. 

“You can draw a straight line from this growth in vulnerabilities, especially vulnerabilities, to the growth of usage of vulnerabilities in ransomware,” Pinto said.

The jump in exploited vulnerabilities was fueled, in part, by zero-day exploits targeting edge devices and virtual private networks. “The percentage of edge devices and VPNs as a target on our exploitation of vulnerabilities action was 22%, and it grew almost eightfold from the 3% found in last year’s report,” Verizon said in the report.

Researchers noted that organizations only patched or fully remediated about 54% of edge device vulnerabilities throughout the year, and these efforts took a median of 32 days to accomplish. 

Network edge devices are among attackers’ most preferred intrusion points into enterprise networks. Attackers have exploited vulnerabilities in firewalls, VPNs and routers from Ivanti, Palo Alto Networks, Cisco, Fortinet and others at scale since 2024. 

“This tactic has been leveraged successfully by both ransomware operators and espionage-motivated threat actors with great success,” Verizon said in the report. “In fact, exploitation of vulnerabilities as an initial access vector for espionage-motivated breaches goes as high as 70% in the analyzed time period.”

Verizon also found a significant jump in the number of data breaches involving third-party vendors. “Although the involvement of the human element in breaches remained roughly the same as last year, hovering around 60%, the percentages of breaches where a third party was involved doubled, going from 15% to 30%,” researchers said in the report.

“There are so many different aspects on how specific relationships with vendors can add to the risks up to some bad security outcomes,” Pinto said.

Overall, the increases in ransomware, exploited vulnerabilities and third-party risk don’t necessarily reflect a shift in attackers’ tactics, according to Pinto. “I think they’re just maximizing their opportunities,” he said. “It’s just more stuff we have to focus on at the end of the day.”

Verizon’s report analyzed the highest number of confirmed breaches to date, with attacks impacting victims from 139 countries.
