
Compromised credentials are the leading cause of cyberattacks for the second year in a row. The Sophos Active Adversary Report shows that in 56 percent of the analyzed attack cases, cybercriminals possessed stolen login credentials.
The Sophos Active Adversary Report 2025 analyzes the behavior and techniques of cybercriminals across more than 400 real attacks investigated by the Managed Detection and Response (MDR) team and incident response (IR) specialists in 2024. Attackers primarily gained access to networks through external remote services (56 percent of all MDR and IR cases) by using valid accounts, including on edge devices such as firewalls and VPNs.
The combination of external remote services and valid accounts aligns with the main causes of attacks. For the second year in a row, compromised credentials were the primary cause of attacks (41 percent). This was followed by exploitation of security vulnerabilities (22 percent) and brute-force attacks (21 percent).
Pace of attacks increases
When analyzing MDR and IR investigations, the Sophos X-Ops team specifically considered ransomware, data exfiltration, and data extortion cases to determine how quickly cybercriminals move through the different stages of an attack within an organization. For these three types of cases, the average time between the initiation of an attack and data exfiltration was just 73 hours, or approximately three days. Furthermore, the average time from exfiltration to detection of the attack was just 2.7 hours.
"Passive security is no longer sufficient," said John Shier, Field CISO at Sophos. "While prevention is important, rapid response is crucial. Organizations must actively monitor their networks and respond quickly to any anomalies they observe. Coordinated attacks by professional cybercriminals also require coordinated defense. For many organizations, this means a combination of business-specific knowledge and expert-led detection and response. Our report confirms that organizations with active monitoring detect attacks faster and achieve better defense results."
Results of the Sophos Active Adversary Report 2025
Attackers need an average of just eleven hours to take over the system
On average, only eleven hours passed between a cybercriminal's first action and their first (often successful) attempt to penetrate Active Directory—one of the most critical elements in any Windows network. If successful, attackers can easily take control of the entire organization.
Old acquaintances among the most common ransomware groups
In the cases investigated by Sophos, Akira was the most prevalent ransomware group in 2024, followed by Fog and LockBit – even though LockBit was taken down earlier this year in a concerted effort by law enforcement agencies.
MDR as a decisive factor in attacker dwell time
Overall, dwell time, the time from the onset of an attack to its detection, decreased from four to two days in 2024. This is primarily due to the inclusion of MDR cases in the dataset. The dwell time for IR cases remained stable at four days for ransomware attacks and 11.5 days for non-ransomware cases. Among the MDR cases studied, the dwell time for ransomware attacks was three days and for non-ransomware cases only one day. This suggests that MDR teams are able to detect and respond to attacks more quickly.
Ransomware groups work overnight
In 2024, 84 percent of ransomware binaries were distributed outside of the targets' normal local working hours.
Remote Desktop Protocol abuse
The Remote Desktop Protocol (RDP) was involved in 84 percent of MDR/IR cases, making it the most frequently abused Microsoft tool.
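The two findings above, RDP as the most abused Microsoft tool and ransomware deployed outside working hours, point to one simple detection a defender can run over logon events: RDP (RemoteInteractive, LogonType 10) logons outside local working hours. The following is an added example and not code from the Sophos report; it assumes a constructed, simplified log format (timestamp, EventID, LogonType, account, source IP) and 08:00 to 18:00 weekday working hours.

```python
import re
from datetime import datetime, time

# Constructed sample lines in a simplified Windows Security log export
# (not from the Sophos report): timestamp, EventID, LogonType, account, source IP.
SAMPLE_LOG = """\
2024-11-04T09:12:07 4624 10 CORP\\jsmith 10.0.5.23
2024-11-04T14:40:51 4624 10 CORP\\mlee 10.0.5.41
2024-11-05T02:17:33 4624 10 CORP\\svc-backup 203.0.113.77
2024-11-05T03:05:19 4624 10 CORP\\admin-tmp 203.0.113.77
2024-11-05T11:02:00 4624 2 CORP\\jsmith 10.0.5.23
2024-11-09T16:30:00 4624 10 CORP\\mlee 10.0.5.41
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, logon_type, account, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src": src}

def is_off_hours(ts, start=time(8, 0), end=time(18, 0), workdays=range(0, 5)):
    """True when ts falls on a non-working day or outside [start, end) local time."""
    return ts.weekday() not in workdays or not (start <= ts.time() < end)

def find_off_hours_rdp(log_text, **hours):
    """Return successful RDP logons (EventID 4624, LogonType 10) outside working hours."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        if is_off_hours(ev["ts"], **hours):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_off_hours_rdp(SAMPLE_LOG):
        print(f'{ev["ts"].isoformat()} off-hours RDP logon {ev["account"]} from {ev["src"]}')
```

Tune the working-hours window per site and correlate flagged logons with the source address and account type before raising an alert, since legitimate maintenance also happens at night.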
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.