Barracuda: Firewall Exploits Drive 90% of Ransomware Incidents

Ninety percent of ransomware incidents in 2025 reportedly exploited firewalls via unpatched software or a vulnerable account, according to Barracuda Networks’ newly published Barracuda Managed XDR Global Threat Report.

Outdated tools and remote access abuse heighten ransomware exposure

According to the cybersecurity company, the findings show how attackers exploit legitimate IT tools such as remote access software and unprotected devices to carry out their attacks. 

The report also underscores the risks of outdated encryption and disabled endpoint security, along with common warning signs like unusual logins or suspicious privileged-access activity.

“Organizations and their security teams — especially if that ‘team’ is a single IT professional — face an immense challenge. With limited resources and fragmented security tools, they must safeguard identities, assets and data from an evolving threat landscape and attacks that can unfold in a matter of hours,” said Merium Khalid, director of SOC offensive security at Barracuda. 

“What makes targets vulnerable is often easy to overlook — a single rogue device, an account that wasn’t disabled when someone left, a dormant application that hasn’t been updated, or a misconfigured security feature. Attackers only need to find one to succeed. An integrated, AI-powered and autonomous security solution with the management and support taken care of by experts can make all the difference.”

XDR data from 2 trillion events reveals firewall-driven ransomware trend

Some key findings from the report include:

• 90 percent of ransomware incidents exploited firewalls through a CVE or vulnerable account.
• The fastest ransomware case observed involved Akira ransomware and took just three hours from breach to encryption.

• One in 10 detected vulnerabilities had a known exploit, many tied to supply chain software.
• 96 percent of incidents involving lateral movement ended with the release of ransomware, indicating how fast attacks can escalate.
• The most widely detected vulnerability dates back to 2013 (CVE-2013-2566) and involves a flaw tied to an outdated encryption algorithm still present in some legacy systems.

The report’s findings are based on Barracuda Managed XDR’s dataset spanning more than two trillion IT events collected during 2025, including nearly 600,000 security alerts and more than 300,000 protected endpoints, firewalls, servers, cloud assets, and more. 

How MSPs can reduce ransomware risk with unified security strategies

The report also outlines practical steps that organizations and MSPs can take to reduce risk.

In particular, Barracuda said that organizations will need to implement a “unified security strategy” to counter increasingly sophisticated attacks, particularly with the advent of threat actors beginning to use agentic AI in their campaigns.

“Organizations need a unified security strategy that integrates advanced, AI-powered detection technologies with a fully autonomous SOC, complemented by user education, automated threat response and a resilient security culture,” Barracuda said in its report.

Last November, Barracuda launched Barracuda Assistant, an AI-powered tool within the BarracudaONE platform designed to speed threat response and strengthen cyber resilience. Learn more about how it can improve response times and boost security team efficiency.