Report: Attackers Exploit Remote Services in 56% of Cases

Sophos, a global leader in innovative security solutions for countering cyberattacks, today released the 2025 Sophos Active Adversary Report, which outlines attacker behaviours and techniques from over 400 Managed Detection and Response (MDR) and Incident Response (IR) cases investigated in 2024. The report revealed that the primary method attackers used to gain initial access to networks—accounting for 56% of all cases—was through the exploitation of external remote services, such as firewalls and VPNs, by leveraging valid user credentials.
The combination of external remote services and the use of valid accounts aligns with the leading root causes of attacks. For the second consecutive year, compromised credentials were the top root cause, featuring in 41% of cases. This was followed by exploited vulnerabilities (21.79%) and brute force attacks (21.07%).
Understanding the Speed of Attacks
In analysing MDR and IR investigations, the Sophos X-Ops team focused on ransomware, data exfiltration, and data extortion cases to determine how quickly attackers advanced through the stages of an attack. For these types of cases, the median time between the initial attack and data exfiltration was just 72.98 hours (or 3.04 days). Additionally, the median time between exfiltration and detection of the attack was only 2.7 hours.
“Passive security is no longer sufficient. While prevention remains essential, rapid response is critical. Organisations must actively monitor networks and act swiftly on observed telemetry. Coordinated attacks by determined adversaries demand a coordinated defence. For many, this requires combining in-depth business knowledge with expert-led detection and response. Our report clearly shows that organisations with proactive monitoring capabilities detect threats faster and see more favourable outcomes,” stated John Shier, Field CISO.
Other Key Findings from the 2025 Sophos Active Adversary Report
Attackers can gain control of a system in just 11 hours. The median time between the attackers’ first move and their initial attempt to compromise Active Directory (AD)—a key component in most Windows environments—was only 11 hours. A successful AD breach significantly increases their ability to control the wider network.
Akira was the most prevalent ransomware group encountered in 2024, followed by Fog and LockBit, despite a multinational effort to take LockBit offline earlier in the year.
Overall dwell time—the period between the start of an attack and its detection—dropped from 4 days to just 2 in 2024, mainly due to the integration of MDR cases into the analysis.
In IR-only cases, dwell time remained consistent at 4 days for ransomware incidents and 11.5 days for non-ransomware cases.
For MDR investigations, dwell time was reduced to 3 days for ransomware attacks and just 1 day for non-ransomware cases, highlighting the effectiveness of MDR teams in detecting and responding swiftly.
Ransomware actors were active primarily outside normal working hours, with 83% of ransomware binaries dropped outside the target’s local business hours.
Remote Desktop Protocol (RDP) continued to be a primary target, featuring in 84% of MDR and IR cases. This made it the most commonly misused Microsoft utility in the dataset.
Recommendations from Sophos
To strengthen their cybersecurity posture, Sophos advises companies to take several critical actions. These include closing any exposed RDP ports and implementing phishing-resistant multifactor authentication (MFA) wherever feasible. It is also essential to patch vulnerable systems promptly, especially those that are internet-facing. In addition, organisations should deploy Endpoint Detection and Response (EDR) or MDR solutions and ensure they are actively monitored around the clock. Finally, a comprehensive incident response plan should be established and tested regularly through simulation exercises or tabletop scenarios.
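The report's findings that RDP featured in 84% of cases and that 83% of ransomware binaries were dropped outside local business hours translate directly into a monitoring rule. The script below is an added illustration, not code from Sophos or the report: it parses a constructed sample of Windows logon events (event 4624 with logon type 10, the RemoteInteractive type used by RDP) and flags any RDP logon that comes from outside an assumed internal address range or lands outside assumed business hours (08:00 to 18:00, Monday to Friday). The log format, address ranges and business hours are assumptions chosen for the example; a real deployment would read them from the SIEM and the organisation's own schedule.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed business hours and internal address space for this example only.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday..Friday
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample log lines (not taken from the report):
# local timestamp | event id | logon type | account | source IP
SAMPLE_EVENTS = """\
2024-06-03T09:15:00|4624|10|CORP\\jsmith|10.20.30.40
2024-06-03T23:42:10|4624|10|CORP\\svc-backup|203.0.113.55
2024-06-04T02:05:33|4624|10|CORP\\admin|198.51.100.7
2024-06-04T11:00:00|4624|2|CORP\\jsmith|-
2024-06-01T14:30:00|4624|10|CORP\\jsmith|10.20.30.41
"""


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source: str


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the pipe-delimited sample format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, source = line.split("|")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), account, source))
    return events


def in_business_hours(when: datetime) -> bool:
    """True if the local timestamp falls on a business day within business hours."""
    return when.weekday() in BUSINESS_DAYS and BUSINESS_START <= when.time() < BUSINESS_END


def is_internal(source: str) -> bool:
    """True if the source is a parseable address inside the assumed internal ranges.
    A missing source ('-') is treated as not internal so it is surfaced for review."""
    try:
        addr = ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage_rdp_logons(events: list[LogonEvent]) -> list[dict]:
    """Return RDP logons that merit analyst attention, with the reason(s) for each."""
    findings = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != RDP_LOGON_TYPE:
            continue  # only successful RDP logons are in scope here
        reasons = []
        if not is_internal(ev.source):
            reasons.append("rdp-from-non-internal-address")
        if not in_business_hours(ev.when):
            reasons.append("rdp-outside-business-hours")
        if reasons:
            findings.append({
                "when": ev.when.isoformat(),
                "account": ev.account,
                "source": ev.source,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_rdp_logons(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample above, the rule surfaces three of the four RDP logons: two from addresses outside the internal ranges at night, and one from an internal address on a Saturday. The off-hours check is deliberately a second, independent reason rather than a filter, so that an internal-looking source does not mask a logon at a time when no administrator should be working; the report's point about round-the-clock monitoring is that such an alert must reach someone who can act on it immediately.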