Sophos Report Reveals Alarming Speed and Sophistication of Cyberattacks in 2024

Sophos’ 2025 Active Adversary Report shows attackers are breaching systems faster than ever, with valid credentials and exposed remote services being the most common entry points. Median dwell time across all cases has dropped to just 2 days, highlighting the need for proactive monitoring and rapid response.


MALAYSIA, 9 APRIL 2025 – Sophos, a global leader in cyber security solutions, has released its 2025 Active Adversary Report, revealing that attackers are infiltrating networks faster and more efficiently than ever before. Based on over 400 Managed Detection and Response (MDR) and Incident Response (IR) cases throughout 2024, the report paints a stark picture of modern cyber threats.

The analysis found that 56% of attacks began with the exploitation of external remote services such as firewalls and VPNs, often using valid credentials to gain unauthorized access. This method, coupled with compromised credentials – the top root cause in 41% of all cases – continues to be a primary enabler of successful breaches. Vulnerability exploits (21.79%) and brute-force attacks (21.07%) were also key contributors.

One of the most striking findings is the speed of cyberattacks. In cases involving ransomware, data exfiltration, and data extortion, the median time from initial access to data exfiltration was only 72.98 hours (approximately 3 days). Alarmingly, most ransomware binaries were deployed outside normal business hours, with 83% occurring overnight, when security staffing and response capacity are at their thinnest.
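The off-hours finding above is something a defender can turn directly into a detection. The script below is an added example, not code from Sophos or the report: it takes remote-service logons and process launches, converts their timestamps into a local business-hours window, flags everything that falls outside it, and then correlates an off-hours remote logon with a process launch by the same account shortly afterwards (the pattern of a valid-credential VPN/RDP entry followed by hands-on activity). The event format, the UTC+8 baseline, the 08:00-18:00 weekday window, the one-hour correlation window and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag off-hours remote-service logons and process launches from constructed logs.

Added example (not from the Sophos report). Assumptions: a fixed UTC+8 local
timezone, business hours 08:00-18:00 Monday to Friday, and a constructed
one-line-per-event log format "<UTC ISO-8601> <event_type> <user> <detail>".
"""
from datetime import datetime, time, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=8))          # assumed: fixed offset, no DST
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
REMOTE_LOGON_TYPES = {"vpn_login", "rdp_login"}  # "external remote services"
CORRELATION_WINDOW = timedelta(hours=1)

# Constructed sample events (not real telemetry). 2024-06-11 is a Tuesday,
# 2024-06-15 a Saturday; timestamps are UTC, so 15:42Z is 23:42 local.
SAMPLE_EVENTS = [
    "2024-06-11T01:15:02Z vpn_login jsmith 203.0.113.7",
    "2024-06-11T15:42:11Z vpn_login svc_backup 198.51.100.23",
    "2024-06-11T18:07:45Z rdp_login administrator 10.0.0.5",
    "2024-06-11T18:19:03Z process_start administrator C:\\Windows\\Temp\\update.exe",
    "2024-06-12T02:30:00Z process_start jsmith C:\\Program Files\\Git\\bin\\git.exe",
    "2024-06-15T03:00:00Z rdp_login jsmith 10.0.0.9",
]


def parse_event(line):
    """Split one constructed log line into a dict with a timezone-aware UTC timestamp."""
    ts, etype, user, detail = line.split(" ", 3)
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": dt, "type": etype, "user": user, "detail": detail}


def is_business_hours(dt_utc, tz=LOCAL_TZ, start=BUSINESS_START, end=BUSINESS_END):
    """True if the UTC timestamp falls on a weekday inside [start, end) local time."""
    local = dt_utc.astimezone(tz)
    return local.weekday() < 5 and start <= local.time() < end


def find_off_hours_events(lines, tz=LOCAL_TZ):
    """Return every event outside business hours, with a reason and a coarse severity.

    Remote-service logons get the highest severity because the report names them
    (with valid credentials) as the most common initial-access path.
    """
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if is_business_hours(ev["ts"], tz):
            continue
        local = ev["ts"].astimezone(tz)
        reason = "weekend" if local.weekday() >= 5 else "outside %s-%s local" % (
            BUSINESS_START.strftime("%H:%M"), BUSINESS_END.strftime("%H:%M"))
        if ev["type"] in REMOTE_LOGON_TYPES:
            severity = "high"
        elif ev["type"] == "process_start":
            severity = "medium"
        else:
            severity = "low"
        flagged.append({**ev, "local_ts": local, "reason": reason, "severity": severity})
    return flagged


def correlate_logon_then_exec(lines, tz=LOCAL_TZ, window=CORRELATION_WINDOW):
    """Pair each off-hours remote logon with the first later process launch by the
    same user inside `window`; that sequence is the hands-on-keyboard signal."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    hits = []
    for i, logon in enumerate(events):
        if logon["type"] not in REMOTE_LOGON_TYPES or is_business_hours(logon["ts"], tz):
            continue
        for later in events[i + 1:]:
            if later["ts"] - logon["ts"] > window:
                break
            if later["type"] == "process_start" and later["user"] == logon["user"]:
                hits.append({"user": logon["user"], "logon_ts": logon["ts"],
                             "exec_ts": later["ts"], "command": later["detail"]})
                break
    return hits


if __name__ == "__main__":
    for f in find_off_hours_events(SAMPLE_EVENTS):
        print(f["severity"], f["local_ts"].isoformat(), f["type"], f["user"], f["reason"])
    for h in correlate_logon_then_exec(SAMPLE_EVENTS):
        print("CORRELATED", h["user"], h["logon_ts"].isoformat(), "->", h["command"])
```

In a real deployment the timestamps would come from the VPN concentrator, the domain controllers and the EDR agent rather than a single flat log, and the business-hours baseline should be per site and per account type (service accounts that legitimately run at night need their own window), but the shape of the rule is the same: the off-hours logon alone is a lead, the logon followed by execution is the alert.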

Sophos also reported that attackers typically attempted to breach Active Directory (AD) within just 11 hours of initial access—an aggressive tactic that, if successful, could grant attackers full control over organizational systems.

In terms of attacker visibility, the report shows a marked improvement in dwell time reduction. For MDR cases, ransomware was detected within 3 days, and non-ransomware attacks within 1 day. Across all cases, dwell time has halved from 4 days to just 2, largely due to the increased adoption of 24/7 threat monitoring services.

Ransomware groups such as Akira, Fog, and LockBit were among the most prevalent actors in 2024, despite high-profile law enforcement efforts to disrupt operations.

To combat these increasingly fast and coordinated threats, Sophos recommends immediate steps for businesses, including:

  • Closing exposed RDP ports
  • Implementing phishing-resistant multifactor authentication (MFA)
  • Timely patching of internet-facing systems
  • Deploying and monitoring Endpoint Detection and Response (EDR) or MDR solutions
  • Conducting regular incident response simulations
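The first recommendation, closing exposed RDP ports, is easy to state and easy to get wrong at scale, because exposure is usually the result of one over-broad inbound rule rather than a deliberate decision. The script below is an added example (not Sophos code and not tied to any particular product): it audits a list of cloud security-group style rules and reports every inbound rule that reaches a remote-management port (RDP, SSH, SMB, WinRM) from a source that is not on an explicit allowlist of internal or corporate ranges. The rule schema, the `"-1"` convention for "any protocol", the port-to-service table, the allowlist and the sample rules are all constructed assumptions.

```python
"""Audit inbound firewall/security-group rules for remote services exposed to untrusted sources.

Added example (not from the Sophos report). Assumptions: rules are dicts in a
cloud security-group style with direction, protocol ("tcp", "udp" or "-1" for
any), an inclusive from_port/to_port range and a source CIDR; the trusted source
allowlist is RFC 1918 plus one constructed corporate egress address.
"""
import ipaddress

# Remote-management ports that the recommendation is about; which ports count is
# a policy choice, and this table is an assumption for the example.
REMOTE_SERVICE_PORTS = {
    22: "SSH",
    445: "SMB",
    3389: "RDP",
    5985: "WinRM-HTTP",
    5986: "WinRM-HTTPS",
}

# Sources allowed to reach remote services at all (constructed allowlist).
TRUSTED_SOURCE_CIDRS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.10/32",   # assumed: the corporate office egress address
)]

# Constructed sample rule set (not real configuration).
RULES = [
    {"id": "sg-rule-1", "direction": "ingress", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},    # RDP to the world
    {"id": "sg-rule-2", "direction": "ingress", "protocol": "tcp",
     "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},       # SSH from inside only
    {"id": "sg-rule-3", "direction": "ingress", "protocol": "-1",
     "from_port": 0, "to_port": 65535, "cidr": "198.51.100.0/24"},  # everything from a partner range
    {"id": "sg-rule-4", "direction": "egress", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},    # outbound, not in scope
    {"id": "sg-rule-5", "direction": "ingress", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},      # public HTTPS, not a remote service
    {"id": "sg-rule-6", "direction": "ingress", "protocol": "tcp",
     "from_port": 5985, "to_port": 5986, "cidr": "::/0"},         # WinRM to all of IPv6
]


def is_trusted_source(cidr, trusted=TRUSTED_SOURCE_CIDRS):
    """True only if the whole source range sits inside one allowlisted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def rule_reaches_port(rule, port):
    """Does this rule admit TCP traffic to `port`? '-1' means any protocol."""
    if rule["protocol"] not in ("tcp", "-1"):
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def find_exposed_remote_services(rules, trusted=TRUSTED_SOURCE_CIDRS):
    """Return one finding per inbound rule that exposes a remote service to an
    untrusted source, listing the services it reaches in port order."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or is_trusted_source(rule["cidr"], trusted):
            continue
        services = [name for port, name in sorted(REMOTE_SERVICE_PORTS.items())
                    if rule_reaches_port(rule, port)]
        if services:
            findings.append({"rule": rule["id"], "source": rule["cidr"],
                             "services": services})
    return findings


if __name__ == "__main__":
    for f in find_exposed_remote_services(RULES):
        print("%s exposes %s to %s" % (f["rule"], ", ".join(f["services"]), f["source"]))
```

Two design points worth noting. The check is allowlist-based: a source is trusted only if its entire range is a subnet of a named internal network, so a rule opened to a "partner" /24 is reported just like `0.0.0.0/0`, which is what you want when the report's top entry point is a valid credential used against an externally reachable service. And a wide "any protocol, any port" rule is reported once with every remote service it reaches, rather than once per port, so the output maps one-to-one onto the rules an engineer has to change.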

The report ultimately underscores a critical message: passive cybersecurity is no longer viable. Organizations must adopt proactive defense strategies to keep pace with the evolving threat landscape.

Author: Terry KS
