Ransomware, misconfigured devices, and social engineering dominate Sophos 2025 threat report
What if the weakest link in cybersecurity wasn’t your software—but your firewall? Sophos’ “Cybercrime on Main Street 2025” report warns that small and midsized businesses are increasingly under siege, not by cutting-edge malware alone, but by outdated hardware, poor configurations, and overlooked systems.
Ransomware Still Reigns
Ransomware remains the top threat, accounting for 70% of incidents in small businesses and 90% in midsized firms. While the overall number of attacks has slightly declined, the cost of recovery has soared. Sophos observed a 50% rise in remote ransomware, in which the encryption is launched from an unmanaged device on the network, so the traditional endpoint protection tools on the affected machines never see the malicious process.
Old Devices, New Entry Points
Edge devices such as VPN gateways and firewalls were responsible for nearly a third of confirmed breaches. Vulnerabilities in products such as Veeam and Citrix, often left unpatched, created easy access points. In some cases, even devices that had since been patched remained compromised through web shells installed before the patch was applied.
Email & MFA Attacks Evolve
Business email compromise (BEC) incidents are rising fast. Attackers now use “vishing” over Microsoft Teams and sophisticated phishing platforms like Tycoon to bypass multifactor authentication (MFA). The use of QR-code phishing or “quishing” has also surged, targeting unsuspecting employees through their smartphones.
Criminals Package Their Playbooks
Rather than acting alone, attackers now use “STACs”—shared toolkits and tactics sold in underground markets. One cluster, STAC5881, exploited the Veeam vulnerability using different ransomware variants like Akira and Frag.
AI and EDR Killers: The New Threats
Cybercriminals are gradually adopting AI to craft more convincing phishing messages. At the same time, tools like EDRSandBlast are being used to target and disable endpoint detection and response (EDR) software.
What Businesses Must Do
Sophos advises switching from passwords to passkeys, enforcing MFA, patching edge devices promptly, and ensuring all systems are monitored, including those outside the traditional perimeter.