Report by Sophos
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
Key Findings
Compromised network edge devices account for a quarter of the initial compromises of businesses in cases that could be confirmed from telemetry.
Most active STAC campaigns tracked by Sophos MDR in 2024 were ransomware-related.
The Veeam vulnerability (CVE-2024-40711) and similar documented vulnerabilities played a role in nearly 15 percent of the cases Sophos MDR tracked involving malicious intrusions in 2024.
The use of remote ransomware increased 50 percent in 2024 over last year, and 141 percent since 2022.
Obsolete and unpatched hardware and software constitute an ever-growing source of security vulnerabilities.
The most frequently seen "EDR killer" in 2024 was EDRSandBlast.
Ransomware and data theft attempts accounted for nearly 30 percent of all Sophos Managed Detection and Response (MDR) tracked incidents (in which malicious activity of any sort was detected) for small and midsized businesses.
Over a third of all incidents involving intrusion into smaller organisations have systems on the network edge as the initial point of compromise.
The average price of "junk gun" ransomware obtained from an underground marketplace is $375.
EDRSandBlast variants were detected in waves of attempted ransomware attacks throughout 2024, including a dramatic peak around the US Thanksgiving holiday in November.
Ransomware cases accounted for over 90 percent of Sophos Incident Response cases for midsized organisations (from 500 to 5000 employees) in 2024.