Sophos has released the ‘2025 Sophos Active Adversary Report.’ This report explores how attackers behave and what methods they use based on over 400 cases of Managed Detection and Response (MDR) and Incident Response (IR) from 2024. The report found that in 56% of these cases, attackers entered networks by exploiting external remote services, like firewalls and VPNs, with valid account passwords.
The combination of external remote services and valid accounts aligns with the top root causes of attacks. For the second year in a row, compromised accounts were responsible for 41% of cases. The next biggest reasons were exploited vulnerabilities (21.79%) and brute force attacks (21.07%).
The Sophos X-Ops team examined ransomware cases like data theft and data extortion to see how quickly attackers acted. They found that the average time from the start of an attack to the data stolen was just under 73 hours (3.04 days). Additionally, once the data was stolen, it took only about 2.7 hours for the attack to be detected.
“Passive security is no longer enough. Organizations must closely watch their networks and respond quickly if they notice any problems. Attacks from determined adversaries require a strong defense. This often means blending knowledge about the business with expert help in detection and response,” said John Shier, field CISO.
Other Key Findings from the 2025 Sophos Active Adversary Report:
- Attackers can take control of a system in just 11 hours: On average, it took attackers 11 hours from their initial action to their first attempt at breaching Active Directory, a crucial part of any Windows network. If they succeed, they can easily gain control of the organization.
- Top Ransomware Groups in Sophos Cases: Akira was the most common ransomware group in 2024, followed by Fog and LockBit, despite a major takedown of LockBit earlier in the year. – Dwell Time is Down to Just 2 Days: Overall, the time it takes to detect attacks, known as “dwell time,” reduced from 4 days to just 2 days in 2024, mainly due to more MDR cases being included.
- Dwell Time is Down to Just 2 Days: Overall, the time it takes to detect attacks, known as “dwell time,” reduced from 4 days to just 2 days in 2024, mainly due to more MDR cases being included.
- Dwell Time in IR Cases: Dwell time remained stable at 4 days for ransomware attacks and 11.5 days for non-ransomware cases.
- Dwell Time in MDR Cases: In MDR cases, dwell time was only 3 days for ransomware and just 1 day for non-ransomware, suggesting that MDR teams can find and respond to attacks quickly.
- Ransomware Groups Work Overnight: In 2024, 83% of ransomware attacks happened outside of regular business hours.
- Remote Desktop Protocol (RDP) is Common: RDP was involved in 84% of MDR and IR cases, making it the most commonly abused Microsoft tool.
Read the full report: The 2025 Sophos Active Adversary Report on Sophos.com.
Also Read: Why A Homegrown LLM Is the Next Big Leap for India
