Skip to Content
Get started
Open search

Sophos 2025 Annual Threat Report

Ransomware is still the most prevalent and costly cyber threat to small businesses. Here’s what you need to know. 

Cybercriminals are becoming increasingly adept at exploiting the areas security defenders aren’t looking and maneuver inside the networks while keeping the lowest profile possible. In the Sophos 2025 Annual Threat Report, we take a close look at the expanding array of threats to small and medium-sized businesses.


Download the report today to discover how attackers are evolving their social engineering tricks, utilizing methods that include vishing, email-bombing and quishing, to steal credentials and infiltrate networks and eventually deploy ransomware. 

Read the blog

Ransomware is still the No. 1 threat to SMBs 

Ransomware cases accounted for 70% of Sophos Incident Response cases for small businesses and over 90% for midsized organizations. 

The 2025 Sophos Annual Threat Report covers the methods by which threat actors try to infiltrate networks and deploy ransomware, and the various ways they try to profit off those attacks. 

In this report, you’ll discover: 

  • Which attack vectors were most prominent in 2024.
  • The main categories of malware in use and what they target.
  • Which ransomware families pose the biggest threat to small businesses.
  • The latest social engineering threats.
  • Which legitimate software utilities and tools bad actors are exploiting to gain access to confidential data.
  • Specific steps organizations need to implement to have a comprehensive, layered approach to their security strategy.

Check out these and other topics covered in the Sophos 2025 Threat Report: 

Top sources of network intrustions

Compromised network edge devices were the largest single source of network intrusions, accounting for initial compromise in 25% of MDR/IR incidents.

Business email compromise growth

Attackers are bypassing MFA through adversary-in-the-middle authentication token capture to send convincing phishing.

Living off the land

Cybercriminals are becoming increasingly adept at exploiting the areas security defenders aren’t looking and maneuver inside the networks while keeping the lowest profile possible.

Threats to VPNs 

VPNs are the single largest source of compromise, accounting for the point of initial compromise in 20% of all MDR and IR cases. 

Slight shift in ransomware 

Attackers breach a compromised, and often under-protected, endpoint to encrypt data on other devices connected to the same network. 

Other popular types of malware

The most frequently encountered malware were loaders/droppers (40%), followed by stealer/spyware (19%).

How Sophos keeps up with the latest threats 

Sophos combines machine learning, automation, and real-time threat intelligence with frontline human expertise from Sophos X-Ops to deliver advanced, 24/7 threat monitoring, detection, and response that keeps up with the latest threats. The 2025 Sophos Annual Threat Report provides key insights that help organizations and security practitioners defend against threats old and new, including ransomware groups and services designed to launch multiple malware attacks and steal information.

Read the full report

Cybersecurity Delivered

Sophos is a worldwide leader in next-generation cybersecurity and protects more than 600,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Sophos delivers a broad portfolio of advanced security services and products to protect corporations and individuals against a wide range of cyberattacks.