Key Takeaways
- Barracuda analysis indicates that compromised firewalls are a leading origin point for ransomware incidents.
- Some attacks leverage vulnerabilities that are more than a decade old, such as those in legacy encryption protocols.
- Network edge devices remain a major initial access vector for threat actors.
Ransomware crews are once again adjusting their aim, and this time firewalls are taking the brunt of it. A new analysis from Barracuda shows that attackers are leaning heavily on weaknesses in these devices, often exploiting issues that organizations could have resolved years ago. It is an uncomfortable reminder for security teams that the edge, for all its importance, is sometimes the most neglected part of the network.
The Barracuda Managed XDR threat analysis draws on a substantial data pool, incorporating trillions of IT events and hundreds of thousands of security alerts. That dataset pointed to a striking trend: a significant proportion of ransomware incidents in the past year were tied to firewall compromise. Sometimes it was a vulnerability, sometimes an abused account, but the pattern was consistent across the board. In many cases, the vulnerabilities detected already had a publicly available exploit, underscoring that attackers were not necessarily relying on novel techniques. They were simply taking what was easy.
Here is the thing that may surprise some teams. A frequently detected vulnerability was CVE-2013-2566, a flaw tied to outdated encryption that first surfaced more than a decade ago. Legacy appliances and older embedded systems still rely on this algorithm, which means it keeps appearing in environments that have not been fully modernized. Legacy debt is not a new conversation in cybersecurity, but this report gives it renewed weight.
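CVE-2013-2566 is the RC4 keystream-bias weakness in TLS, so the practical audit question for a legacy appliance is simply whether its management or VPN endpoint will still negotiate an RC4 cipher suite. The following added example (not from Barracuda or the report) sends a TLS ClientHello that offers only the standard RC4 suite IDs and reports which suite, if any, the server picks; the hostname is a constructed placeholder, and the parser is kept separate so it can be exercised on a captured ServerHello without a live connection.

```python
import os
import socket
import struct

# IANA cipher suite IDs for the RC4 suites affected by CVE-2013-2566.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}


def build_rc4_client_hello(server_name: str) -> bytes:
    """TLS 1.2 ClientHello offering only RC4 suites (plus an SNI extension).
    A server that completes the handshake must have chosen one of them."""
    suites = b"".join(struct.pack("!H", s) for s in RC4_SUITES)
    host = server_name.encode()
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni  # extension type 0 = SNI
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, no session id
            + struct.pack("!H", len(suites)) + suites       # cipher_suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext)) + ext)            # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def negotiated_rc4_suite(response: bytes):
    """Parse the first TLS record of the server's reply. Returns the RC4 suite
    name if the server selected one, else None (alert, truncated, or other suite)."""
    if len(response) < 5:
        return None
    content_type, rec_len = response[0], struct.unpack("!H", response[3:5])[0]
    payload = response[5:5 + rec_len]
    # 0x16 = handshake record; handshake type 0x02 = ServerHello. An alert
    # record (0x15, typically handshake_failure) means RC4 was refused.
    if content_type != 0x16 or len(payload) < 41 or payload[0] != 0x02:
        return None
    sid_len = payload[38]                      # after type(1) len(3) version(2) random(32)
    offset = 39 + sid_len
    if len(payload) < offset + 2:
        return None
    suite = struct.unpack("!H", payload[offset:offset + 2])[0]
    return RC4_SUITES.get(suite)


def server_accepts_rc4(host: str, port: int = 443, timeout: float = 5.0):
    """Probe a host you administer; returns the accepted RC4 suite name or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rc4_client_hello(host))
        return negotiated_rc4_suite(sock.recv(4096))
```

Run `server_accepts_rc4("fw.example.internal")` against an appliance in your own inventory; a non-None result means the device still offers the cipher the CVE describes and belongs on the remediation list.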
Sophos has been sounding a similar alarm. Findings in its own annual threat report indicated that network edge devices like routers, VPN concentrators, and firewalls make up nearly 30 percent of initial access vectors in observed intrusions. Anyone who has managed these devices knows how often they are placed at the perimeter and then, slowly, fall off the patching schedule. It is not always intentional. Sometimes the maintenance window never comes, or firmware updates require downtime that administrators hesitate to schedule. Still, attackers do not pause out of courtesy.
Another angle worth noting is the broader expansion of ransomware groups themselves. Searchlight Security’s recent ransomware reporting found that active ransomware crews reached unprecedented levels, with victim growth rates surging compared to previous years. More groups mean more scanning, more automation, and more pressure on organizations whose defenses were already strained. It also means that opportunistic attacks scale more easily, and firewall vulnerabilities make for a tempting entry point.
In late 2024, security researchers highlighted that multiple generations of SonicWall firewall appliances with SSL VPN capabilities were being targeted by the Akira ransomware group. Advisories suggested that dozens of organizations were impacted. In several cases, numerous SSL VPN accounts across customer environments were compromised and used for follow-on activity. That detail illustrates a point that often gets overlooked. Attackers do not always need perfect access; sometimes a handful of valid accounts provide all the leverage necessary.
The broader question is why firewalls remain so exposed. Part of it comes down to their role as the gatekeepers of the network. If an attacker can compromise the gate, everything behind it becomes far easier to reach. Another part comes from configuration sprawl. Over time, rules get added, never removed, and the device becomes a patchwork of special exceptions. Vulnerabilities in older firmware sometimes go unaddressed because administrators are unsure whether upgrading will disrupt critical services.
Some organizations have responded by wrapping additional layers of monitoring around their perimeter devices. Others are segmenting networks more aggressively to limit blast radius. Both are reasonable tactics, but neither eliminates the core dependency on properly maintained edge hardware. It is fair to ask whether the industry needs a more fundamental shift in how these devices are deployed or automated, though that is not an overnight transition.
Meanwhile, attackers continue adjusting faster than many defenders can keep up. The low-hanging-fruit problem will persist as long as outdated firmware, unused accounts, and forgotten configurations remain in place. The takeaway from Barracuda’s analysis is less about any one exploit and more about the consistency of the pattern. Firewall compromise has become a primary playbook item for ransomware groups because it works.
Organizations looking for where to start may not need a long search. Firewalls often sit at the top of the priority list for a reason. When these devices fall out of alignment with modern security expectations, the rest of the network becomes far easier to breach. The uptick in targeting is a reminder that attackers understand this dynamic all too well. The challenge now is ensuring that defenders treat the perimeter with the same urgency.