Ransomware in 2025: The Real Risk, the Gaps That Persist, and What Actually Works

Ransomware attacks aren’t slowing down. They’re getting smarter, faster, and more expensive. In a recent webinar, “Ransomware in 2025: Evolving Threats, Exploited Vulnerabilities, and a Unified Defense Strategy,” Critical Start Field CISO Tim Bandos and Qualys Senior Partner Security Solutions Architect John Delaroderie broke down what ransomware really looks like in 2025 and how organizations are still getting caught off guard by the basics.

Here’s what they had to say, and what it means for your security program.

The Problem Isn’t Just Ransomware. It’s Visibility.

Most security leaders know the threats are out there. But that’s not enough. The problem is knowing where you’re exposed before attackers do.

“What we have found is that 31% of ransomware attacks started from unknown to organization assets.” – John Delaroderie

These are assets outside the (metaphorical) streetlight. Think of unsupported software, unscanned perimeter devices, or rogue cloud assets. They’re not prioritized. They’re not patched. And they’re exactly what ransomware actors exploit.

It’s Not Always a Phishing Link. Sometimes It’s Just a Missed Patch.

Ransomware entry points are rarely flashy. They’re usually fixable.

“32% of these attacks started with an unpatched vulnerability.” – Tim Bandos

This includes known CVEs in VPN software, outdated remote access tools, or common enterprise applications. In one real-world case, attackers exploited a known ESXi vulnerability and moved laterally to take over an entire environment.

“They gained that initial access to the organization through a Qakbot infection. They exploited that vulnerability, they elevated their privileges, they moved laterally to domain controllers.” – Tim Bandos

Alert Fatigue Is Still a Top Risk Factor

Security teams aren’t short on tools. They’re short on clarity.

“You’re focusing on your external facing ones … those internal ones, those endpoints … all that becomes a problem that these ransomware actors are able to exploit.” – John Delaroderie

In many cases, teams miss early warning signs not because they aren’t detected, but because they’re buried in noise.

This is why detection alone is no longer enough. It’s about visibility, prioritization, and fast, expert response.

The Stakes Are Higher Than Ever

Here are the numbers no cybersecurity professional wants to hear:

  • 58% of companies shut down operations after an attack, with an average downtime of 12 hours.
  • $10,000 per hour is what one manufacturing site lost while a key server was down.
  • 80% of companies that paid ransom were hit again.
  • 70% of companies paid more the second time.

“They paid a ransom, and they got their services back … then they were hit with the same attack on the same vulnerabilities with a higher demand.” – John Delaroderie

Defense Is an Enterprise-Wide Problem, Not Just an Endpoint Problem

There is no single tool that stops ransomware. It takes visibility across IT and OT, detection tuned to your environment, and response that cuts through the chaos.

“You can’t just focus on preventing ransomware on an endpoint like a laptop. You have to have an enterprise approach.” – John Delaroderie

Critical Start MDR is designed to deliver exactly that. With complete signal coverage, a 24×7 human-led SOC, and the MobileSOC® app for real-time containment, our approach helps organizations respond fast and avoid repeat attacks.

What You Can Do Right Now

Both speakers agree: remediation and preparation matter more than ever.

“Don’t be the next headline … don’t have that financial loss where you’re down for days because you didn’t plan ahead.” – John Delaroderie

“Making sure you have tabletop exercises and going through your business continuity practice … you don’t want to be testing it during a ransomware engagement.” – Tim Bandos

Ransomware in 2025 isn’t just a threat; it’s a test of how well your team can see, prioritize, and act. Most organizations already have the data. The challenge is making it actionable.

Ready to close the gaps before ransomware finds them?

Let’s talk.

See how Critical Start MDR gives you the visibility and confidence to move faster, reduce risk, and outmaneuver modern ransomware.

