63% of Cyberattacked Companies in 2024 Did Not Use Multi-Factor Authentication, According to Sophos

The speed of attacks is accelerating: cybercriminals take only 3 days to exfiltrate data and 11 hours to compromise Active Directory

The latest Sophos Active Adversary report, for 2025, confirms a concerning trend: 63% of organizations that suffered cyberattacks in 2024 did not have multi-factor authentication (MFA) enabled. This figure is nearly triple the percentage recorded in 2022 (22%) and is consistent with compromised credentials being the most common cause of attacks (41% of cases) for the second consecutive year.

The study, based on over 400 cases analyzed by Sophos’s incident response (IR) and managed detection and response (MDR) services, underscores how the lack of basic security measures remains a decisive factor in the success of cyberattacks.

Attacks no longer wait

The average time it takes an attacker to exfiltrate sensitive data once they gain access to a network is just 72 hours. During this same timeframe, many cases of ransomware and extortion have already occurred. Additionally, the time between the breach and detection is reduced to about 2.7 hours, highlighting how challenging it is to react once the attack has begun.

“Companies need to shift from passive security to active and coordinated defense,” warns John Shier, Field CISO at Sophos. “The combination of proactive monitoring and expert response makes a difference in the outcome of an attack.”

Other key findings from the report:

  • 71% of initial accesses occur through external remote services like VPNs or exposed firewalls. Of these, 79% were due to the use of compromised credentials.
  • Attackers take an average of only 11 hours to compromise Active Directory, facilitating total control of the internal network.
  • The Akira ransomware group was the most active in 2024, followed by Fog and LockBit, the latter despite its partial dismantling.
  • Median dwell time dropped to 2 days, thanks to the rise of MDR services, which allowed threats to be detected much earlier than traditional methods.
  • 84% of ransomware attacks were executed outside the victims’ business hours, taking advantage of reduced monitoring.
  • Microsoft's RDP remains the protocol most exploited by attackers, present in 84% of cases.

MFA: the forgotten defense

One of the most alarming data points from the report is that in 2024, MFA was not enabled at 66% of organizations without MDR and at 62% of those with it. This basic configuration failure demonstrates that, even as detection tools advance, many environments are still not implementing fundamental defenses.

The lack of MFA, combined with the presence of unprotected systems, vulnerable VPNs, or unsupported devices, places many companies in a state of critical exposure. And although the use of tools like Impacket and techniques like lateral movement has increased, 47% of the analyzed environments did not have complete logs, greatly hindering investigations.

Conclusion: tools alone aren’t enough; strategy is needed

The Sophos report highlights that organizations that combine prevention, active detection, and rapid response achieve better outcomes against increasingly sophisticated and fast-moving attacks. The absence of MFA and other essential measures remains a common and preventable vulnerability.

“Cybercriminals don’t sleep, and the data proves it: three days is all it takes to steal your information and encrypt your system. Cybersecurity today is not optional; it’s a matter of business survival,” concludes Shier.

The complete report, “It Takes Two: The 2025 Sophos Active Adversary Report”, can be accessed at Sophos.com.
