Fenix24 Reports Top Breach Tactics of 2025 and Lessons Learned
Looking back across the cybersecurity landscape of 2025, it was a year in which misconfigurations, technical debt, and unresolved flaws came home to roost. Most importantly, we learned that ransomware isn’t the cause of catastrophic failures. It’s a symptom.
The situation is not improving. If anything, it’s accelerating — notably for law firms across the UK. Examining ransomware and threat-actor eviction cases this past year, Fenix24 has seen a consistent pattern. Organizations weren’t “broken by ransomware.” They were exposed by it. These breaches reveal what has been fragile for years: environments operating with assumed risk, whether their owners realize it or not.
Notably, third-party risk was on full display. Many organizations learned this year their Managed Service Provider (MSP) was not fully aligned with the required security posture. This alignment can no longer be an assumption.
A vast number of Common Vulnerabilities and Exposures (CVEs) and zero days supplied the initial entry vectors. Overall security design, however, was the systemic failure: poor design was the difference between a minor incident and a full-scale ransomware attack.
A single foothold — whether from a CVE, phishing, or one compromised system — routinely cascaded into a full systemic compromise within 24–72 hours. This shouldn’t be possible in a well-architected environment.
Worse still, many victims learned during the breach that their backups were exposed or non-functional. When recovery depended on them, those protections had already been erased by the threat actor or had quietly failed long before the incident.
A breakdown in security basics
“Let’s not place all the blame on individual vendors or products,” Fenix24 Associate Director Jeff Liford said. “Honestly, zero days are inevitable. The problem is that there’s a fundamental breakdown in security basics. I see this more tied to flat networks with excessive trust and minimal or no controls between critical systems. Additionally, identity is entirely over-relied on as a security boundary. For many law firms it’s the only boundary.”
Liford explained that we’re not losing environments because attackers are getting dramatically better. We’re losing them because the underlying architecture cannot withstand a single point of compromise without total systemic failure. This isn’t a problem confined to law firms.
“I see common security issues no matter what the size of the organization,” Liford said. “These aren’t failures because we lack the tools. It’s a failure to prioritize and resource the correct work efforts. Some environments are legitimately under-resourced, but others are resourced incorrectly. The solution is not in another tool. We need organizational and cultural commitment to security fundamentals.”
The expanding attack surface
Critical infrastructure and essential services were increasingly targeted during 2025. Attacks hit particularly vulnerable sectors, including healthcare, governments, transportation, and public utilities. It’s apparent that even non-technical organizations, such as law firms, are top targets.
Incidents are no longer just data leaks. They have shifted toward combined attacks intended to cause operational disruption, potentially affecting individual health and wellbeing, along with reputational harm and the exposure of intellectual property.
The attack surface is expanding as more services migrate to the cloud, Software as a Service (SaaS), and third-party vendors. Fenix24 has seen single breaches cascade into multi-organization incidents because of shared infrastructure and shared vendors. Credential theft and identity-based attacks are clearly on the upswing. Stolen credentials and insecure identity/SSO systems open the door to a range of attacks, and ransomware continues to evolve to exploit these weaknesses.
During the past year, Liford observed a variety of breach patterns over and over again. Here’s what UK law firms should watch going forward:
- Firewall management interfaces exposed to the internet. Administrative interfaces are increasingly reachable from the public internet rather than restricted to an internal management network.
- Lack of multi-factor authentication (MFA). Also widespread is poor password hygiene, including variations of “admin pass” and “company1234,” alongside many shared or common credentials.
- VPNs permitting non-corporate and unmanaged devices, often with direct access to crown-jewel systems such as hypervisors and backup infrastructure.
- Lack of network segmentation. User subnets can directly reach management interfaces on critical infrastructure devices and backends.
- Poor patch and vulnerability management. Fenix24 frequently encounters critical CVEs unaddressed for months, unsupported systems in production, and no defined patching cadence or accountability structure.
- Third-party vendor failures. Repeated cases in which MSP or vendor missteps amplified the impact of an incident. Notably, three of Fenix24’s eight largest breach engagements during 2025 were directly caused by MSP procedural failures.
- Shadow IT and lack of asset visibility. During most events, organizations could not provide a clear picture of their own environment. Several Fenix24 engagements uncovered millions of dollars’ worth of shadow IT operating completely outside IT/security’s purview.
- Backups unmonitored, untested, and unprotected. Even when backups survived, they were often not viable for restoration. In many cases, threat actors deleted or encrypted backups entirely. Catastrophic resiliency failures were one of the most consistent patterns of the year.
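Several of the patterns above (firewall admin interfaces open to the internet, VPN pools and user subnets with a straight path to hypervisor and backup management ports) are checkable against a firewall policy before an attacker checks them for you. The following is an added example, not code from Fenix24 or the report: it evaluates constructed first-match rules for each source zone against each crown-jewel host and treats any allowed management port as a finding. The rules, zone sample addresses, asset list and management-port table are all constructed for illustration; public addresses use documentation ranges.

```python
"""Exposure audit for flat-network patterns: can a user subnet, a VPN pool or
the internet reach a management port on a crown-jewel host, given a first-match
firewall policy? Added example; rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # inclusive TCP port range (low, high)
    action: str     # "allow" or "deny"


# Well-known management services on infrastructure hosts (illustrative list).
MGMT_PORTS = {22: "ssh", 443: "https-admin", 902: "esxi", 3389: "rdp", 5985: "winrm"}

# Constructed policy: one deliberate segmentation rule, one exposed firewall
# admin interface, one flat "internal any-to-any", then the default deny.
RULES = [
    Rule("10.20.0.0/24", "10.10.0.20/32", (1, 65535), "deny"),  # users -> backup server blocked
    Rule("0.0.0.0/0", "203.0.113.1/32", (443, 443), "allow"),   # firewall admin UI open to the world
    Rule("10.0.0.0/8", "10.0.0.0/8", (1, 65535), "allow"),      # flat internal network
    Rule("0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny"),         # default deny
]

# One sample address per source zone (a full audit would enumerate each subnet).
ZONES = {"users": "10.20.0.10", "vpn": "10.30.0.10", "internet": "198.51.100.7"}

# Crown-jewel hosts: name -> (address, role). TEST-NET ranges used for public IPs.
ASSETS = {
    "esxi01": ("10.10.0.5", "hypervisor"),
    "backup01": ("10.10.0.20", "backup"),
    "fw-edge": ("203.0.113.1", "firewall-mgmt"),
}


def first_match(rules, src_ip, dst_ip, port):
    """Return (action, rule_index) of the first rule matching the flow, or
    ("deny", None) when nothing matches (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action, i
    return "deny", None


def audit(rules, zones, assets):
    """Every (zone, asset, port) the policy allows is a finding: management
    ports on critical infrastructure should be reachable only from a dedicated
    management network, which is deliberately not among the zones tested."""
    findings = []
    for zone, src in zones.items():
        for asset, (dst, role) in assets.items():
            for port, service in MGMT_PORTS.items():
                action, idx = first_match(rules, src, dst, port)
                if action == "allow":
                    findings.append({"zone": zone, "asset": asset, "role": role,
                                     "port": port, "service": service, "rule": idx})
    return findings


def by_zone(findings):
    """Count findings per source zone for a quick summary."""
    counts = {}
    for f in findings:
        counts[f["zone"]] = counts.get(f["zone"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(RULES, ZONES, ASSETS)
    for f in results:
        print(f"{f['zone']:>8} -> {f['asset']}:{f['port']} ({f['service']}, "
              f"{f['role']}) allowed by rule {f['rule']}")
    print(by_zone(results))
```

Run against the constructed policy, the one deny rule protecting the backup server does its job for the user subnet, but the flat 10.0.0.0/8 allow hands the VPN pool every management port on both the hypervisor and the backup server, and the 443 rule exposes the firewall’s own admin interface to the internet. Replace RULES, ZONES and ASSETS with an export of your real policy and inventory to run the same check for real.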
Looking ahead to 2026
The rapid rise of AI-assisted tooling will dramatically accelerate threat actors’ ability to compromise poorly architected networks. UK law firms already struggling with the fundamentals will face even faster and more automated exploitation chains in 2026. Recovery-based resilience desperately needs to move to the forefront of security planning.
Credential hygiene and identity management will become even more critical (MFA, zero trust, third-party risk audits). Ransomware and extortion tactics will certainly continue to evolve: there will always be a new gang, more complex demand schemes, and further targeting of non-traditional sectors.
Preparing for the day you hope never comes
“The industry has told itself ‘when, not if’ an attack will occur for quite a long while now, but most organizations I see are still entirely focused on exterior prevention,” Liford said. “This is the wrong approach.”
The nature of CVEs and zero days means that some attacks will inevitably succeed. While you cannot prevent 100% of attacks, you can control your recoverability and response options, according to Liford.
“Solve for recovery first,” he advises. “Your ability to recover from a breach is greater than the power to resist one. By locking down your data with truly immutable backup technology, a quick and full recovery from a breach is within reach.”
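The backup failures described earlier (sets quietly deleted, encrypted or altered long before anyone tried to restore) are the kind of thing a scheduled verification job catches. What follows is an added example, not Fenix24’s code or tooling: it fingerprints a backup set, authenticates the manifest with an HMAC whose key is assumed to be held on a separate, write-protected system, and reports deleted, modified or unexpected files, as well as a manifest rewritten by someone without the key. File names, contents and the key are constructed for the demonstration. It does not make storage immutable; that comes from the backup platform (object lock, offline or air-gapped copies). It only tells you whether what is still there matches what you wrote, which is the question that matters on recovery day.

```python
"""Backup set verification: detect deleted, modified or swapped files, and
manifests rewritten by someone who lacks the signing key. Added example with
constructed data; the key is assumed to live on a separate, write-protected host."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Deterministic JSON body plus an HMAC-SHA256 tag on its own line."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_backup(root, signed: bytes, key: bytes) -> dict:
    """Compare the current backup set with the signed manifest.
    A bad tag short-circuits: an unauthenticated manifest proves nothing."""
    body, _, tag = signed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    report = {"ok": False, "reason": "", "missing": [], "modified": [], "extra": []}
    if not hmac.compare_digest(expected, tag):
        report["reason"] = "manifest tag invalid (rewritten without the key?)"
        return report
    recorded, current = json.loads(body), build_manifest(root)
    report["missing"] = sorted(set(recorded) - set(current))
    report["extra"] = sorted(set(current) - set(recorded))
    report["modified"] = sorted(p for p in recorded
                                if p in current and current[p] != recorded[p])
    report["ok"] = not (report["missing"] or report["modified"] or report["extra"])
    report["reason"] = "" if report["ok"] else "backup set differs from manifest"
    return report


def demo() -> dict:
    """Constructed scenario: a clean run, then an intruder deletes one file and
    alters another, then tries to cover up by re-signing with a guessed key."""
    key = b"constructed-demo-key-held-off-host"
    reports = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "ledger.bak").write_bytes(b"\x00" * 4096)
        (root / "config.yml").write_text("retention: 30d\n")
        (root / "fileshare").mkdir()
        (root / "fileshare" / "contracts.zip").write_bytes(b"PK\x03\x04demo")
        signed = sign_manifest(build_manifest(root), key)
        reports["clean"] = verify_backup(root, signed, key)

        (root / "db" / "ledger.bak").unlink()                # deleted by the intruder
        with (root / "config.yml").open("a") as f:
            f.write("retention: 0d\n")                       # quietly altered
        reports["tampered"] = verify_backup(root, signed, key)

        forged = sign_manifest(build_manifest(root), b"wrong-key")
        reports["forged"] = verify_backup(root, forged, key)
    return reports


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

The signing key stays off the backup host on purpose: an attacker who owns the host can rewrite a plain checksum file to match whatever they left behind, but cannot forge the tag without the key, so the check fails loudly instead of reporting a healthy set. Pair a verification like this with periodic test restores; a set that hashes correctly but cannot be restored is still not a backup.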
Resilience, not prevention, will determine which law firms survive cyberattacks in 2026.