
Author: Alexander Ivanyuk — Senior Director, Technology

The Acronis Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis Threat Research Unit (TRU) and Acronis sensors. Figures presented here were gathered in September 2025 and reflect threats that Acronis detected, as well as news stories from the public domain. This report represents a global outlook and is based on more than one million unique endpoints distributed around the world.


Incident of the month

A recently released proof-of-concept tool called EDR-Freeze shows how attackers can abuse Windows Error Reporting (WER) to quietly suspend security tools without needing a vulnerable driver. Instead of the common “bring your own vulnerable driver” (BYOVD) tricks, this method works entirely in user mode by leveraging legitimate Windows components. It launches a protected WER process that calls MiniDumpWriteDump on a security application, which temporarily suspends all of that application's threads while the dump is taken. The attacker then halts the WER process before it can resume the target, leaving the EDR or antivirus frozen in place indefinitely.

Researchers demonstrated the technique on Windows 11, where it suspended even Microsoft Defender. Because it relies on intended Windows behavior, there is no single vulnerability that a patch can simply fix. Defenders may need to monitor unusual WER activity or restrict how dumping tools interact with sensitive processes.
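A small detection sketch for the "monitor unusual WER activity" advice above, added here as an example (it is not Acronis code or part of the EDR-Freeze tool): it walks constructed process-creation events and flags a WER binary that was launched by an unexpected parent or asked to dump a known security process. The WER and security image names, the expected parent, the event fields and the command-line PID flag are all assumptions for illustration.

```python
"""Flag process-creation events in which a Windows Error Reporting (WER) binary is
launched oddly or asked to dump a security product's process.  Constructed sample
data; image names, parent expectation and command-line flag are assumptions."""
import re
from dataclasses import dataclass

WER_IMAGES = {"werfault.exe", "werfaultsecure.exe"}      # assumed WER binary names
EXPECTED_WER_PARENT = "svchost.exe"                       # assumed: WER service host
SECURITY_IMAGES = {"msmpeng.exe", "sensendr.exe"}         # assumed AV/EDR image names
# Assumed: the PID of the process to be dumped appears as "-p N" or "/pid N".
TARGET_PID = re.compile(r"(?:-p|/pid)\s+(\d+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


def find_suspicious_wer(events):
    """Return [(wer_pid, [reasons...])] for WER launches worth an analyst's look."""
    image_by_pid = {e.pid: e.image.lower() for e in events}
    findings = []
    for e in events:
        if e.image.lower() not in WER_IMAGES:
            continue
        reasons = []
        if e.parent_image.lower() != EXPECTED_WER_PARENT:
            reasons.append(f"unexpected parent {e.parent_image}")
        m = TARGET_PID.search(e.cmdline)
        if m:
            target_pid = int(m.group(1))
            target = image_by_pid.get(target_pid, "<unknown>")
            if target in SECURITY_IMAGES:
                reasons.append(f"dump target is security process {target} (pid {target_pid})")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


# Constructed sample: one normal crash dump of notepad, one WER launch aimed at the AV engine.
SAMPLE_EVENTS = [
    ProcEvent(4812, "MsMpEng.exe", "services.exe", "MsMpEng.exe"),
    ProcEvent(7320, "notepad.exe", "explorer.exe", "notepad.exe"),
    ProcEvent(5100, "WerFault.exe", "svchost.exe", "WerFault.exe -u -p 7320 -s 1052"),
    ProcEvent(6204, "WerFaultSecure.exe", "untrusted.exe", "WerFaultSecure.exe /h /pid 4812 /tid 9"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious_wer(SAMPLE_EVENTS):
        print(f"WER pid {pid}: " + "; ".join(reasons))
```

In a real deployment the same two signals (parent lineage and dump target) would come from Sysmon or EDR process telemetry, and a WER process whose threads stay suspended after the dump should finish is a third signal worth alerting on.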

Importantly, while this attack can disable many EDRs, Acronis EDR is not vulnerable. Testing shows it detects and blocks the attempt, remaining fully operational and immune to this freeze technique.


September malware detections

In September, Acronis Cyber Protect blocked almost five million malware threats on endpoints.

The tables below show the percentage of Acronis clients that had at least one malware threat blocked at the endpoint, as well as the normalized percentage of clients with at least one malware detection. The higher the percentage, the higher the risk of a workload in that country being attacked by malware.

[Tables not reproduced here: percentage of clients with at least one malware threat blocked, and normalized percentage of clients with at least one detection, by country]

Protection

The aforementioned threats can be detected and mitigated with solutions from Acronis.

Acronis Cyber Protect Cloud protects against both known and never-before-seen threats through a multilayered protection approach. This includes behavior-based detection, AI- and ML-trained detections and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically without any user interaction.

Additional email security and URL filtering can help you protect against social engineering threats. And your Acronis #CyberFit Score helps you quickly identify systems that need attention, while integrated patch management makes updating your software to the latest versions simple.

Acronis XDR for Acronis Cyber Protect Cloud brings the visibility needed to understand attacks while simplifying the context for administrators and enabling efficient remediation of any threats.