60% of Akira Ransomware Victims Had EDR and Still Got Encrypted
At-Bay's 2026 InsurSec Report shows EDR alone failed against Akira ransomware. Only 24/7 MDR stopped full encryption. Here's what the claims data reveals.

Sixty percent of businesses hit by the Akira ransomware group in 2025 had a leading EDR solution deployed on their endpoints. They still got encrypted. The only organizations that escaped full encryption were those that paired EDR with 24/7 managed detection and response. This isn’t a vendor pitch. It’s what At-Bay’s 2026 InsurSec Report found by analyzing over 6,500 actual insurance claims and 100,000 policy years of real-world data.
For business owners who’ve invested in endpoint protection and assumed the problem was handled, this report is a direct challenge to that assumption. EDR is necessary, but the claims data proves it isn’t sufficient.
What At-Bay’s Insurance Claims Data Actually Shows
At-Bay is a cyber insurance carrier, not a security vendor. Their data comes from claims they paid out, not from marketing surveys or lab tests. That distinction matters because insurance claims represent attacks that succeeded, not attacks that were attempted.
The headline findings from the 2026 InsurSec Report are stark:
- Akira accounted for over 40% of all ransomware claims in 2025, making it the dominant ransomware group by a wide margin.
- 60% of Akira victims had a leading EDR product deployed at the time of the attack.
- Only businesses with EDR plus 24/7 MDR escaped full encryption. EDR alone, even from top vendors, failed to prevent the attack from completing.
- Businesses under $25M in revenue saw ransomware frequency jump 21% year over year.
- Average claim severity for SMBs surged 40% to $422,000. That’s the average payout per incident, covering ransom, recovery, business interruption, and legal costs.
According to Insurance Business Magazine’s coverage, Akira’s dominance represents a concentration of risk that has fundamentally shifted how carriers assess their exposure. One group driving nearly half of all claims means your risk profile is increasingly determined by whether your defenses can stop that specific group’s playbook.
The Detection vs. Response Gap: Why EDR Failed
EDR does exactly what it’s designed to do. It monitors process behavior on endpoints, flags suspicious activity, and generates alerts. The technology works. What failed in 60% of Akira cases wasn’t the detection. It was the response.
Here’s the sequence that plays out in most successful Akira attacks: the EDR platform detects the initial compromise and generates an alert. That alert sits in a dashboard. If it fires at 2 PM on a Tuesday, an IT team member might see it within minutes and initiate containment. If it fires at 11 PM on a Friday, or during a holiday weekend, or when the sole IT person is handling another priority, nobody acts on it until the damage is done.
Akira operators know this. Reinsurance News reported that modern ransomware groups, Akira in particular, deliberately time their attacks for periods of low staffing. They gain initial access, establish persistence, and then wait. When they execute the encryption payload, they choose moments when the gap between “alert generated” and “human responds” is widest.
An EDR platform generating alerts with no one watching is a security camera recording a robbery. The footage exists, but nobody called the police. The distinction between EDR and MDR is the 24/7 human response layer. MDR services pair the same EDR technology with a Security Operations Center staffed around the clock by analysts whose job is to investigate every alert and take immediate containment action when something is confirmed malicious.
At-Bay’s data proves this isn’t theoretical. Businesses that had the same EDR product but added 24/7 MDR monitoring stopped Akira from completing encryption. The technology was identical. The difference was whether a human being was watching and responding at the moment the attack moved from initial access to lateral movement to encryption.
How Akira Targets SMBs Through Network Appliances
Akira doesn’t pick targets by industry, geography, or brand recognition. They hunt by vulnerability. Specifically, they scan the internet for exposed network appliances (VPN concentrators, firewalls, and remote access gateways) running unpatched firmware or using compromised credentials.
This targeting methodology is why SMBs bear a disproportionate share of Akira attacks. Large enterprises typically have dedicated teams patching network equipment within days of a vulnerability disclosure. Businesses with 50 to 500 employees often rely on their IT provider to manage these appliances, and patching cadence varies widely depending on the provider’s processes.
According to At-Bay’s report, the shift toward infrastructure-led exploitation means that having a Fortinet, SonicWall, or Cisco VPN appliance exposed to the internet with a known vulnerability is effectively an open invitation. Akira’s operators aren’t sending phishing emails and hoping someone clicks. They’re running automated scans that identify vulnerable devices, confirming the device is reachable, and exploiting known CVEs to gain network access without ever touching an endpoint.
Once inside the network through a compromised appliance, the attacker already has a foothold that bypasses endpoint-level controls. They’re on the network, not on a workstation. From there, they move laterally to domain controllers and file servers. By the time the activity touches an endpoint that EDR monitors, the attacker has already mapped the network, identified backup systems, and positioned themselves to deploy encryption across multiple systems simultaneously.
This is why perimeter security and vulnerability management matter alongside endpoint protection. If your VPN appliance is running firmware with a known exploit, EDR on your laptops won’t help because the attacker never needs to touch a laptop to reach your critical servers.
What This Means for Your Cyber Insurance
Insurance carriers use claims data to set premiums and coverage requirements. When one ransomware group drives 40% or more of claims, and the data shows which controls stopped it versus which didn’t, carriers adjust their underwriting accordingly.
The practical effect is already visible. As we covered in our post on cyber insurance renewal requirements in 2026, carriers increasingly require proof of 24/7 monitoring, not just endpoint protection software. At-Bay’s report gives carriers hard evidence to justify this requirement. They can point to their own claims book and say: businesses with EDR alone had a 60% failure rate against the most active ransomware group. Businesses with EDR plus MDR had a near-zero encryption rate.
Help Net Security’s coverage of the report highlights that carriers are using this data to differentiate pricing. Organizations that can demonstrate 24/7 SOC coverage with documented response SLAs are getting better rates. Those relying solely on EDR are facing premium increases and, in some cases, ransomware coverage exclusions.
If your policy is up for renewal in the next 12 months, your carrier’s underwriting team has likely already read this report. They will ask about your monitoring coverage. The answer “we have EDR deployed” is no longer sufficient. They want to know who is watching the alerts at 2 AM.
The $422,000 average claim severity also changes the financial calculus. For a business with $15M in revenue, a single ransomware incident now represents roughly 3% of annual revenue in direct costs, before accounting for lost business, reputational damage, and the premium increase that follows a claim. Investing in 24/7 MDR looks very different when you compare it against that exposure.
Questions to Ask Your IT Provider This Week
If you’re running EDR without 24/7 managed response, you’re in the same position as 60% of Akira’s victims. These questions will help you assess your actual coverage:
1. Who responds to our EDR alerts outside business hours?
If the answer is “they queue until morning” or “we get an email notification,” you have the same gap that Akira exploits. The correct answer includes a specific team, defined response times (under 15 minutes for critical alerts), and the authority to isolate compromised endpoints without waiting for your approval.
2. When was the last time our network appliances were patched?
Ask for a specific date and firmware version on your VPN, firewall, and remote access gateways. If your provider can’t answer immediately, your patching cadence probably isn’t keeping pace with the vulnerabilities Akira exploits.
3. What’s our mean time to contain a confirmed threat?
This metric separates real MDR from checkbox compliance. Industry benchmarks for effective MDR are under 30 minutes from alert to containment. If your provider doesn’t track this metric, they probably aren’t providing true managed response.
4. Can you show us a sample alert investigation from the past month?
Ask for a real example: what triggered the alert, what the analyst did to investigate, and what action was taken. This tells you whether your provider’s SOC is actively working your environment or just forwarding vendor alerts.
5. If Akira compromised our VPN appliance tonight, what would happen?
Walk through the scenario. Would the initial access generate an alert? Who would see it? How quickly would they respond? What containment actions would they take? If your provider can’t walk through this scenario with specifics, they aren’t prepared for the most active ransomware group in the world.
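The detection vs. response gap described above, and the mean-time-to-contain metric from question 3, are easiest to see when you measure them from your own alert history. The following Python script is an added example, not code from the original post, from At-Bay, or from any EDR or MDR vendor: it takes a few constructed alert records (when the alert fired, when an analyst acknowledged it, when the host was isolated), flags breaches of the article's 15-minute response and 30-minute containment thresholds, and splits mean time to contain by business hours versus off-hours. The business-hours window (Monday to Friday, 08:00 to 18:00) and the sample records are assumptions made for the example.

```python
"""Measure the "alert generated" to "human responds" gap.

Constructed example, added for illustration: it is not At-Bay's data and not
any vendor's tooling. A few made-up EDR alert records carry when the alert
fired, when an analyst acknowledged it and when the host was isolated. The
code flags alerts that breached the response SLA, splits them by business
hours versus off-hours, and computes mean time to contain.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Thresholds taken from the article: under 15 minutes to respond to a
# critical alert, under 30 minutes from alert to containment.
RESPONSE_SLA = timedelta(minutes=15)
CONTAIN_SLA = timedelta(minutes=30)

# Assumed business hours for the example: Monday-Friday, 08:00-18:00 local.
BUSINESS_START, BUSINESS_END = 8, 18


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    fired: datetime
    acknowledged: Optional[datetime]  # None: nobody ever looked at it
    contained: Optional[datetime]     # None: host was never isolated


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def minutes_between(start: datetime, end: Optional[datetime]) -> Optional[float]:
    """Elapsed minutes, or None when the later event never happened."""
    return None if end is None else (end - start).total_seconds() / 60


def assess_alert(a: Alert) -> dict:
    """Per-alert finding: gaps in minutes and whether each SLA was breached."""
    respond = minutes_between(a.fired, a.acknowledged)
    contain = minutes_between(a.fired, a.contained)
    return {
        "alert_id": a.alert_id,
        "host": a.host,
        "off_hours": is_off_hours(a.fired),
        "respond_minutes": respond,
        "contain_minutes": contain,
        # An alert nobody acknowledged is a breach, not "no data".
        "response_sla_breached": a.severity == "critical"
        and (respond is None or respond > RESPONSE_SLA.total_seconds() / 60),
        "contain_sla_breached": contain is None
        or contain > CONTAIN_SLA.total_seconds() / 60,
    }


def mean_time_to_contain(alerts: list) -> dict:
    """Mean time to contain in minutes, overall and split by window.

    Alerts that were never contained are left out of the mean (they would
    make it infinite); assess_alert() reports them as breaches instead.
    """
    buckets = {"business_hours": [], "off_hours": []}
    for a in alerts:
        contain = minutes_between(a.fired, a.contained)
        if contain is not None:
            key = "off_hours" if is_off_hours(a.fired) else "business_hours"
            buckets[key].append(contain)
    everything = buckets["business_hours"] + buckets["off_hours"]
    return {
        "overall": mean(everything) if everything else None,
        "business_hours": mean(buckets["business_hours"]) if buckets["business_hours"] else None,
        "off_hours": mean(buckets["off_hours"]) if buckets["off_hours"] else None,
    }


# Constructed alert records (not real telemetry). In June 2025 the 10th is a
# Tuesday, the 13th a Friday and the 14th a Saturday.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-finance-07", "critical", datetime(2025, 6, 10, 14, 2),
          datetime(2025, 6, 10, 14, 6), datetime(2025, 6, 10, 14, 20)),
    Alert("A-2", "fs-01", "critical", datetime(2025, 6, 13, 23, 5),
          datetime(2025, 6, 16, 8, 12), datetime(2025, 6, 16, 8, 25)),
    Alert("A-3", "dc-02", "critical", datetime(2025, 6, 14, 3, 30), None, None),
    Alert("A-4", "ws-sales-12", "medium", datetime(2025, 6, 11, 10, 15),
          datetime(2025, 6, 11, 10, 40), datetime(2025, 6, 11, 10, 52)),
]


def report(alerts: list = SAMPLE_ALERTS) -> tuple:
    """Findings for every alert plus the mean-time-to-contain summary."""
    return [assess_alert(a) for a in alerts], mean_time_to_contain(alerts)


if __name__ == "__main__":
    findings, mttc = report()
    for f in findings:
        print(f)
    print("mean time to contain (minutes):", mttc)
```

On the sample data the two business-hours alerts are contained in 18 and 37 minutes, while the Friday-night alert waits until Monday morning (3,440 minutes) and the Saturday alert is never acknowledged at all. The overall mean is dominated by the one unattended weekend alert, which is why the split by window is the number to ask a provider for: a good business-hours average says nothing about the gap Akira times its encryption for.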
These are the same questions we work through with businesses evaluating whether their current security posture matches the threat environment they actually face. The living-off-the-land attack patterns we covered previously show a similar gap between detection and response. The Akira data confirms it with insurance-grade evidence.
Need Help Closing the EDR-to-MDR Gap?
Our team can assess your current endpoint coverage, identify response gaps, and implement 24/7 managed detection that actually stops ransomware from completing.
What to Do Next
The At-Bay report eliminates the debate about whether EDR alone is enough. The claims data answered it: EDR alone fails against the most active ransomware group 60% of the time. Here’s where to start:
Audit your current monitoring coverage. Confirm whether your EDR deployment includes 24/7 human response or just software generating alerts. If alerts queue overnight, you have the same gap Akira exploits.
Check your network appliance firmware. Pull the current firmware version on every VPN, firewall, and remote access device. Cross-reference against vendor advisories published in the past 90 days. Patch anything that’s behind.
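The firmware check above is mechanical enough to script once the inventory and the advisories are in a structured form. The following Python script is an added example, not code from the original post or from any appliance vendor: it compares each device's firmware against advisories published in the last 90 days and lists what is behind, internet-exposed devices and critical advisories first. Every product name, advisory id and version number in it is constructed (none is a real CVE or real firmware), and it assumes dotted numeric version strings and non-nested release branches. It goes slightly beyond the paragraph by handling the per-branch fix problem: vendors usually ship separate fixed builds for each maintained branch, so a naive "is my version newer than the fixed version" comparison can report a device as patched when it is not.

```python
"""Cross-reference edge-appliance firmware against recent vendor advisories.

Constructed example, added for illustration: the inventory, the advisories,
the product names, the advisory ids and the version numbers are all made up.
It implements the check the article asks for: take the firmware version of
every VPN, firewall and remote access device, compare it with advisories
published in the last 90 days, and list what is behind, exposed devices first.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def parse_version(v: str) -> tuple:
    """'7.2.10' -> (7, 2, 10). Tuples compare numerically; plain strings do
    not ('7.2.10' < '7.2.9' as text). Assumes dotted numeric versions."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Appliance:
    name: str
    product: str           # constructed product line name
    firmware: str
    internet_exposed: bool


@dataclass
class Advisory:
    advisory_id: str       # placeholder id, not a real CVE
    product: str
    fixed_in: dict         # release branch -> first fixed version on that branch
    published: date
    severity: str


def fixed_version_for(firmware: str, fixed_in: dict) -> Optional[str]:
    """Pick the fix that applies to the device's release branch.

    Comparing 7.2.3 against a 7.0.x fix would wrongly report it as patched,
    so match on the branch prefix first. A branch with no entry is treated
    as not affected. Assumes branches do not nest (no "7" and "7.2" keys).
    """
    fw = parse_version(firmware)
    for branch, fixed in fixed_in.items():
        prefix = parse_version(branch)
        if fw[: len(prefix)] == prefix:
            return fixed
    return None


def is_behind(appliance: Appliance, advisory: Advisory) -> bool:
    """True when the device runs firmware older than the fix for its branch."""
    if appliance.product != advisory.product:
        return False
    fixed = fixed_version_for(appliance.firmware, advisory.fixed_in)
    return fixed is not None and parse_version(appliance.firmware) < parse_version(fixed)


def find_unpatched(appliances: list, advisories: list, today: date, window_days: int = 90) -> list:
    """Every (appliance, advisory) pair that still needs a patch, limited to
    advisories published within window_days, exposed devices first."""
    cutoff = today - timedelta(days=window_days)
    hits = []
    for app in appliances:
        for adv in advisories:
            if adv.published >= cutoff and is_behind(app, adv):
                hits.append({
                    "appliance": app.name, "firmware": app.firmware,
                    "advisory": adv.advisory_id, "severity": adv.severity,
                    "fixed_in": fixed_version_for(app.firmware, adv.fixed_in),
                    "internet_exposed": app.internet_exposed,
                })
    # Internet-facing devices with critical advisories go to the top of the patch list.
    hits.sort(key=lambda h: (not h["internet_exposed"], h["severity"] != "critical", h["appliance"]))
    return hits


# Constructed data: made-up products, ids, versions and dates.
AS_OF = date(2025, 6, 20)
SAMPLE_ADVISORIES = [
    Advisory("ADV-EX-001", "ExampleVPN", {"7.0": "7.0.15", "7.2": "7.2.8"}, date(2025, 5, 2), "critical"),
    Advisory("ADV-EX-002", "ExampleFW", {"6.5": "6.5.4"}, date(2025, 2, 1), "high"),  # older than 90 days
    Advisory("ADV-EX-003", "ExampleGW", {"12": "12.3"}, date(2025, 6, 15), "high"),
]
SAMPLE_APPLIANCES = [
    Appliance("vpn-hq", "ExampleVPN", "7.2.3", True),      # newer than the 7.0 fix, older than the 7.2 fix
    Appliance("vpn-branch", "ExampleVPN", "7.0.15", True),  # exactly the fixed build
    Appliance("fw-edge", "ExampleFW", "6.5.2", True),       # behind, but advisory is outside the window
    Appliance("gw-remote", "ExampleGW", "12.1", False),
    Appliance("vpn-lab", "ExampleVPN", "7.4.1", False),     # branch not listed: treated as unaffected
]


if __name__ == "__main__":
    for hit in find_unpatched(SAMPLE_APPLIANCES, SAMPLE_ADVISORIES, AS_OF):
        print(hit)
```

Run as-is it lists vpn-hq (exposed, critical) ahead of gw-remote (internal). The fw-edge device is genuinely behind but its advisory is older than 90 days, so it only appears when the window is widened; in practice the 90-day window is where to start, not where to stop, since a device that missed an advisory last year is still exploitable this year.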
Review your insurance policy’s monitoring requirements. Check whether your carrier requires 24/7 SOC coverage for full ransomware coverage. If it does and you don’t have it, you may be paying premiums for a policy that won’t pay claims.
Get a straight answer from your IT provider. Use the five questions above. The answers will tell you whether you’re protected or whether you have the same gap that produced a $422,000 average claim last year.
If you want help evaluating your current posture or building a monitoring strategy that satisfies both the threat data and your carrier’s requirements, reach out to our team at 800-985-1365. We work with businesses across Texas and Oklahoma to close exactly this gap.