73 Percent of Ransomware Attacks Now Start at Your VPN

· Infonaligy

Insurance data from 100,000 policies shows VPN appliances are now the top ransomware entry point. Specific firewall brands carry outsized risk for SMBs.

Cyber insurance claims data now tells us exactly where ransomware gangs are breaking in. According to At-Bay’s 2026 InsurSec Report, 73% of ransomware attacks in 2025 began with a compromised VPN appliance, nearly double the rate from two years ago. The attackers aren’t scanning the internet at random. They’re selecting targets based on which firewall brand you run.

Ransomware Has Moved from the Inbox to the Network Edge

For years, phishing emails were the primary way ransomware reached a business. That changed fast. The At-Bay report, drawn from over 6,500 claims and 100,000 policy years of data, shows that VPN and remote access appliances have overtaken email as the number-one ransomware entry point.

The mechanics explain why. Your firewall or VPN concentrator sits on the public internet, running its own embedded operating system with its own vulnerabilities. Unlike a laptop that receives Windows updates automatically, these devices require manual firmware updates that many IT teams delay by weeks or months. Every day a critical patch goes unapplied, that appliance is visible to automated scanning tools attackers use to build target lists.

This shift changes what “good security” actually requires. Investing in email filtering and phishing training is still important, but those defenses offer no protection when the attacker’s entry point is a vulnerable firewall that hasn’t been patched in three months.

One Ransomware Gang Is Picking Targets by Firewall Brand

At-Bay’s data reveals something specific and actionable: a single ransomware group, Akira, now accounts for 40% of all SMB cyber insurance claims. That level of concentration is unusual in a ransomware ecosystem normally fragmented across dozens of competing groups. Akira has built an operation efficient enough to dominate the claims data.

The detail that should get your attention is how Akira selects its victims. According to the report, SonicWall appliances were present in 86% of Akira ransomware attacks. That figure is not a market-share artifact. SonicWall has a significant install base among small businesses, but 86% indicates deliberate, targeted exploitation of SonicWall-specific vulnerabilities.

This is what “infrastructure-led exploitation” looks like in practice. Akira doesn’t need to trick your employees into clicking a link. The group scans the internet for organizations running specific appliance firmware versions with known flaws, then exploits those flaws directly. If your SonicWall, Fortinet, or similar edge device is running outdated firmware, your organization may already be on a target list.

We published a detailed advisory on Akira’s tactics when CISA first flagged this group in 2024. The techniques described there have only scaled since then.

EDR Alone Did Not Stop These Attacks

One of the most striking findings in the report: 60% of organizations hit by Akira ransomware had endpoint detection and response (EDR) tools deployed. Those tools are widely considered a baseline security requirement. The attacks still succeeded.

The reason comes down to where EDR operates. Endpoint protection runs on your laptops, servers, and workstations. When an attacker enters through a VPN appliance, they’re already inside the network perimeter before any endpoint agent sees them. The attacker can move laterally, escalate privileges, and begin encrypting systems before the EDR platform generates an alert that anyone acts on.

Organizations that avoided full encryption had one thing in common: they paired EDR with 24/7 managed detection and response. MDR adds a human layer of security analysts monitoring alerts around the clock, investigating suspicious activity, and taking containment actions within minutes. The At-Bay data shows this combination was the dividing line between a contained breach and a six-figure encryption event.

If your organization runs EDR without someone actively monitoring and responding to alerts outside business hours, that protection has a significant gap. We described a similar pattern in our recent post on business email compromise: security tools only work when someone is watching the alerts.

The Financial Impact Hits Smaller Businesses Hardest

The overall average ransomware claim severity in 2025 reached $508,000. For companies with less than $25 million in annual revenue, the average was $422,000, a 40% increase year over year. Claim frequency for that same revenue band jumped 21%.

Those numbers deserve context. A $422,000 ransomware event at a 75-person company doing $15 million in revenue isn’t an inconvenience. It’s potentially a full quarter of annual profit, before accounting for lost productivity, customer notification costs, legal fees, and the weeks of disruption that follow.

The insurance data also contradicts a common assumption. Many business owners believe they’re too small to attract attention from ransomware operators. Automated scanning doesn’t filter by company size. It filters by firmware version. A 50-person firm running an unpatched SonicWall appliance is just as viable a target as a 5,000-person enterprise with the same vulnerability.

Five Steps to Reduce Your VPN Exposure

1. Know What’s Internet-Facing

You can’t protect infrastructure you haven’t inventoried. Have your IT team or managed security provider run an external asset scan to identify every device with a public IP address: firewalls, VPN concentrators, remote desktop gateways, and any other appliance accessible from outside your network. If something is exposed that doesn’t need to be, take it offline.

2. Patch VPN Firmware Within Days, Not Months

Firewall and VPN vendors issue security patches regularly. The window between patch release and active exploitation has collapsed to days in many cases. Treat VPN firmware patches with the same urgency as a critical Windows update. If your patching cadence for network appliances is quarterly, you’re leaving a months-wide window for attackers to walk through.

3. Require MFA for All VPN Connections

A stolen username and password should not be enough to reach your internal network. Enable multi-factor authentication on every VPN connection, using authenticator apps or hardware security keys rather than SMS codes. This single step blocks a significant percentage of credential-based attacks against remote access infrastructure.

4. Layer MDR on Top of EDR

The At-Bay data leaves little room for debate: EDR alone wasn’t enough. If your organization deploys endpoint protection but doesn’t have 24/7 monitoring and response capability, MDR closes that gap. The organizations that avoided catastrophic outcomes had analysts responding at 2 AM on a Saturday, not reviewing alerts on Monday morning.

5. Review Your Cyber Insurance Policy

Ask your broker or carrier specifically about ransomware sublimits, waiting periods, and exclusions related to VPN or remote access security. Some policies now require proof of patching cadence or MFA on remote access as conditions of coverage. Understanding those requirements before you file a claim is far better than discovering an exclusion after the damage is done.
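The first four steps above can be turned into a repeatable check over an external asset-scan export. The following is an added example, not code from the original post or from At-Bay; the inventory records, field names, hostnames and firmware version strings are all constructed for illustration, and the seven-day patch target is an assumed interpretation of "days, not months".

```python
from datetime import date

# Constructed sample export from an external asset scan (hypothetical field
# names; hostnames and firmware versions are invented, not real devices).
INVENTORY = [
    {"host": "vpn-hq", "role": "vpn-concentrator", "fw_running": "4.1.0",
     "fw_fixed": "4.1.2", "fix_released": date(2025, 8, 4), "patched_on": None,
     "mfa": False, "mdr": False, "needed": True},
    {"host": "fw-branch", "role": "firewall", "fw_running": "4.1.2",
     "fw_fixed": "4.1.2", "fix_released": date(2025, 8, 4),
     "patched_on": date(2025, 8, 6), "mfa": True, "mdr": True, "needed": True},
    {"host": "rdgw-legacy", "role": "rd-gateway", "fw_running": "2.0",
     "fw_fixed": "2.0", "fix_released": None, "patched_on": None,
     "mfa": False, "mdr": True, "needed": False},
]

PATCH_SLA_DAYS = 7  # assumed target for "days, not months"


def exposure_days(dev, today):
    """Days the device has run (or ran) vulnerable firmware after a fix shipped."""
    if dev["fix_released"] is None:
        return 0  # no outstanding vendor fix recorded for this device
    if dev["fw_running"] != dev["fw_fixed"]:
        return (today - dev["fix_released"]).days  # still vulnerable today
    patched = dev["patched_on"] or dev["fix_released"]
    return (patched - dev["fix_released"]).days  # window before the patch landed


def assess(dev, today):
    """Return the gaps this device has against steps 1 to 4."""
    gaps = []
    if not dev["needed"]:
        gaps.append("step 1: exposed but not needed; take it offline")
    days = exposure_days(dev, today)
    if days > PATCH_SLA_DAYS:
        gaps.append(f"step 2: firmware fix unapplied for {days} days "
                    f"(target {PATCH_SLA_DAYS})")
    if not dev["mfa"]:
        gaps.append("step 3: no MFA on remote access")
    if not dev["mdr"]:
        gaps.append("step 4: no 24/7 monitoring and response")
    return gaps


def prioritise(inventory, today):
    """Most gaps first; among equals, the longest-exposed device first."""
    scored = [(d["host"], assess(d, today), exposure_days(d, today)) for d in inventory]
    return sorted(scored, key=lambda s: (len(s[1]), s[2]), reverse=True)
```

Run `prioritise(INVENTORY, date.today())` to get a worklist ordered by how many of the four controls each edge device is missing.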

Building a layered security program that covers both endpoints and network infrastructure is what separates companies that recover quickly from those that don’t.

What This Means Going Forward

The At-Bay report confirms what security practitioners have tracked for two years: ransomware gangs have industrialized around infrastructure vulnerabilities. The era of “click the wrong link and get encrypted” is giving way to “run the wrong firmware version and get encrypted.” Defenses have to shift accordingly.

For business owners, the takeaway is concrete. Ask your IT team or provider three questions this week: What VPN and firewall appliances are we running? When was the firmware last updated? Who is watching for suspicious activity on our network at 3 AM? If you don’t get confident answers to all three, you have work to do.