Ransomware Shifts to Infrastructure: 73% of Attacks Exploit VPNs, At-Bay Reports

Akira Ransomware Dominates as Attackers Increasingly Target VPNs and Core Infrastructure, New Report Finds

HIGH
April 23, 2026
5m read
Ransomware, Threat Intelligence, Vulnerability


Executive Summary

A 2026 report from cyber insurance provider At-Bay highlights a significant evolution in ransomware tactics, with threat actors moving away from phishing and focusing on the direct exploitation of core network infrastructure. The analysis, based on thousands of insurance claims, reveals that 73% of all ransomware incidents in 2025 began with the compromise of a Virtual Private Network (VPN). The Akira ransomware group was the primary catalyst for this trend, responsible for over 40% of claims and showing a strong preference for exploiting SonicWall VPN appliances. The report underscores that traditional defenses are struggling to keep pace; 60% of Akira's victims had an Endpoint Detection and Response (EDR) solution deployed, yet were still compromised, pointing to the critical need for continuous monitoring and response capabilities.


Threat Overview

The At-Bay report signals a strategic shift in the ransomware ecosystem. Instead of relying on user interaction (e.g., clicking a malicious link), ransomware groups like Akira are adopting a more direct, infrastructure-led approach. This method is more efficient, scalable, and often bypasses user-centric security controls.

Key Findings:

  • VPNs as the Primary Vector: 73% of ransomware attacks started with a VPN compromise, nearly doubling in two years.
  • Akira's Dominance: The Akira ransomware group was responsible for over 40% of claims in the dataset.
  • SonicWall Under Fire: SonicWall VPN appliances were the most targeted technology, present in 86% of Akira-related attacks and 27% of all ransomware incidents.
  • High Ransom Demands: Akira's average ransom demand was $1.2 million, 50% higher than the average for other groups.
  • Small Businesses at Risk: Businesses with under $25 million in revenue saw a 21% increase in attack frequency and a 40% rise in severity.

This data indicates that ransomware has become a game of exploiting unpatched, internet-facing infrastructure. Groups like Akira systematically scan the internet for vulnerable devices and exploit them for initial access.

Technical Analysis

Attacks targeting VPNs typically fall into two categories:

  1. Exploitation of Vulnerabilities: Attackers use exploits for known CVEs in VPN appliances (like those from SonicWall, Fortinet, or Ivanti) to gain initial access. This is a highly effective method as many organizations are slow to patch these critical edge devices.
  2. Credential Stuffing/Brute Force: Attackers use stolen or weak credentials to log into VPN accounts that are not protected by multi-factor authentication (MFA).

Once inside, Akira and similar groups follow a standard ransomware playbook: escalate privileges, move laterally, exfiltrate sensitive data for double extortion, and finally, deploy the ransomware payload to encrypt systems.

The report's finding that 60% of Akira victims had EDR deployed is significant. Part of the explanation is structural: the VPN appliance itself runs no EDR agent, so the initial access leaves no endpoint telemetry at all, and the first thing an EDR can see is post-exploitation activity on an internal host. From that point on, either the attackers are using techniques to bypass or disable the agent, or the alerts it raised were not acted upon quickly enough. This is where round-the-clock detection and response matters, whether delivered by a 24/7 Managed Detection and Response (MDR) service or an in-house SOC: someone has to investigate and act on the alerts while the intrusion is still in its early stages.

Impact Assessment

The business impact of these infrastructure-led attacks is severe. The average cost for smaller businesses reached $422,000, a figure that can be existential. The shift to targeting core infrastructure means that attacks can be more disruptive, potentially taking down entire networks rather than just individual machines. The high ransom demands from groups like Akira put immense financial pressure on victims. Furthermore, the double extortion tactic of exfiltrating data before encryption adds the costs of data breach notification, credit monitoring, and reputational damage to the recovery equation.

IOCs — Directly from Articles

No specific Indicators of Compromise were provided in the report summary.

Cyber Observables — Hunting Hints

Security teams should focus on hunting for signs of VPN compromise:

  • Type: Log Source. Value/Pattern: VPN server authentication logs. Context / Where to look: multiple failed logins followed by a success from a single IP, successful logins from unusual countries, or multiple accounts logging in from the same IP.
  • Type: Network Traffic Pattern. Value/Pattern: data flowing from VPN user subnets to sensitive servers (e.g., Domain Controllers) over protocols that role does not normally use, such as RDP or SMB. Context / Where to look: network flow data (NetFlow/sFlow), IDS/IPS logs.
  • Type: Process Name. Value/Pattern: powershell.exe, psexec.exe, wmic.exe. Context / Where to look: these processes being executed by the VPN service account, or on systems shortly after a VPN login.
  • Type: URL Pattern. Value/Pattern: /api/ssl-vpn/. Context / Where to look: web logs on SonicWall devices, for anomalous requests or exploit attempts against the SSL-VPN portal.

Detection & Response

  1. VPN Log Monitoring: Ingest VPN authentication logs into a SIEM. Create alerts for impossible travel (e.g., logins from different continents in a short time), logins outside of business hours, and brute force attempts.
  2. Network Baselining: Baseline normal traffic patterns for VPN users. Alert on deviations, such as a VPN user account suddenly accessing a large number of file shares or connecting to servers they don't normally use.
  3. EDR/MDR: As the report highlights, EDR is necessary but not sufficient. Alerts must be investigated 24/7. An MDR service or a well-staffed internal SOC is crucial to catch attackers in the early stages of lateral movement before they can deploy ransomware.

Mitigation

  • Patch Management: Prioritize patching of all internet-facing devices, especially VPNs, firewalls, and remote access gateways. Subscribe to vendor security advisories and treat vulnerabilities in these devices as critical.
  • Multi-Factor Authentication (MFA): Enforce MFA on all VPN connections. This is the single most effective control against credential-based attacks. It does not stop exploitation of the appliance itself (category 1 above), so it complements patching rather than replacing it.
  • Network Segmentation: Segment the network to prevent attackers who gain a foothold via VPN from immediately accessing the entire internal network. VPN users should be placed in a restricted network segment with limited access.
  • Least Privilege: Grant VPN users access only to the specific resources they need to do their jobs. Avoid providing broad network access.
  • EDR + MDR: Combine endpoint protection with 24/7 managed detection and response to ensure that alerts are triaged and acted upon immediately.

Timeline of Events

April 23, 2026: This article was published

MITRE ATT&CK Mitigations

  • Enforcing MFA on all VPN connections is the most critical defense against credential-based attacks.
  • Aggressively patch internet-facing infrastructure like SonicWall VPNs to close known vulnerabilities.
  • Isolate VPN user traffic into a restricted zone to limit the blast radius of a compromised session.

D3FEND Defensive Countermeasures

The At-Bay report confirms that VPNs are the primary entry point for ransomware. The single most effective countermeasure against the credential-based share of those intrusions is to enforce phishing-resistant Multi-factor Authentication (MFA) on all remote access solutions, including SonicWall VPNs. This is not optional. Standard username/password combinations are insufficient against credential stuffing and other password-based attacks. Organizations should prioritize the rollout of MFA using methods like FIDO2/WebAuthn hardware tokens, which are resistant to phishing, or at a minimum, authenticator apps. This single control would have blocked a large share of the credential-based VPN compromises that lead to ransomware events; it does nothing against exploitation of an unpatched appliance, which is why it must be paired with the patching discipline described above. The implementation should be comprehensive, covering not just standard users but also administrative accounts, service accounts, and third-party contractors with VPN access.

Assuming a VPN compromise will eventually happen, Network Isolation (or segmentation) is the next critical defense. Instead of granting VPN users broad access to the entire corporate network, their sessions should terminate in a highly restricted 'DMZ-like' zone. From this zone, firewall rules should explicitly allow-list access only to the specific servers and applications that the user's role requires. All other traffic, especially broad network scanning and access to critical infrastructure like Domain Controllers or backup servers, should be denied by default. This containment strategy severely limits an attacker's ability to perform reconnaissance and move laterally after gaining an initial foothold via a compromised VPN account. It turns a potential network-wide disaster into a contained security incident.
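The policy described above, together with the Network Baselining step in Detection & Response and the segmentation and least-privilege items under Mitigation, is shown here as an added example that is not the article's or At-Bay's code. It expresses a default-deny, role-scoped allow list for the VPN landing zone, lints it for rules that would point into a protected subnet, and replays constructed flow records against it to find the deny events and the scanning pattern a SIEM should alert on. The subnets, roles, ports and flows are all assumptions for illustration.

```python
"""Added example (not the article's or At-Bay's code): a default-deny,
role-scoped policy for the VPN landing zone, checked for holes and then
evaluated against constructed flow records.  Subnets, roles, ports and
flows are all assumptions for illustration."""
from ipaddress import ip_address, ip_network

# Assumed address plan.
VPN_ZONE = ip_network("10.200.0.0/16")          # where VPN sessions terminate
DOMAIN_CONTROLLERS = ip_network("10.1.10.0/24")
BACKUP_SERVERS = ip_network("10.1.20.0/24")
FILE_SERVERS = ip_network("10.1.30.0/24")
WEB_APPS = ip_network("10.1.40.0/24")
ADMIN_JUMP = ip_network("10.1.50.5/32")

# Per-role allow list of (destination network, protocol, destination port).
# Anything not listed is denied; that default is what keeps a hijacked
# session away from the DCs, the backup servers and SMB/RDP on everything.
ALLOW = {
    "staff": [(WEB_APPS, "tcp", 443), (FILE_SERVERS, "tcp", 445)],
    "helpdesk": [(WEB_APPS, "tcp", 443), (FILE_SERVERS, "tcp", 445),
                 (FILE_SERVERS, "tcp", 3389)],
    # Admins reach the DCs only through the jump host, never directly.
    "admin": [(WEB_APPS, "tcp", 443), (ADMIN_JUMP, "tcp", 3389)],
}
# Subnets no allow rule may ever point into, whatever the role.
PROTECTED = [DOMAIN_CONTROLLERS, BACKUP_SERVERS]


def validate_policy(allow=ALLOW, protected=PROTECTED):
    """Return allow rules that would quietly punch a hole into a protected subnet."""
    bad = []
    for role, rules in allow.items():
        for net, proto, port in rules:
            if any(net.overlaps(p) for p in protected):
                bad.append((role, str(net), proto, port))
    return bad


def decide(role, src, dst, proto, port, allow=ALLOW):
    """Policy decision for one flow: 'allow', 'deny', or 'not-vpn' if the
    source is outside the VPN zone (this policy governs only VPN egress)."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in VPN_ZONE:
        return "not-vpn"
    for net, p, prt in allow.get(role, []):
        if dst in net and proto == p and port == prt:
            return "allow"
    return "deny"


# Constructed flow records, as a collector would export them from
# NetFlow/sFlow joined with the VPN session table: (role, src, dst, proto, port).
FLOWS = [
    ("staff", "10.200.3.14", "10.1.40.8", "tcp", 443),     # normal web app use
    ("staff", "10.200.3.14", "10.1.30.2", "tcp", 445),     # normal file share
    ("staff", "10.200.3.14", "10.1.10.7", "tcp", 445),     # SMB to a DC: deny
    ("staff", "10.200.3.14", "10.1.20.3", "tcp", 3389),    # RDP to a backup server: deny
    ("helpdesk", "10.200.7.2", "10.1.30.2", "tcp", 3389),  # RDP to a file server: helpdesk may
    ("admin", "10.200.9.1", "10.1.50.5", "tcp", 3389),     # jump host: allow
    ("admin", "10.200.9.1", "10.1.10.7", "tcp", 389),      # LDAP straight to a DC: deny
]


def denied_flows(flows=FLOWS):
    """Flows the SIEM should alert on: VPN-zone traffic the policy rejects."""
    return [f for f in flows if decide(*f) == "deny"]


def recon_candidates(flows=FLOWS, min_denied_dsts=2):
    """VPN addresses that hit several different off-policy destinations,
    the signature of a compromised session scanning for targets."""
    dsts = {}
    for role, src, dst, proto, port in flows:
        if decide(role, src, dst, proto, port) == "deny":
            dsts.setdefault(src, set()).add(dst)
    return sorted(s for s, d in dsts.items() if len(d) >= min_denied_dsts)


if __name__ == "__main__":
    assert validate_policy() == [], validate_policy()
    for f in denied_flows():
        print("DENY", f)
    print("probable recon from:", recon_candidates())
```

Enforcement still lives on the firewall between the VPN zone and the core; the point of expressing the same policy in code is that it can be linted before deployment (validate_policy catches an allow rule that overlaps a protected subnet) and that flow exports can be replayed against it, so a deny-hit from a VPN address is an alert rather than a silently dropped packet.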

To detect compromised VPN credentials, security teams should implement User Geolocation Logon Pattern Analysis. This involves ingesting all VPN authentication logs into a SIEM or security analytics platform and enriching them with geolocation data. The system should then build a baseline of normal login locations for each user. High-fidelity alerts should be configured for anomalies, such as: 1) 'Impossible travel,' where a user logs in from two geographically distant locations in a time frame that would be impossible to travel between. 2) Logins from countries where the organization has no employees or business operations. 3) A single IP address being used to attempt logins for multiple different user accounts. These patterns are strong indicators of credential stuffing or account sharing and should trigger an automated response, such as terminating the active VPN session, forcing a password reset and requiring MFA re-enrollment.
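The three patterns above, together with the VPN Log Monitoring step in Detection & Response and the Log Source row of the hunting hints, are implemented here as an added example that is not the article's or At-Bay's code. The log line format, the IP-to-coordinate table standing in for a GeoIP lookup, and the thresholds are all assumptions; the log lines are constructed. It flags a brute-force run that ends in a success, an impossible-travel pair of logins, and a source IP that tries many distinct accounts.

```python
"""Added example (not the article's or At-Bay's code): hunting rules over
VPN authentication logs.  The "ts user ip result" format, the geolocation
table and the thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log lines in an assumed "ts user ip result" format.
SAMPLE_LOG = """\
2026-04-20T08:00:05Z alice 203.0.113.10 FAIL
2026-04-20T08:00:07Z alice 203.0.113.10 FAIL
2026-04-20T08:00:09Z alice 203.0.113.10 FAIL
2026-04-20T08:00:11Z alice 203.0.113.10 FAIL
2026-04-20T08:00:13Z alice 203.0.113.10 FAIL
2026-04-20T08:00:15Z alice 203.0.113.10 SUCCESS
2026-04-20T08:10:00Z bob 198.51.100.7 SUCCESS
2026-04-20T08:40:00Z bob 192.0.2.44 SUCCESS
2026-04-20T09:00:00Z carol 203.0.113.10 FAIL
2026-04-20T09:00:01Z dave 203.0.113.10 FAIL
2026-04-20T09:00:02Z erin 203.0.113.10 FAIL
2026-04-20T09:30:00Z frank 198.51.100.8 SUCCESS
"""

# Constructed (lat, lon) table standing in for a GeoIP enrichment step.
GEO = {
    "203.0.113.10": (52.52, 13.40),    # Berlin
    "198.51.100.7": (40.71, -74.01),   # New York
    "192.0.2.44": (35.68, 139.69),     # Tokyo
    "198.51.100.8": (40.73, -73.99),   # New York
}

FAILS_BEFORE_SUCCESS = 5             # assumed thresholds; tune to your baseline
FAIL_WINDOW = timedelta(minutes=10)
DISTINCT_USERS_PER_IP = 3
MAX_PLAUSIBLE_KMH = 1000             # roughly airliner speed; faster is not one person


def parse(log_text):
    """Parse the assumed format into (timestamp, user, ip, result) tuples, time-ordered."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def brute_force_then_success(events):
    """Brute force that worked: N failures for one user from one IP inside
    the window, then a success for that same user from that IP."""
    alerts = []
    recent = defaultdict(list)           # (user, ip) -> failure timestamps
    for ts, user, ip, result in events:
        key = (user, ip)
        window = [t for t in recent[key] if ts - t <= FAIL_WINDOW]
        if result == "FAIL":
            window.append(ts)
            recent[key] = window
        else:
            if len(window) >= FAILS_BEFORE_SUCCESS:
                alerts.append((user, ip))
            recent[key] = []
    return alerts


def impossible_travel(events):
    """Two successes for one user whose implied speed is physically impossible."""
    alerts = []
    last = {}                            # user -> (ts, ip) of the previous success
    for ts, user, ip, result in events:
        if result != "SUCCESS" or ip not in GEO:
            continue
        if user in last:
            prev_ts, prev_ip = last[user]
            km = haversine_km(GEO[prev_ip], GEO[ip])
            hours = (ts - prev_ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((user, prev_ip, ip))
        last[user] = (ts, ip)
    return alerts


def credential_stuffing_ips(events):
    """Source IPs that tried many distinct accounts (stuffing or spraying)."""
    users_by_ip = defaultdict(set)
    for _ts, user, ip, _result in events:
        users_by_ip[ip].add(user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= DISTINCT_USERS_PER_IP)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute force then success:", brute_force_then_success(ev))
    print("impossible travel:", impossible_travel(ev))
    print("many accounts from one IP:", credential_stuffing_ips(ev))
```

In a SIEM these three rules become saved searches or correlation rules over the same fields; the thresholds above are deliberately low so the constructed sample trips them, and a real deployment should set them from the observed baseline so that a shared office NAT address or a travelling user does not page the on-call analyst.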

Sources & References

Ransomware is shifting towards infrastructure-led exploitation, At-Bay reports
Reinsurance News (reinsurancene.ws) April 22, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Akira, VPN, SonicWall, Threat Report, Cyber Insurance
