[{"data":1,"prerenderedAt":126},["ShallowReactive",2],{"article-slug-ransomware-trends-report-shows-shift-to-vpn-infrastructure-exploitation":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":37,"mitre_techniques":38,"mitre_mitigations":54,"d3fend_countermeasures":82,"iocs":94,"cyber_observables":95,"tags":112,"extract_datetime":116,"article_type":117,"impact_scope":118,"pub_date":124,"reading_time_minutes":125,"createdAt":116,"updatedAt":116},"62f74ab1-a764-4364-aac1-0002a5ca5ab8","ransomware-trends-report-shows-shift-to-vpn-infrastructure-exploitation","Ransomware Shifts to Infrastructure: 73% of Attacks Exploit VPNs, At-Bay Reports","Akira Ransomware Dominates as Attackers Increasingly Target VPNs and Core Infrastructure, New Report Finds","A new report from cyber insurance provider At-Bay reveals a dramatic shift in ransomware tactics, with attackers increasingly targeting core infrastructure like Virtual Private Networks (VPNs). The report, based on over 6,500 claims, found that a staggering 73% of ransomware incidents in 2025 were initiated through a compromised VPN, a figure that has nearly doubled in two years. The Akira ransomware group was a major driver of this trend, accounting for over 40% of claims in At-Bay's dataset and heavily targeting SonicWall VPN appliances. The average ransom demand from Akira was $1.2 million, 50% higher than other groups. 
The report also highlights that smaller businesses were disproportionately affected and that technical controls like EDR alone were often insufficient, emphasizing the need for 24/7 managed detection and response (MDR).","## Executive Summary\n\nA 2026 report from cyber insurance provider **At-Bay** highlights a significant evolution in ransomware tactics, with threat actors moving away from phishing and focusing on the direct exploitation of core network infrastructure. The analysis, based on thousands of insurance claims, reveals that 73% of all ransomware incidents in 2025 began with the compromise of a Virtual Private Network (VPN). The **[Akira](https://malpedia.caad.fkie.fraunhofer.de/actor/akira)** ransomware group was the primary catalyst for this trend, responsible for over 40% of claims and showing a strong preference for exploiting **[SonicWall](https://www.sonicwall.com/)** VPN appliances. The report underscores that traditional defenses are struggling to keep pace; 60% of Akira's victims had an Endpoint Detection and Response (EDR) solution deployed, yet were still compromised, pointing to the critical need for continuous monitoring and response capabilities.\n\n---\n\n## Threat Overview\n\nThe At-Bay report signals a strategic shift in the ransomware ecosystem. Instead of relying on user interaction (e.g., clicking a malicious link), ransomware groups like **Akira** are adopting a more direct, infrastructure-led approach. 
This method is more efficient, scalable, and often bypasses user-centric security controls.\n\n### Key Findings:\n*   **VPNs as the Primary Vector**: 73% of ransomware attacks started with a VPN compromise, nearly doubling in two years.\n*   **Akira's Dominance**: The Akira ransomware group was responsible for over 40% of claims in the dataset.\n*   **SonicWall Under Fire**: **SonicWall** VPN appliances were the most targeted technology, present in 86% of Akira-related attacks and 27% of all ransomware incidents.\n*   **High Ransom Demands**: Akira's average ransom demand was $1.2 million, 50% higher than the average for other groups.\n*   **Small Businesses at Risk**: Businesses with under $25 million in revenue saw a 21% increase in attack frequency and a 40% rise in severity.\n\nThis data indicates that ransomware has become a game of exploiting unpatched, internet-facing infrastructure. Groups like Akira systematically scan the internet for vulnerable devices and exploit them for initial access.\n\n## Technical Analysis\n\nAttacks targeting VPNs typically fall into two categories:\n1.  **Exploitation of Vulnerabilities**: Attackers use exploits for known CVEs in VPN appliances (like those from **SonicWall**, Fortinet, or Ivanti) to gain initial access. This is a highly effective method as many organizations are slow to patch these critical edge devices.\n2.  **Credential Stuffing/Brute Force**: Attackers use stolen or weak credentials to log into VPN accounts that are not protected by multi-factor authentication (MFA).\n\nOnce inside, **Akira** and similar groups follow a standard ransomware playbook: escalate privileges, move laterally, exfiltrate sensitive data for double extortion, and finally, deploy the ransomware payload to encrypt systems.\n\nThe report's finding that 60% of victims had EDR is significant. It suggests that attackers are either using techniques to bypass or disable EDR, or that the EDR alerts were not acted upon quickly enough. 
This is where the value of a 24/7 Managed Detection and Response (MDR) service becomes apparent, as it provides the human element to investigate and respond to alerts around the clock.\n\n### MITRE ATT&CK Mapping\n*   **Initial Access**: [`T1190 - Exploit Public-Facing Application`](https://attack.mitre.org/techniques/T1190/), [`T1133 - External Remote Services`](https://attack.mitre.org/techniques/T1133/)\n*   **Execution**: [`T1059.001 - PowerShell`](https://attack.mitre.org/techniques/T1059/001/)\n*   **Persistence**: [`T1078 - Valid Accounts`](https://attack.mitre.org/techniques/T1078/)\n*   **Lateral Movement**: [`T1021.002 - SMB/Windows Admin Shares`](https://attack.mitre.org/techniques/T1021/002/)\n*   **Exfiltration**: [`T1041 - Exfiltration Over C2 Channel`](https://attack.mitre.org/techniques/T1041/)\n*   **Impact**: [`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/)\n\n## Impact Assessment\n\nThe business impact of these infrastructure-led attacks is severe. The average cost for smaller businesses reached $422,000, a figure that can be existential. The shift to targeting core infrastructure means that attacks can be more disruptive, potentially taking down entire networks rather than just individual machines. The high ransom demands from groups like **Akira** put immense financial pressure on victims. 
Furthermore, the double extortion tactic of exfiltrating data before encryption adds the costs of data breach notification, credit monitoring, and reputational damage to the recovery equation.\n\n## IOCs — Directly from Articles\n\nNo specific Indicators of Compromise were provided in the report summary.\n\n## Cyber Observables — Hunting Hints\n\nSecurity teams should focus on hunting for signs of VPN compromise:\n\n| Type | Value/Pattern | Context / Where to look |\n| :--- | :--- | :--- |\n| Log Source | VPN Server Logs | Look for multiple failed logins followed by a success from a single IP, successful logins from unusual countries, or multiple accounts logging in from the same IP. |\n| Network Traffic Pattern | Data flow from VPN user subnets to sensitive servers (e.g., Domain Controllers) using protocols other than what is expected (e.g., RDP, SMB). | Network flow data (NetFlow/sFlow), IDS/IPS logs. |\n| Process Name | `powershell.exe`, `psexec.exe`, `wmic.exe` | Monitor for these processes being executed by the VPN service account or on systems shortly after a VPN login. | \n| URL Pattern | `/api/ssl-vpn/` | Monitor web logs on SonicWall devices for anomalous requests or exploit attempts against the SSL-VPN portal. |\n\n## Detection & Response\n\n1.  **VPN Log Monitoring**: Ingest VPN authentication logs into a SIEM. Create alerts for impossible travel (e.g., logins from different continents in a short time), logins outside of business hours, and brute force attempts.\n2.  **Network Baselining**: Baseline normal traffic patterns for VPN users. Alert on deviations, such as a VPN user account suddenly accessing a large number of file shares or connecting to servers they don't normally use.\n3.  **EDR/MDR**: As the report highlights, EDR is necessary but not sufficient. Alerts must be investigated 24/7. 
An MDR service or a well-staffed internal SOC is crucial to catch attackers in the early stages of lateral movement before they can deploy ransomware.\n\n## Mitigation\n\n*   **Patch Management**: Prioritize patching of all internet-facing devices, especially VPNs, firewalls, and remote access gateways. Subscribe to vendor security advisories and treat vulnerabilities in these devices as critical.\n*   **Multi-Factor Authentication (MFA)**: Enforce MFA on all VPN connections. This is the single most effective control against credential-based attacks.\n*   **Network Segmentation**: Segment the network to prevent attackers who gain a foothold via VPN from immediately accessing the entire internal network. VPN users should be placed in a restricted network segment with limited access.\n*   **Least Privilege**: Grant VPN users access only to the specific resources they need to do their jobs. Avoid providing broad network access.\n*   **EDR + MDR**: Combine endpoint protection with 24/7 managed detection and response to ensure that alerts are triaged and acted upon immediately.\n\n**D3FEND Techniques**:\n*   [`D3-MFA: Multi-factor Authentication`](https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication): The most critical defense for VPNs.\n*   [`D3-SU: Software Update`](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate): Essential for closing the vulnerabilities that groups like Akira exploit.\n*   [`D3-NI: Network Isolation`](https://d3fend.mitre.org/technique/d3f:NetworkIsolation): Use network segmentation to contain the blast radius of a VPN compromise.","🚨 Ransomware tactics are shifting! A new report finds 73% of attacks now start with a VPN compromise. The Akira group is leading the charge, targeting SonicWall devices. MFA and patching are more critical than ever. #Ransomware #Akira #VPN","A new report from At-Bay shows a massive shift in ransomware tactics, with 73% of attacks exploiting VPNs. 
The Akira ransomware group is a dominant force, targeting SonicWall appliances. Learn how to defend your infrastructure.",[13,14,15],"Ransomware","Threat Intelligence","Vulnerability","high",[18,21,25],{"name":19,"type":20},"At-Bay","company",{"name":22,"type":23,"url":24},"Akira","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/akira",{"name":26,"type":27,"url":28},"SonicWall","vendor","https://www.sonicwall.com",[],[31],{"url":32,"title":33,"date":34,"friendly_name":35,"website":36},"https://www.reinsurancene.ws/ransomware-is-shifting-towards-infrastructure-led-exploitation-at-bay-reports/","Ransomware is shifting towards infrastructure-led exploitation, At-Bay reports","2026-04-22","Reinsurance News","reinsurancene.ws",[],[39,43,46,50],{"id":40,"name":41,"tactic":42},"T1190","Exploit Public-Facing Application","Initial Access",{"id":44,"name":45,"tactic":42},"T1133","External Remote Services",{"id":47,"name":48,"tactic":49},"T1021.002","SMB/Windows Admin Shares","Lateral Movement",{"id":51,"name":52,"tactic":53},"T1486","Data Encrypted for Impact","Impact",[55,64,73],{"id":56,"name":57,"d3fend_techniques":58,"description":62,"domain":63},"M1032","Multi-factor Authentication",[59],{"id":60,"name":57,"url":61},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Enforcing MFA on all VPN connections is the most critical defense against credential-based attacks.","enterprise",{"id":65,"name":66,"d3fend_techniques":67,"description":72,"domain":63},"M1051","Update Software",[68],{"id":69,"name":70,"url":71},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","Aggressively patch internet-facing infrastructure like SonicWall VPNs to close known vulnerabilities.",{"id":74,"name":75,"d3fend_techniques":76,"description":81,"domain":63},"M1030","Network Segmentation",[77],{"id":78,"name":79,"url":80},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Isolate VPN user 
traffic into a restricted zone to limit the blast radius of a compromised session.",[83,85,88],{"technique_id":60,"technique_name":57,"url":61,"recommendation":84,"mitre_mitigation_id":56},"The At-Bay report confirms that VPNs are the primary entry point for ransomware. The single most effective countermeasure is to enforce phishing-resistant Multi-factor Authentication (MFA) on all remote access solutions, including SonicWall VPNs. This is not optional. Standard username/password combinations are insufficient against credential stuffing and other password-based attacks. Organizations should prioritize the rollout of MFA using methods like FIDO2/WebAuthn hardware tokens, which are resistant to phishing, or at a minimum, authenticator apps. This single control would have prevented a large percentage of the credential-based VPN compromises that lead to ransomware events. The implementation should be comprehensive, covering not just standard users but also administrative accounts, service accounts, and third-party contractors with VPN access.",{"technique_id":78,"technique_name":79,"url":80,"recommendation":86,"mitre_mitigation_id":87},"Assuming a VPN compromise will eventually happen, Network Isolation (or segmentation) is the next critical defense. Instead of granting VPN users broad access to the entire corporate network, their sessions should terminate in a highly restricted 'DMZ-like' zone. From this zone, firewall rules should explicitly whitelist access only to the specific servers and applications that the user role requires. All other traffic, especially broad network scanning and access to critical infrastructure like Domain Controllers or backup servers, should be denied by default. This containment strategy severely limits an attacker's ability to perform reconnaissance and move laterally after gaining an initial foothold via a compromised VPN account. 
It turns a potential network-wide disaster into a contained security incident.","M1035",{"technique_id":89,"technique_name":90,"url":91,"recommendation":92,"mitre_mitigation_id":93},"D3-UGLPA","User Geolocation Logon Pattern Analysis","https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis","To detect compromised VPN credentials, security teams should implement User Geolocation Logon Pattern Analysis. This involves ingesting all VPN authentication logs into a SIEM or security analytics platform and enriching them with geolocation data. The system should then build a baseline of normal login locations for each user. High-fidelity alerts should be configured for anomalies, such as: 1) 'Impossible travel,' where a user logs in from two geographically distant locations in a time frame that would be impossible to travel between. 2) Logins from countries where the organization has no employees or business operations. 3) A single IP address being used to attempt logins for multiple different user accounts. 
These patterns are strong indicators of credential stuffing or account sharing and should trigger an automated response, such as forcing a password reset and MFA re-enrollment.","M1040",[],[96,101,106],{"type":97,"value":98,"description":99,"context":100,"confidence":16},"log_source","VPN Authentication Logs","Critical source for detecting brute-force attacks, credential stuffing, and anomalous successful logins.","SIEM, security analytics platforms.",{"type":102,"value":103,"description":104,"context":105,"confidence":16},"network_traffic_pattern","VPN_Subnet -> Internal_Network on port 445/139","Traffic pattern indicating lateral movement using SMB from a compromised VPN session.","Firewall logs, NetFlow data, IDS/IPS alerts.",{"type":107,"value":108,"description":109,"context":110,"confidence":111},"string_pattern","akira","The name of the ransomware group, which may appear in ransom notes, file extensions, or process names.","File integrity monitoring, EDR process monitoring, keyword searches on endpoints.","medium",[13,22,113,26,114,115],"VPN","Threat Report","Cyber Insurance","2026-04-23T15:00:00.000Z","Analysis",{"geographic_scope":119,"industries_affected":120,"other_affected":122},"global",[121],"Other",[123],"Small businesses (under $25M revenue) were disproportionately affected.","2026-04-23",5,1776956883024]