Reinsurance News

Ransomware is shifting towards infrastructure-led exploitation, At-Bay reports

22nd April 2026 - Author: Taylor Mixides

At-Bay, a US-based InsurSec provider offering cyber insurance and risk management services, reports in its 2026 InsurSec Report that ransomware activity is increasingly shaped by the exploitation of core infrastructure.

According to At-Bay’s analysis of more than 6,500 claims and over 100,000 policy years, 73% of ransomware incidents in 2025 began with VPN compromise, a figure At-Bay notes has nearly doubled within two years.

At-Bay also reports that SonicWall appliances were the most frequently targeted VPN technology for the first time, appearing in 27% of ransomware-related claims it analysed.

At-Bay identifies the Akira ransomware group as the dominant driver of this trend, stating that it accounted for more than 40% of ransomware claims in its dataset, the highest concentration of a single strain recorded by At-Bay.

According to At-Bay, SonicWall devices were present in 86% of Akira-related attacks. At-Bay further reports that during this campaign, average ransom demands linked to Akira reached $1.2 million, around 50% higher than those associated with other groups in its findings.

Across ransomware cases more broadly, At-Bay states that remote access tools were involved in 87% of claims, while average severity increased by 16% to $508k.

At-Bay highlights that smaller organisations were disproportionately affected. According to At-Bay, businesses with under $25 million in revenue experienced a 21% increase in ransomware frequency and a 40% rise in severity year-on-year, reaching an average of $422K. At-Bay also reports that across all incident types, this segment saw a 26% increase in overall claim severity, indicating rising baseline cyber loss levels.

At-Bay’s report also notes that technical security controls alone did not consistently prevent compromise. At-Bay states that 60% of Akira victims had endpoint detection and response (EDR) solutions deployed but were still impacted.

However, At-Bay reports that organisations which avoided full encryption typically combined EDR with 24/7 managed detection and response (MDR), highlighting continuous monitoring as a key factor in limiting damage.

Beyond initial intrusion, At-Bay reports that secondary impacts contributed significantly to total losses. According to At-Bay, third-party liability claims increased by 70% year-on-year, while ransomware-related business interruption losses were on average three times higher, with 1 in 10 victims experiencing downtime exceeding 30 days.

At-Bay also reports that financial fraud remained the most common incident type, accounting for 30% of all claims in its dataset. According to At-Bay, the average stolen amount increased by 16% to $285k, with the largest single theft reaching $9.7 million. At-Bay states that its claims team recovered $56 million in stolen funds overall, and that reporting speed materially affected outcomes: organisations notifying At-Bay within three days recovered funds 70% of the time, compared with 27% for those waiting more than 30 days.

Finally, At-Bay reports that across ransomware incidents, attackers failed to secure payment in 68% of cases. Where payments were made, At-Bay notes that final settlements were on average 62% below initial ransom demands, resulting in an estimated $91M in avoided ransom payments.

“In 2025, we saw something we’ve never seen before – one ransomware group heavily exploiting a single device type and dominating nearly half of all ransomware claims,” commented Adam Tyra, Chief Information Security Officer for Customers at At-Bay.

“The data suggests a decisive shift. This group didn’t select victims based on who they were. Instead, they focused on companies where their preferred tactics would have the most impact. The single biggest determinant of your ransomware risk last year wasn’t your industry, your size, or even your security budget. It was whether you operated a specific type of network appliance. This approach enabled attackers to move with industrial efficiency, rapidly exploiting victims of all sizes and across all industries.”

“Cyber criminals are moving at unprecedented speed and scale, but resilience is possible. What consistently made the difference between a crisis and a nuisance in 2025 was detection and response technologies coupled with human-led vigilance. It’s a strong reminder as we move into the AI age, that even the best security tools still need skilled professionals to operate them,” further added Tyra.