1 in 3 Ransomware Claims Started with SonicWall in 2025 as VPN Attacks Nearly Double in Two Years
At-Bay released its 2026 InsurSec Report, revealing that ransomware has entered a new phase of infrastructure-driven exploitation. Based on an analysis of more than 6,500 claims and 100,000 policy years, the report shows that nearly 3 in 4 ransomware attacks (73%) started with a VPN in 2025, a share that nearly doubled in just two years. SonicWall was the most targeted VPN for the first time, accounting for 1 in 3 ransomware claims (27%). Akira ransomware was the primary force behind this surge, representing more than 40% of all ransomware claims — the highest concentration of a single strain At-Bay has ever recorded. The group achieved this dominance through the systematic exploitation of SonicWall appliances, which were present in 86% of Akira’s attacks. During this campaign, Akira ransom demands averaged $1.2M, outpacing other groups by 50%.
“In 2025, we saw something we’ve never seen before – one ransomware group heavily exploiting a single device type and dominating nearly half of all ransomware claims,” said Adam Tyra, Chief Information Security Officer for Customers at At-Bay. “The data suggests a decisive shift. This group didn’t select victims based on who they were. Instead, they focused on companies where their preferred tactics would have the most impact. The single biggest determinant of your ransomware risk last year wasn’t your industry, your size, or even your security budget. It was whether you operated a specific type of network appliance. This approach enabled attackers to move with industrial efficiency, rapidly exploiting victims of all sizes and across all industries.”
Other key findings from the report:
- Remote access tools drove 87% of all ransomware claims, with the average ransomware severity climbing 16% to $508K. Small businesses took the hardest hit. Companies with under $25M in revenue saw ransomware frequency jump 21% and severity surge 40% year-over-year to $422K — the steepest increase of any segment. Across all incident types, these small organizations saw a 26% increase in overall claim severity, signaling that the financial floor for cyber attacks is rising across the board.
- Having endpoint security isn’t enough. More than half (60%) of Akira’s victims had a leading Endpoint Detection & Response (EDR) solution in place and were still compromised. The only businesses that avoided full ransomware encryption had their EDR backed by 24/7 monitoring via Managed Detection & Response (MDR), making human-monitored detection the critical last line of defense against today’s ransomware.
- Beyond the initial attack, total loss severity is increasing due to secondary factors. Third-party liability saw the highest jump of any incident type, increasing 70% year-over-year as an aggressive plaintiffs’ bar drives a surge in privacy-related class action lawsuits. Simultaneously, ransomware claims involving business interruption were 3X more severe on average, with 1 in 10 victims facing operational downtime exceeding 30 days.
- Financial fraud remained the most frequent incident type, accounting for 30% of all claims, with the average amount stolen rising 16% to $285K and the single largest theft hitting $9.7M. At-Bay’s Claims team recovered $56M in stolen funds, but speed is critical. Policyholders who notified At-Bay within three days recovered funds 70% of the time, whereas those who waited more than 30 days recovered funds just 27% of the time.
- Ransom demands approached $1M on average, but most were never paid. Across all ransomware incidents, attackers walked away empty-handed 68% of the time, and when companies did pay, final payments came in 62% below initial demands, saving policyholders $91M in ransoms.
“Cyber criminals are moving at unprecedented speed and scale, but resilience is possible. What consistently made the difference between a crisis and a nuisance in 2025 was detection and response technologies coupled with human-led vigilance. It’s a strong reminder as we move into the AI age, that even the best security tools still need skilled professionals to operate them,” added Tyra.
To download the full report and learn how organizations can better protect themselves from cybercrime, visit: 2026 InsurSec Report.

