Ransomware Groups Shift Focus to VPN Infrastructure in Targeted Attack Strategy

By: Morgan Cipher, Senior Privacy Journalist

Last updated: April 28, 2026

  • Cybercriminals now prioritize technology infrastructure over traditional industry-based targeting methods.

  • A 2026 report reveals that VPN vulnerabilities accounted for 73% of ransomware incidents in 2025.

  • SonicWall products accounted for over 27% of ransomware-related claims, with the Akira group demanding an average of $1.2 million per attack.

Ransomware operators have changed their game plan. They no longer hunt victims based solely on industry or company size. Attackers now zero in on the specific technology that keeps organizations running, especially the network appliances businesses depend on daily.

At-Bay, a California-based cyber insurance provider, just released its 2026 InsurSec Report. The findings paint a concerning picture. Threat actors increasingly target organizations running Virtual Private Networks with known security gaps.

Companies install VPNs to secure remote access, yet these same tools now serve as one of the most vulnerable entry points when organizations fail to maintain or update them properly.

VPN Exploits Dominate Ransomware Landscape

The report analyzes data from more than 6,500 insurance claims and draws insights from over 100,000 policies. The numbers tell a clear story. Nearly three out of every four ransomware incidents in 2025, approximately 73%, stemmed from attacks exploiting VPN systems. Cybercriminals have deliberately pivoted toward targeting specific technologies rather than casting wide nets for random victims.

“This represents a fundamental shift in how threat actors operate,” the report states. “Rather than scanning broadly for vulnerable organizations, attackers now conduct reconnaissance on the infrastructure itself.”

SonicWall products bore the brunt of these infrastructure-focused attacks. The firm’s VPN solutions accounted for over 27% of ransomware-related claims, making them the most frequently targeted platform.

The Akira ransomware group emerged as one of the primary threat actors taking advantage of SonicWall appliances throughout the campaign.

While enterprise VPNs face scrutiny as attack vectors, consumer-focused VPNs continue to evolve. Firefox has introduced a free browser-based VPN, giving users an accessible way to protect their online privacy without the enterprise-level risks associated with poorly configured corporate VPN infrastructure.

The financial stakes have climbed dramatically. Akira operators demand an average of $1.2 million per attack, among the highest ransom figures security researchers have observed. These steep demands reflect both the growing boldness of cybercriminals and the critical nature of the systems they compromise.

Credential Reuse Fuels Successful Breaches

Arctic Wolf, a leading cybersecurity firm, identified Gen7 firewalls as among the most frequently compromised devices in these targeted campaigns. The company’s research team tracked multiple intrusion patterns across affected networks.

SonicWall addressed the findings directly. The company clarified that sophisticated zero-day vulnerabilities did not cause many of these breaches. Instead, attackers succeeded through credential reuse—a problem rooted in poor password hygiene and inadequate access controls.

“Organizations often underestimate how password reuse creates cascading vulnerabilities across their infrastructure,” security analysts noted in the report. “Attackers exploit these weak authentication practices to gain initial access, then move laterally through networks.”

The infrastructure-driven approach allows ransomware groups to scale their operations efficiently. Once attackers identify vulnerabilities in specific VPN models or firewall versions, they can scan the internet for organizations running the same technology. This method proves far more effective than traditional spray-and-pray tactics.

Defending Against Infrastructure-Targeted Attacks

The report’s findings carry important implications for organizational security strategies. Generic cybersecurity measures no longer provide adequate protection. Organizations must adopt proactive approaches to managing and securing their specific technology stacks.

Security teams should prioritize regular updates for all network appliances, particularly VPNs and firewalls. Many successful attacks exploited vulnerabilities that vendors had already patched. Companies simply failed to apply these critical updates in time.

Strong authentication practices form another essential defense layer. Organizations must eliminate credential reuse across their systems. Multi-factor authentication should become mandatory for all remote access points, not just recommended.

Continuous monitoring also plays a crucial role. Security teams need visibility into their network infrastructure to detect unusual access patterns or unauthorized configuration changes. Early detection often means the difference between a contained incident and a full-scale ransomware deployment.

The shift toward infrastructure-based targeting shows no signs of slowing. Ransomware operators have found a profitable strategy that allows them to identify and exploit victims systematically. Organizations that fail to secure their network infrastructure will continue facing elevated risks.

The At-Bay report delivers a clear message: cybersecurity teams must understand not just general threats, but the specific vulnerabilities present in their technology environments. The days of one-size-fits-all security approaches have ended. Success now requires detailed knowledge of infrastructure weaknesses and deliberate action to address them before attackers strike.

About the Author

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.
