Ransomware is shifting towards infrastructure-led exploitation, At-Bay reports

At-Bay, a U.S.-based InsurSec provider of cyber insurance and risk management services, has reported in its 2026 Insurance Security Report that ransomware campaigns are increasingly shaped by the exploitation of core infrastructure.

According to At-Bay’s analysis of more than 6,500 claims and more than 100,000 policy years, 73% of ransomware incidents in 2025 began with a VPN compromise, a number that At-Bay noted has nearly doubled in two years.

At-Bay also reported that for the first time, SonicWall devices were the most commonly targeted VPN technology, appearing in 27% of the ransomware-related claims it analyzed.

At-Bay identifies the Akira ransomware group as a major driver of this trend and says the group accounts for more than 40% of ransomware claims in its data set, the highest concentration At-Bay has recorded for a single strain.

According to At-Bay, SonicWall devices were involved in 86% of Akira-related attacks. At-Bay further reported that the average ransom demand associated with Akira during this campaign reached $1.2 million, approximately 50% higher than the ransom demands associated with other groups in the findings.

Among broader ransomware cases, 87% of claims involved remote access tools, while the average severity increased by 16% to $508,000, At-Bay said.

At-Bay stressed that smaller organizations were disproportionately affected. According to At-Bay, for businesses with less than $25 million in revenue, ransomware frequency increased by 21% year-on-year and severity increased by 40% year-on-year to an average of $422,000. At-Bay also reported a 26% increase in overall claims severity in this segment across all incident types, indicating rising baseline cyber loss levels.

At-Bay’s report also noted that technical security controls alone do not consistently prevent breaches. At-Bay said 60% of Akira victims deployed endpoint detection and response (EDR) solutions but were still affected.

However, At-Bay reports that organizations that avoid full encryption often combine EDR with 24/7 managed detection and response (MDR), emphasizing that continuous monitoring is a key factor in limiting damage.

At-Bay reports that in addition to the initial intrusion, secondary impacts contributed significantly to total losses. According to At-Bay, third-party liability claims are up 70% year-on-year, while ransomware-related business interruption losses are three times higher on average, with one in 10 victims experiencing downtime of more than 30 days.

At-Bay also reports that financial fraud remains the most common incident type, accounting for 30% of all claims in its data set. According to At-Bay, the average amount stolen increased by 16% to $285,000, with the largest single theft amounting to $9.7 million. At-Bay said its claims team has recovered a total of $56 million in stolen funds, and that reporting speed had a significant impact on the results: Organizations that notified At-Bay within three days recovered funds 70 percent of the time, compared with only 27 percent for organizations that waited more than 30 days.

Finally, At-Bay reports that in ransomware incidents, attackers fail to secure payment 68% of the time. At-Bay notes that when payments are made, final settlement amounts are on average 62% lower than the initial ransom demand, resulting in an estimated $91 million in avoided ransom payments.

Adam Tyra, Customer Chief Information Security Officer at At-Bay, commented: “In 2025, we are seeing something we have never seen before – one ransomware group heavily leveraging a single device type and dominating nearly half of all ransomware claims.”

“The data shows a decisive shift. The organization is not selecting victims based on their identity. Instead, they are focusing on companies where their preferred tactics will have the greatest impact. The biggest determinant of ransomware risk last year was not your industry, your size, or even your security budget. It was whether you operated a specific type of network device. This approach allowed attackers to operate with industrial efficiency, quickly exploiting victims of all sizes and across all industries.”

Tyra further added: “Cybercriminals are operating at unprecedented speed and scale, but resilience is possible. In 2025, detection and response technology combined with human-led vigilance will always be the difference between a crisis and a nuisance. As we enter the age of artificial intelligence, this is a strong reminder that even the best security tools still require skilled professionals to operate.”
