Ransomware hackers are now targeting victims with an infrastructure-driven approach


Cyberattacks have long evolved in waves, with ransomware groups historically choosing their victims based on industry type or company size. Financial institutions, healthcare providers, and large enterprises were often prime targets due to their ability to pay hefty ransoms.

However, a new trend is emerging that signals a shift in attacker strategy. Instead of focusing solely on who the victim is, cybercriminals are now paying closer attention to the technology infrastructure organizations rely on—particularly the network appliances that keep businesses connected.

A recent 2026 InsurSec Report released by At-Bay, a California-based cyber insurance provider, highlights this growing concern. According to the study, attackers are increasingly targeting organizations that use Virtual Private Networks (VPNs) with known vulnerabilities. VPNs, which are designed to secure remote access, have ironically become one of the weakest entry points when not properly maintained or updated.

The report draws on a substantial dataset, including more than 6,500 insurance claims and insights from over 100,000 policies. Its findings are striking: nearly three out of every four ransomware incidents in 2025—about 73%—were linked to attacks exploiting VPN systems. This indicates a clear and deliberate pivot by threat actors toward exploiting specific technologies rather than broadly scanning for victims.

Among the most affected products were those offered by SonicWall. The company’s VPN solutions accounted for over 27% of ransomware-related claims, placing them at the top of the list in terms of targeted platforms. A major contributor to these attacks was the ransomware group Akira, which was identified as one of the most active threat actors exploiting SonicWall appliances.

What makes this trend even more alarming is the scale of ransom demands. The Akira group, in particular, has been reported to demand an average of $1.2 million per attack—one of the highest figures observed among ransomware operators. This reflects both the increasing confidence of cybercriminals and the critical importance of the systems they are targeting.

Further insights come from cybersecurity firm Arctic Wolf, which identified that Gen7 firewalls were among the most frequently compromised devices in these campaigns. In response, SonicWall clarified that many of these breaches resulted not from sophisticated zero-day vulnerabilities but from credential reuse, an issue stemming from poor password hygiene and a lack of proper access controls.

Overall, the findings underscore a critical lesson for organizations: cybersecurity is no longer just about defending against generic threats. It requires a proactive approach to managing and securing the specific technologies in use. Regular updates, strong authentication practices, and continuous monitoring are now essential to staying ahead in an increasingly targeted threat landscape.
