A single ransomware crew exploiting a single brand of firewall is now driving nearly half of all cyber insurance claims, At-Bay has warned, in a finding that recasts how underwriters and brokers should be thinking about risk selection.
The cyber carrier's 2026 InsurSec Report, drawn from more than 6,500 claims and 100,000 policy years, concluded that ransomware has entered an infrastructure-driven phase.
Attackers, it said, are no longer hunting by industry or company size but by the network appliances their targets happen to run.
Nearly three in four ransomware attacks, or 73%, began with a VPN in 2025 — a share that has almost doubled in two years.
SonicWall topped the list of most-targeted VPNs for the first time, linked to 27% of ransomware claims. Akira alone accounted for more than 40%, the highest concentration of a single strain on At-Bay's books, with SonicWall appliances present in 86% of its attacks.
The group's ransom demands averaged $1.2 million, half again as much as its rivals.
The SonicWall thread is well worn. The vendor disclosed CVE-2024-40766, a SonicOS access-control flaw, in August 2024, and it has since been tied to a wave of Akira intrusions.
Cybersecurity firm Arctic Wolf reported a fresh surge through mid-2025, even on patched Gen 7 firewalls – activity SonicWall later pinned largely on credential reuse from earlier compromises, rather than a new zero-day.
Adam Tyra, At-Bay's chief information security officer for customers, said the picture was unusually stark: one group, he noted, was "heavily exploiting a single device type and dominating nearly half of all ransomware claims."
Severity is climbing, and small businesses are wearing it. Average ransomware claim severity rose 16% to $508,000, while companies under $25 million in revenue saw frequency jump 21% and severity surge 40% to $422,000.
Third-party liability severity, driven by privacy class actions, leapt 70%. Business interruption claims were three times more severe on average.
The most uncomfortable finding for buyers may be this: 60% of Akira victims had a leading endpoint detection and response tool deployed, and were breached anyway. Only firms pairing EDR with round-the-clock managed detection and response escaped full encryption.
The gap is no secret in security circles. CISA has long warned that ransomware crews routinely deploy tools built to disable EDR agents, while research outfit Lumu has flagged the technology's reliance on known signatures as a structural weakness.
At-Bay itself said in earlier commentary that more than half of cyber insurance claims over a recent two-year window could have been blunted or stopped with MDR in place.
Financial fraud, still the most common incident type at 30% of claims, saw average theft rise 16% to $285,000, with one loss hitting $9.7 million. At-Bay recovered $56 million, with claw-back rates reaching 70% when notified within three days.
Ransom payments were dodged 68% of the time, and where paid, final figures came in 62% below initial demands.