Release Date: April 22, 2026
New At-Bay Research Documents a 40% Surge in Ransomware Severity for Small Businesses as Attackers Shift to Industrialized, Infrastructure-Driven Campaigns
KEY NEWS HIGHLIGHTS
- VPNs accounted for 73% of all ransomware attacks in 2025, up from 38% just two years prior. Combined with RDP, 87% of all ransomware claims were triggered by these remote access tools.
- Akira ransomware dominated more than 40% of all ransomware claims, the highest concentration of a single strain At-Bay has ever recorded, with ransom demands 50% higher on average.
- Average ransom demands reached a near $1M in 2025, yet attackers walked away empty-handed 68% of the time — and when companies did pay, final payments came in 62% below initial demands.
SAN FRANCISCO, April 22, 2026: At-Bay, the InsurSec provider for the digital age, today released its 2026 InsurSec Report, revealing that ransomware has entered a new phase of infrastructure-driven exploitation. Based on an analysis of more than 6,500 claims and 100,000 policy years, the report shows that nearly 3 in 4 ransomware attacks (73%) started with a VPN in 2025, a share that nearly doubled in just two years. SonicWall was the most targeted VPN for the first time, accounting for 1 in 3 ransomware claims (27%). Akira ransomware was the primary force behind this surge, representing more than 40% of all ransomware claims — the highest concentration of a single strain At-Bay has ever recorded. The group achieved this dominance through the systematic exploitation of SonicWall appliances, which were present in 86% of Akira’s attacks. During this campaign, Akira ransom demands averaged $1.2M, outpacing other groups by 50%.
“In 2025, we saw something we’ve never seen before – one ransomware group heavily exploiting a single device type and dominating nearly half of all ransomware claims,” said Adam Tyra, Chief Information Security Officer for Customers at At-Bay. “The data suggests a decisive shift. This group didn’t select victims based on who they were. Instead, they focused on companies where their preferred tactics would have the most impact. The single biggest determinant of your ransomware risk last year wasn’t your industry, your size, or even your security budget. It was whether you operated a specific type of network appliance. This approach enabled attackers to move with industrial efficiency, rapidly exploiting victims of all sizes and across all industries.”
Other key findings from the report:
- Remote access tools drove 87% of all ransomware claims, with the average ransomware severity climbing 16% to $508K. Small businesses took the hardest hit. Companies with under $25M in revenue saw ransomware frequency jump 21% and severity surge 40% year-over-year to $422K — the steepest increase of any segment. Across all incident types, these small organizations saw a 26% increase in overall claim severity, signaling that the financial floor for cyber attacks is rising across the board.
- Having endpoint security isn’t enough. More than half (60%) of Akira’s victims had a leading Endpoint Detection & Response (EDR) solution in place and were still compromised. The only businesses that avoided full ransomware encryption had their EDR backed by 24/7 monitoring via Managed Detection & Response (MDR), making human-monitored detection the critical last line of defense against today’s ransomware.
- Beyond the initial attack, total loss severity is increasing due to secondary factors. Third-party liability saw the highest jump of any incident type, increasing 70% year-over-year as an aggressive plaintiffs’ bar drives a surge in privacy-related class action lawsuits. Simultaneously, ransomware claims involving business interruption were 3X more severe on average, with 1 in 10 victims facing operational downtime exceeding 30 days.
- Financial fraud remained the most frequent incident type, accounting for 30% of all claims, with the average amount stolen rising 16% to $285K and the single largest theft hitting $9.7M. At-Bay’s Claims team recovered $56M in stolen funds, but speed is critical. Policyholders who notified At-Bay within three days recovered funds 70% of the time, whereas those who waited more than 30 days recovered funds just 27% of the time.
- Ransom demands approached $1M on average, but most were never paid. Across all ransomware incidents, attackers walked away empty-handed 68% of the time and when companies did pay, final payments came in 62% below initial demands, saving policyholders $91M in ransoms.
“Cyber criminals are moving at unprecedented speed and scale, but resilience is possible. What consistently made the difference between a crisis and a nuisance in 2025 was detection and response technologies coupled with human-led vigilance. It’s a strong reminder as we move into the AI age, that even the best security tools still need skilled professionals to operate them,” added Tyra.
To download the full report and learn how organizations can better protect themselves from cybercrime, visit: 2026 InsurSec Report.
Additional Resources:
About At-Bay
At-Bay is the InsurSec provider for the digital age. By combining world-class technology with industry-leading insurance, At-Bay was designed from the ground up to empower businesses of every size to meet cyber risk head-on. At-Bay Insurance Services, LLC provides insurance protection and security prevention solutions to close to 40,000 businesses in the US, safeguarding up to $800B in collective business revenue, and offers coverage by non-admitted insurers for Cyber, Technology Errors & Omissions (Tech E&O), and Miscellaneous Professional Liability (MPL). As a security company, At-Bay offers proprietary security solutions including At-Bay Stance Managed Detection & Response (MDR).
Michael Lowe, Head of Marketing