Ransomware economics are being rewritten at the network edge as attackers trade spearphishing for mass exploitation of VPNs and firewalls that expose thousands of identical entry points overnight. That pivot has reshaped risk selection, raised loss severity for smaller firms, and concentrated claims around the same appliances and crews—turning technical commonality into correlated market exposure.
A sweeping body of recent claims data showed ransomware entering an infrastructure-driven phase. Nearly 73% of 2025 ransomware attacks started with a VPN, almost doubling in two years. The market no longer priced risk primarily by industry or size; it followed stack and configuration, where attackers found scale and repeatability.
Market Context and Purpose
This analysis assessed how edge appliances became the dominant entry vector and why that shift mattered for pricing, capacity, and controls. The focus was not on isolated anecdotes but on patterns visible across more than six thousand cyber claims spanning broad policy exposure.
Two dynamics stood out. First, concentration accelerated: a single ransomware crew accounted for nearly half of cyber claims, with Akira alone tied to more than 40% of ransomware incidents. Second, device homogeneity amplified loss clustering, as the same weaknesses appeared across many insureds at once.
Structural Shift in Entry Vectors
Ransomware operators moved from phishing and brute-force RDP toward internet-scale scanning and automated exploitation of perimeter devices. VPNs and firewalls offered uniform interfaces, high uptime, and privileged pathways into networks, letting attackers operationalize a single technique across thousands of targets.
Brand-level targeting made that strategy even more efficient. SonicWall surfaced most often—present in 86% of Akira incidents and implicated in 27% of ransomware claims. Early campaigns linked to CVE-2024-40766; later waves leaned on credential reuse, including on patched Gen 7 devices, proving that patching without credential hygiene left material residual risk.
The implication for buyers and brokers was immediate: edge security posture, not general awareness training, now governed the probability of initial access. Patching cadence, MFA on VPNs, admin path review, and credential rotation after remediation emerged as decisive gating factors for loss frequency.
Concentration and Severity Economics
Concentration transformed severity. Akira’s average demand hovered around $1.2 million, above peers, while overall claim severity rose 16% to $508,000. Small businesses absorbed the sharpest blow, with frequency up 21% and severity up 40% to $422,000—an imbalance reflecting thinner staffing, slower detection, and fewer 24/7 responders.
Business interruption became the key driver of outsized costs. Appliance-led intrusions moved quickly into core systems, tripling average interruption losses and spiking third-party liability severity by 70%. Yet disciplined response still changed outcomes: ransom payments were avoided in 68% of cases, and when paid, settlements averaged 62% below initial demands.
Wire fraud remained the most common incident at 30% of claims, and speed mattered. Recoveries reached $56 million overall, with up to 70% claw-back when notified within three days. That timeline advantage carried over to ransomware containment, tilting negotiations and shortening downtime before restoration.
Underwriting and Controls Outlook
Underwriting shifted toward stack-aware, device-centric views. Rather than price by vertical, carriers scored VPN/firewall brands, versions, external exposure, and MFA status, then modeled correlated loss from appliance-specific exploits. Portfolio limits increasingly reflected the installed base of a few high-risk devices.
On the control side, EDR alone proved insufficient. Sixty percent of Akira victims had leading EDR and were still compromised. Only environments pairing EDR with 24/7 MDR—armed with containment authority and active threat hunting—consistently avoided full encryption. This aligned with known EDR evasion tradecraft and underscored the premium on outcome-centric detection.
Regulatory pressure tracked the same fault lines. Expect tighter requirements on perimeter logging, MFA, patch timelines, and incident reporting windows, with emphasis on credential resets after patching and default hardening for appliances widely deployed in SMEs and mid-market firms.
Strategic Implications and Next Moves
The findings pointed to a market that priced and mitigated ransomware based on edge uniformity rather than sector identity. Risk leaders who prioritized MFA on VPNs, disabled weak auth, restricted split tunneling, rotated credentials after fixes, and reviewed admin access paths curtailed entry. Those who added 24/7 MDR with tested playbooks for VPN-initiated intrusions reduced dwell time and avoided encryption. For smaller organizations, subsidized MDR and MFA closed the steepest gaps. Rapid notification practices—measured in hours, not days—preserved negotiation leverage and boosted wire fraud recovery.
Taken together, the market adjusted to a more correlated threat surface, where a single crew and a single device family could sway portfolio results. The playbook for resilience was straightforward: measure and manage the edge that attackers automate, invest in outcome-centric detection, and turn speed into savings.
