At-Bay (insured organizations using Cisco/Citrix VPN devices)

Organizations using Cisco or Citrix VPN devices were 6.8 times more likely to suffer a ransomware attack between January 2024 and March 2025, per At-Bay’s 2025 *InsurSec Report*. The report, based on 100,000+ policy years of cyber claims data, highlights that 80% of ransomware attacks on insured firms began via remote access tools, with 83% of those cases exploiting VPN devices. The complexity of on-premise VPN appliances combining firewall, router, and proxy functions created expanded attack surfaces, leading to missed patches, outdated configurations, and successful breaches. Attackers leveraged these vulnerabilities to encrypt critical data, disrupt operations, and demand ransoms, with some cases involving Akira ransomware (which saw a 300% surge in Q3 2025 via compromised SonicWall devices). While no specific financial losses or data types were detailed, the systemic exploitation of VPN flaws resulted in operational outages, financial demands, and potential exposure of sensitive corporate or customer data, aligning with patterns where ransomware threatens organizational continuity.

Source: https://www.theregister.com/2025/10/28/cisco_citrix_vpn_ransomware/

TPRM report: https://www.rankiteo.com/company/at-bay

{
  "id": "at-4162641102925",
  "linkid": "at-bay",
  "type": "Ransomware",
  "date": "1/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': 'Primarily US (At-Bay’s customer base)',
                        'name': 'Unspecified organizations using Cisco VPN',
                        'type': ['enterprise', 'SMB']},
                       {'location': 'Primarily US',
                        'name': 'Unspecified organizations using Citrix VPN',
                        'type': ['enterprise', 'SMB']},
                       {'location': 'Primarily US',
                        'name': 'Unspecified organizations using SonicWall VPN',
                        'type': ['enterprise', 'SMB']},
                       {'customers_affected': '<5% (cloud backup breach)',
                        'industry': 'cybersecurity',
                        'location': 'Global',
                        'name': 'SonicWall (vendor)',
                        'type': 'vendor'}],
 'attack_vector': ['exploit of VPN vulnerabilities (e.g., CVE-2024-40766)',
                   'weak credentials',
                   'misconfigured VPN appliances',
                   'lack of MFA/EDR',
                   'remote access tool abuse'],
 'customer_advisories': ['Cisco and Citrix users advised to audit VPN '
                         'configurations.',
                         'SonicWall customers warned of Akira ransomware '
                         'targeting unpatched devices.'],
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Likely (Akira ransomware modus '
                                      'operandi)'},
 'date_detected': '2024-01-01',
 'date_publicly_disclosed': '2025-04-01',
 'description': 'Organizations using Cisco and Citrix VPN devices were 6.8 '
                'times more likely to suffer ransomware attacks between '
                'January 2024 and March 2025, according to At-Bay’s 2025 '
                'InsurSec Report. The report highlights that 80% of ransomware '
                'attacks on insured companies began with remote access tools, '
                'with 83% involving VPN devices. Complexity, missed patches, '
                'and outdated configurations in on-premise VPN appliances '
                '(including Cisco, Citrix, SonicWall, Palo Alto, and Fortinet) '
                'were cited as key risk factors. SonicWall devices saw a 300% '
                'increase in Akira ransomware attacks in Q3 2025, linked to '
                'weak credentials, lack of updates, and misconfigurations '
                '(e.g., CVE-2024-40766). At-Bay recommends transitioning to '
                'cloud-based SASE solutions or ensuring rigorous maintenance '
                'for on-premise systems.',
 'impact': {'brand_reputation_impact': 'potential reputational damage for '
                                       'affected organizations and VPN vendors',
            'operational_impact': 'increased ransomware claims (6.8X for '
                                  'Cisco/Citrix, 5.8X for SonicWall, etc.)',
            'systems_affected': ['Cisco VPN appliances',
                                 'Citrix VPN appliances',
                                 'SonicWall VPN/firewall devices',
                                 'Palo Alto GlobalProtect VPN',
                                 'Fortinet VPN']},
 'initial_access_broker': {'backdoors_established': 'Likely (Akira’s '
                                                    'post-exploitation '
                                                    'tactics)',
                           'data_sold_on_dark_web': 'Possible (stolen VPN '
                                                    'credentials/configs)',
                           'entry_point': ['VPN appliances (Cisco, Citrix, '
                                           'SonicWall)',
                                           'compromised credentials',
                                           'unpatched vulnerabilities (e.g., '
                                           'CVE-2024-40766)'],
                           'high_value_targets': ['configuration backups '
                                                  '(SonicWall breach)',
                                                  'internal network access via '
                                                  'VPN']},
 'investigation_status': 'Ongoing (At-Bay analysis; SonicWall breach '
                         'investigation unresolved)',
 'lessons_learned': ['On-premise VPN appliances (Cisco, Citrix, SonicWall) are '
                     'high-risk due to complexity and maintenance challenges.',
                     '80% of ransomware attacks start with remote access '
                     'tools, with VPNs being the dominant vector (83%).',
                     'Cloud-based SASE solutions significantly reduce attack '
                     'surface compared to traditional VPNs.',
                     'Continuous maintenance, patching, and configuration '
                     'management are critical for on-premise systems.',
                     'Vendor breaches (e.g., SonicWall’s cloud backup '
                     'incident) can indirectly amplify attack risks.'],
 'motivation': 'financial gain (ransomware demands)',
 'post_incident_analysis': {'corrective_actions': ['Migrate to SASE/zero-trust '
                                                   'models.',
                                                   'Automate patch deployment '
                                                   'for VPN devices.',
                                                   'Enforce least-privilege '
                                                   'access and network '
                                                   'segmentation.',
                                                   'Monitor for anomalous VPN '
                                                   'traffic (e.g., At-Bay’s '
                                                   'MDR services).',
                                                   'Audit third-party vendor '
                                                   'security (e.g., '
                                                   'SonicWall’s incident '
                                                   'response).'],
                            'root_causes': ['Complexity of on-premise VPN '
                                            'appliances leading to '
                                            'misconfigurations.',
                                            'Delayed patching (e.g., SonicWall '
                                            'CVE-2024-40766).',
                                            'Lack of MFA/EDR on remote access '
                                            'tools.',
                                            'Vendor breaches exposing backup '
                                            'configurations (SonicWall).',
                                            'Over-reliance on legacy VPN '
                                            'architectures.']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Likely (double extortion tactic)',
                'ransom_demanded': '$958,000 (average for Akira attacks in Q3 '
                                   '2025, +104% increase)',
                'ransomware_strain': ['Akira', 'Fog']},
 'recommendations': ['Transition from on-premise VPNs to cloud-based SASE or '
                     'zero-trust solutions.',
                     'Implement rigorous patch management and automatic '
                     'updates for VPN appliances.',
                     'Enforce MFA and EDR coverage for all remote access '
                     'tools.',
                     'Segment networks to limit lateral movement from '
                     'compromised VPNs.',
                     'Monitor dark web for leaked VPN '
                     'credentials/configurations.',
                     'Evaluate vendor security postures (e.g., SonicWall’s '
                     'breach history).'],
 'references': [{'date_accessed': '2025-04-01',
                 'source': 'At-Bay 2025 InsurSec Report',
                 'url': 'https://www.at-bay.com/insursec-report-2025'},
                {'date_accessed': '2025-04-01',
                 'source': 'The Register: ‘Cisco, Citrix VPN users 6.8x more '
                           'likely to suffer ransomware’',
                 'url': 'https://www.theregister.com/2025/04/01/cisco_citrix_vpn_ransomware_risk/'},
                {'date_accessed': '2024-08-01',
                 'source': 'SonicWall Security Advisory for CVE-2024-40766',
                 'url': 'https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015'}],
 'response': {'communication_strategy': ['At-Bay’s 2025 InsurSec Report',
                                         'media statements by At-Bay CISO Adam '
                                         'Tyra'],
              'containment_measures': ['patching vulnerabilities (e.g., '
                                       'CVE-2024-40766)',
                                       'disabling compromised VPN appliances'],
              'enhanced_monitoring': 'Recommended for on-premise VPN users',
              'incident_response_plan_activated': 'Yes (by At-Bay for insured '
                                                  'clients)',
              'remediation_measures': ['transition to cloud-based SASE '
                                       'solutions',
                                       'enhanced MFA/EDR coverage',
                                       'automatic updates'],
              'third_party_assistance': ['At-Bay’s managed detection and '
                                         'response teams']},
 'stakeholder_advisories': ['At-Bay recommends cloud migration for VPN users.',
                            'SonicWall urges customers to patch CVE-2024-40766 '
                            'and review backup configurations.'],
 'threat_actor': ['Akira ransomware group',
                  'Fog ransomware group',
                  'unspecified affiliates'],
 'title': 'Elevated Ransomware Risk for Organizations Using Cisco, Citrix, and '
          'SonicWall VPN Devices (2024–2025)',
 'type': ['ransomware', 'unauthorized access', 'vulnerability exploitation'],
 'vulnerability_exploited': ['CVE-2024-40766 (SonicWall SSLVPN improper access '
                             'control)',
                             'unpatched VPN appliances',
                             'outdated configurations',
                             'compromised backup configurations (SonicWall '
                             'cloud breach)']}