Cybersecurity | 14 min read | Updated March 2026

VPN Ransomware Attacks in 2026: Qilin, Akira & Play Are Exploiting Your Remote Access | BRITECITY

By BRITECITY Team

Published March 27, 2026

In 2026, three ransomware operations — Qilin, Akira, and Play — have emerged as the most aggressive threat groups exploiting VPN vulnerabilities to breach business networks. By targeting unpatched Fortinet, Cisco, SonicWall, and Ivanti appliances, these groups bypass perimeter defenses, exfiltrate sensitive data, and deploy ransomware before organizations detect the intrusion. BRITECITY, an Irvine-based managed IT provider, helps Orange County businesses eliminate VPN exposure through proactive patching, 24/7 monitoring, and Zero Trust architecture.

01

Your VPN Is Under Siege: The 2026 Ransomware Landscape

Virtual Private Networks have been the backbone of remote access for decades. In 2026, they are also the single most exploited entry point for ransomware operators. According to CISA's Known Exploited Vulnerabilities catalog, VPN and edge-device flaws now account for more than 30% of all actively exploited vulnerabilities — a figure that has doubled since 2023.

Three ransomware groups have built their entire playbooks around VPN compromise:

Qilin — A sophisticated ransomware-as-a-service (RaaS) operation targeting healthcare, education, and professional services through Fortinet and Citrix VPN exploits.

Akira — A prolific group responsible for over $42 million in confirmed ransom payments, primarily exploiting Cisco ASA and SonicWall VPN appliances.

Play (PlayCrypt) — A rapidly growing operation that chains VPN vulnerabilities with Active Directory attacks to achieve full domain compromise in hours.

These are not theoretical risks. In Q1 2026 alone, these three groups collectively claimed responsibility for over 200 confirmed attacks on businesses with fewer than 1,000 employees. The common thread in nearly every case: an unpatched VPN appliance or a stolen VPN credential without multi-factor authentication.

02

Qilin Ransomware: The Healthcare and Professional Services Predator

Origin and Evolution

Qilin (also written as "Quilin" in some threat reports) first surfaced in mid-2022 as a ransomware-as-a-service operation. The group recruits affiliates through dark web forums, offering an 80/20 revenue split on ransom payments — among the most generous in the RaaS ecosystem. Written in Rust and Go, Qilin's malware is cross-platform, capable of encrypting Windows, Linux, and VMware ESXi environments simultaneously.

By 2025, Qilin had evolved from an opportunistic operator into one of the most targeted ransomware groups in the world. Their June 2024 attack on Synnovis — a pathology services provider to major London hospitals — disrupted over 3,000 medical appointments and forced hospitals to cancel critical procedures. The attack demonstrated Qilin's willingness to target organizations where downtime has life-or-death consequences.

How Qilin Exploits VPNs

Qilin affiliates primarily gain initial access through:

  • Compromised VPN credentials — Harvested through phishing campaigns, infostealer malware, or purchased from initial access brokers (IABs) on dark web marketplaces. Qilin specifically targets organizations running VPNs without MFA enabled.
  • Fortinet FortiGate exploitation — Qilin affiliates have been observed exploiting CVE-2023-27997 (FortiOS heap buffer overflow, CVSS 9.2) and CVE-2024-21762 (FortiOS out-of-bounds write, CVSS 9.6) to achieve remote code execution on VPN appliances without credentials.
  • Citrix NetScaler (Citrix Bleed) — The group exploited CVE-2023-4966 to hijack authenticated VPN sessions, bypassing MFA entirely by stealing session tokens.
  • Credential harvesting at scale — In the Synnovis attack, Qilin deployed a custom script that harvested Google Chrome credentials stored on every endpoint in the domain — a technique that turned a single breach into a supply-chain threat across connected organizations.

Post-Exploitation Tactics

Once inside the network, Qilin follows a predictable but devastating pattern:

  • Lateral movement using stolen credentials and tools like Cobalt Strike and Mimikatz
  • Data exfiltration before encryption — Qilin operates a double-extortion model, publishing stolen data on their leak site if ransom is not paid
  • Targeting VMware ESXi hypervisors to maximize damage — encrypting virtual machines takes down entire server infrastructure in minutes
  • Disabling backups and shadow copies before deploying the ransomware payload
  • Ransom demands ranging from $50,000 for small businesses to $50 million for large enterprises

Industries Most Targeted by Qilin

  • Healthcare and pathology services
  • Legal and professional services firms
  • Education institutions
  • Government agencies and courts (Lee County, FL clerk of courts was hit in 2024)
  • Manufacturing and automotive (Yanfeng International, a major automotive parts supplier)

03

Akira Ransomware: The $42 Million VPN Exploit Machine

Origin and Evolution

Akira emerged in March 2023 and immediately distinguished itself through the sheer speed and volume of attacks. Within its first year, Akira compromised over 250 organizations and collected approximately $42 million in ransom payments — a figure confirmed by the FBI and CISA joint advisory (AA24-109A) published in April 2024. The group has strong technical overlaps with the defunct Conti ransomware operation, suggesting that Akira was built by former Conti developers who regrouped after Conti's internal communications were leaked in 2022.

Akira operates a retro-themed dark web portal (styled after 1980s green-screen terminals) where victims negotiate payments and where stolen data is published for non-paying targets.

How Akira Exploits VPNs

Akira has built its attack playbook almost entirely around VPN compromise. Their primary entry vectors include:

  • Cisco ASA and FTD VPN exploitation — Akira is the most prolific exploiter of Cisco VPN vulnerabilities in the wild. They target CVE-2023-20269 (brute-force vulnerability in Cisco ASA/FTD VPN) to gain initial access through credential stuffing attacks against VPN endpoints without MFA.
  • SonicWall SMA and SSL-VPN exploitation — Akira affiliates exploit CVE-2024-40766 (SonicWall SMA improper access control, CVSS 9.3) and older SonicWall SSLVPN vulnerabilities to bypass authentication entirely.
  • Stolen VPN credentials without MFA — A significant portion of Akira intrusions begin with valid VPN credentials obtained from infostealer logs or dark web credential markets. Organizations running single-factor VPN authentication are primary targets.
  • Ivanti Connect Secure exploitation — In late 2024 and into 2025, Akira was observed exploiting CVE-2024-21887 (Ivanti Connect Secure command injection) chained with authentication bypass vulnerabilities to gain shell access on VPN appliances.

Post-Exploitation Tactics

  • Uses legitimate remote management tools (AnyDesk, RustDesk, RDP) to maintain persistence — making detection harder since these tools are often whitelisted
  • Deploys both Windows and Linux encryptors — the Linux variant specifically targets VMware ESXi virtual machines
  • Exfiltrates data using WinSCP, FileZilla, or cloud storage services before encryption
  • Disables EDR and security tools using Bring Your Own Vulnerable Driver (BYOVD) techniques
  • Average dwell time of 3-7 days — fast enough to avoid detection but long enough to map the entire network
  • Ransom demands typically range from $200,000 to $4 million, with payment exclusively in Bitcoin

Notable Akira Attacks

  • Stanford University (2023) — 430 GB of data stolen via compromised VPN credentials
  • Nissan Australia (2023) — 100 GB of corporate and customer data exfiltrated
  • Multiple US municipal governments, school districts, and healthcare providers throughout 2024-2025
  • Over 30 confirmed attacks on small and mid-sized businesses in California alone in 2025

04

Play Ransomware (PlayCrypt): The Domain Takeover Specialists

Origin and Evolution

Play ransomware (also known as PlayCrypt) emerged in June 2022 and has rapidly climbed to become one of the top five most active ransomware operations globally. The group was the subject of a joint CISA/FBI advisory (AA23-352A) in December 2023 after compromising approximately 300 organizations worldwide. By Q1 2026, that number has more than tripled.

Play's distinguishing characteristic is speed. While most ransomware operators spend days mapping a network, Play has demonstrated the ability to go from VPN compromise to full domain encryption in under 6 hours. They achieve this through highly automated toolchains and a deep understanding of Active Directory attack paths.

How Play Exploits VPNs

  • Fortinet FortiOS exploitation — Play operators are among the most aggressive exploiters of Fortinet VPN vulnerabilities, specifically CVE-2018-13379 (FortiOS path traversal — still being exploited in 2026 despite being patched in 2019), CVE-2020-12812 (improper authentication), and CVE-2024-21762 (out-of-bounds write).
  • Cisco ASA VPN targeting — Play shares Akira's appetite for Cisco ASA vulnerabilities, using CVE-2023-20269 for brute-force attacks against VPN login portals.
  • Microsoft Exchange + VPN chaining — Play frequently combines VPN access with ProxyNotShell (CVE-2022-41082) Exchange vulnerabilities to escalate privileges rapidly. VPN gets them inside the perimeter; Exchange gives them domain admin.
  • RDP exposure through VPN access — Once inside via VPN, Play immediately scans for internal RDP services and uses credential-stuffing to pivot across the network.

Post-Exploitation Tactics

  • Uses custom tools including Grixba (network scanner) and VSS Copying Tool to enumerate and steal Volume Shadow Copies
  • Deploys AdFind and BloodHound for Active Directory reconnaissance — mapping the fastest path to Domain Admin
  • Uses intermittent encryption (encrypting only portions of each file) to dramatically speed up the encryption process while still rendering files unrecoverable
  • Splits stolen data into RAR archive segments for exfiltration, often using cloud storage services
  • Double extortion with data published on their Tor leak site
  • Contact exclusively via email — no negotiation portals like other groups

Notable Play Attacks

  • City of Oakland, California (2023) — Declared a state of emergency; city services disrupted for weeks
  • Arnold Clark (UK's largest car dealership group) — Customer PII and financial data stolen
  • Rackspace (2022) — Hosted Exchange environment compromised, affecting thousands of customers
  • Multiple law firms, accounting practices, and MSPs targeted throughout 2024-2026

05

The VPN Vulnerabilities These Groups Are Exploiting Right Now

All three groups share a common target list of VPN vulnerabilities. If your organization uses any of these products and has not verified patching, you are at elevated risk.

Fortinet FortiGate / FortiOS
  • CVE-2024-21762 — Out-of-bounds write (CVSS 9.6). Remote code execution. Exploited by Qilin and Play.
  • CVE-2023-27997 — Heap buffer overflow (CVSS 9.2). Pre-authentication RCE. Exploited by Qilin.
  • CVE-2024-47575 — FortiManager "FortiJump" (CVSS 9.8). Missing authentication for critical function. Used to pivot from FortiManager to managed FortiGate devices.
  • CVE-2018-13379 — Path traversal (CVSS 9.8). Still being exploited in 2026 despite being patched 7 years ago. Exploited by Play.

Cisco ASA / Firepower Threat Defense (FTD)
  • CVE-2023-20269 — Brute-force vulnerability in VPN services (CVSS 5.0, but massively exploited). Allows credential stuffing without lockout. Exploited by Akira and Play.
  • CVE-2024-20359 — Persistent local code execution on ASA. Used by nation-state group ArcaneDoor and subsequently adopted by ransomware operators.

SonicWall SMA / SSL-VPN
  • CVE-2024-40766 — Improper access control in SonicOS (CVSS 9.3). Exploited by Akira.
  • CVE-2024-53704 — SSL-VPN authentication bypass (CVSS 9.8). Allows session hijacking. Targeted actively in early 2025.

Ivanti Connect Secure (formerly Pulse Secure)
  • CVE-2024-21887 — Command injection (CVSS 9.1). Often chained with CVE-2023-46805 (authentication bypass) for unauthenticated RCE. Exploited by Akira.
  • CVE-2025-0282 — Stack-based buffer overflow (CVSS 9.0). Zero-day exploited in January 2025 before patches were available.

Palo Alto Networks GlobalProtect
  • CVE-2024-3400 — PAN-OS command injection (CVSS 10.0). Unauthenticated RCE on GlobalProtect VPN. Widely exploited before patch.

06

Why VPNs Are the Perfect Target for Ransomware Groups

VPN appliances sit at the exact intersection of factors that ransomware operators crave:

  • Internet-facing by design — VPN endpoints must be publicly accessible to function. Unlike internal servers, they are reachable by anyone on the internet, including attackers running automated vulnerability scanners 24/7.
  • Full network access on compromise — A compromised VPN grants the attacker the same network access as a legitimate remote employee — often with broad access to file servers, Active Directory, backup systems, and cloud services.
  • Patching is delayed or skipped — Many organizations treat VPN appliances as "set and forget" infrastructure. Patching requires maintenance windows, firmware downloads, and often a reboot that disconnects remote workers. This leads to delays measured in months, not days.
  • Legacy devices run indefinitely — End-of-life VPN appliances that no longer receive security updates are shockingly common in SMB environments. These devices have known, unpatched vulnerabilities that will never be fixed.
  • MFA is not enforced — A 2025 Rapid7 analysis found that over 40% of VPN-related compromises involved accounts without multi-factor authentication. Single-factor VPN is functionally an open door.
  • Limited visibility — Many VPN appliances generate minimal logging by default. Without proper SIEM integration, brute-force attempts and unauthorized logins go unnoticed until ransomware is deployed.
  • Credential reuse is rampant — When VPN credentials match corporate email passwords (which they often do), a single phished password gives attackers VPN access. Infostealer malware like Raccoon, RedLine, and Lumma harvest VPN credentials at industrial scale from compromised personal devices.

Is Your VPN Putting Your Business at Risk?

Most businesses do not know if their VPN is patched, properly configured, or exposed to these attacks.

BRITECITY offers a complimentary VPN security assessment that checks your appliance firmware versions, MFA enforcement, logging configuration, and exposure to the specific CVEs targeted by Qilin, Akira, and Play.

08

Anatomy of a VPN Ransomware Attack: From Breach to Encryption in 48 Hours

Understanding the attack timeline helps clarify why speed of detection matters. Here is how a typical VPN-initiated ransomware attack unfolds:

Hour 0: Initial Access
  • Attacker exploits unpatched VPN vulnerability or uses stolen credentials
  • Establishes foothold on the VPN appliance or an internal system via VPN tunnel
  • Deploys persistence mechanisms (web shells, scheduled tasks, legitimate remote access tools)

Hours 1-6: Reconnaissance
  • Maps Active Directory with tools like BloodHound, AdFind, or SharpHound
  • Identifies domain administrators, file servers, backup systems, and cloud services
  • Harvests additional credentials using Mimikatz, LaZagne, or LSASS memory dumps
  • Enumerates security tools (EDR, AV) to plan evasion strategy

Hours 6-24: Lateral Movement and Data Exfiltration
  • Moves laterally via RDP, SMB, WMI, or PsExec using harvested credentials
  • Accesses file servers, databases, email archives, and financial systems
  • Stages sensitive data for exfiltration — client records, financial data, intellectual property, employee PII
  • Exfiltrates data to attacker-controlled infrastructure via encrypted channels

Hours 24-48: Ransomware Deployment
  • Disables or uninstalls EDR/antivirus using BYOVD techniques or admin privileges
  • Deletes Volume Shadow Copies and disables Windows Recovery
  • Targets backup infrastructure — Veeam servers, NAS devices, cloud backup agents
  • Deploys ransomware across all accessible systems simultaneously via Group Policy or PsExec
  • Ransom note appears. Clock starts on data publication threat.

09

How to Defend Your Business Against VPN Ransomware Attacks

The good news: every one of these attacks is preventable. The controls below address the specific techniques used by Qilin, Akira, and Play.

1. Patch VPN Appliances Within 48 Hours of Critical CVE Disclosure

  • Subscribe to vendor security advisories (Fortinet PSIRT, Cisco PSIRT, SonicWall Security Center, Ivanti Security Advisories)
  • Monitor CISA's KEV catalog — if a VPN CVE appears here, treat it as emergency patching
  • Maintain current firmware on all edge devices — no exceptions
  • Replace end-of-life appliances immediately — they will never receive patches for new vulnerabilities

2. Enforce Multi-Factor Authentication on All VPN Connections

  • MFA blocks the vast majority of credential-based attacks used by all three groups
  • Use phishing-resistant MFA (FIDO2 hardware keys or authenticator apps) — SMS-based MFA can be bypassed via SIM swapping
  • Apply MFA to 100% of VPN accounts with zero exceptions — a single account without MFA is all an attacker needs

3. Implement Zero Trust Network Access (ZTNA)

  • Traditional VPNs grant broad network access — ZTNA grants access only to specific applications based on user identity, device health, and context
  • Even if credentials are compromised, ZTNA limits the blast radius by preventing lateral movement
  • Solutions like Cloudflare Access, Zscaler Private Access, and Microsoft Entra Private Access replace or supplement VPN
  • For organizations not ready for full ZTNA migration, network segmentation behind the VPN provides partial protection

4. Deploy 24/7 Monitoring with EDR/MDR

  • EDR (Endpoint Detection and Response) detects the post-exploitation tools these groups use — Cobalt Strike, Mimikatz, BloodHound
  • MDR (Managed Detection and Response) provides 24/7 human analysis — critical for catching attacks during nights and weekends when most ransomware is deployed
  • Integrate VPN appliance logs into your SIEM — monitor for brute-force attempts, unusual login times, and connections from unexpected geographies

5. Secure Your Backups Against Ransomware

  • Immutable backups that cannot be encrypted or deleted — even by a domain administrator
  • Air-gapped or offline backup copies that are physically disconnected from the network
  • Test restore procedures quarterly — backups that cannot be restored are worthless
  • Separate backup credentials from domain credentials — if domain admin is compromised, backup admin should still be safe

6. Eliminate Credential Reuse and Harvesting

  • Deploy a business password manager company-wide
  • Enforce unique passwords for VPN access — never shared with email or other services
  • Monitor dark web credential markets for employee email/password combinations
  • Disable browser password storage via Group Policy — prevents infostealer credential harvesting (the technique Qilin used in the Synnovis attack)

7. Conduct VPN-Specific Penetration Testing

  • Annual penetration testing should include VPN brute-force testing, credential-stuffing simulation, and vulnerability scanning of the VPN management interface
  • Verify that VPN management interfaces (admin consoles) are not accessible from the internet
  • Test incident response procedures specifically for VPN compromise scenarios

10

Qilin vs. Akira vs. Play: Threat Group Comparison

| Attribute | Qilin | Akira | Play |
|---|---|---|---|
| First Seen | Mid-2022 | March 2023 | June 2022 |
| Primary VPN Targets | Fortinet, Citrix | Cisco ASA, SonicWall, Ivanti | Fortinet, Cisco ASA |
| Confirmed Ransom Revenue | Unknown (significant) | $42 million+ | Unknown (significant) |
| Ransom Range | $50K - $50M | $200K - $4M | $100K - $5M |
| Double Extortion | Yes | Yes | Yes |
| Average Dwell Time | 5-14 days | 3-7 days | Under 48 hours |
| Top Industries | Healthcare, Legal, Education | SMBs, Government, Education | SMBs, Government, Law Firms |
| RaaS Model | Yes (80/20 split) | Yes (Conti-linked) | Closed group |
| CISA Advisory | Multiple alerts | AA24-109A | AA23-352A |

11

Why Small and Mid-Sized Businesses Are Primary Targets

Enterprise organizations have dedicated security teams, segmented networks, and incident response retainers. SMBs typically do not — and ransomware operators know this. Here is why businesses with 50-500 employees are disproportionately targeted:

  • VPN appliances managed by generalist IT staff — Without dedicated security expertise, firmware updates and security configurations are deprioritized against day-to-day support requests.
  • No 24/7 security monitoring — Ransomware is overwhelmingly deployed between Friday night and Monday morning. Without after-hours monitoring, attackers have an unobserved window measured in days.
  • Flat networks without segmentation — In many SMB environments, VPN access grants connectivity to every server, workstation, and printer on the network. There are no barriers to lateral movement.
  • Backup infrastructure on the same network — If your backup server is reachable from any workstation, it is reachable from a compromised VPN connection. Ransomware operators encrypt backups first.
  • Cyber insurance creates payment incentive — Insurers sometimes recommend payment when recovery costs exceed the ransom. Attackers calibrate demands to fall within typical policy limits ($100K-$1M for SMBs).
  • Higher payment rates — According to Sophos State of Ransomware 2025, organizations with fewer than 1,000 employees pay ransoms at roughly twice the rate of large enterprises — making them more profitable per attack.

12

What to Do Right Now: Your 7-Day VPN Security Sprint

You do not need a 6-month security roadmap to address the most critical VPN risks. Here is a 7-day action plan that addresses the specific attack vectors used by Qilin, Akira, and Play:

Day 1-2: Inventory and Patch
  • Identify every VPN appliance in your environment (including forgotten branch office devices)
  • Document firmware versions and compare against vendor security advisories
  • Apply all available security patches — prioritize the CVEs listed in this article
  • If an appliance is end-of-life and cannot be patched, plan immediate replacement

Day 3: MFA Enforcement
  • Audit every VPN account — identify any without MFA
  • Enable MFA on all remaining accounts with zero exceptions
  • Disable any VPN accounts for former employees or inactive users

Day 4: Logging and Monitoring
  • Enable verbose logging on VPN appliances
  • Forward VPN logs to your SIEM or monitoring platform
  • Create alerts for: failed login attempts (>5 in 10 minutes), logins from unusual countries, and logins outside business hours

Day 5: Access Restriction
  • Restrict VPN management interfaces to internal-only access
  • Implement geo-blocking — if your employees are only in the US, block VPN connections from other countries
  • Review VPN split-tunnel vs. full-tunnel configuration — limit the network segments accessible via VPN

Day 6-7: Backup Verification
  • Verify that backups are immutable (cannot be deleted by an admin account)
  • Confirm an air-gapped or offsite copy exists
  • Test a full restore of a critical system — document the process and time required
  • Ensure backup credentials are not stored in Active Directory or accessible via the same domain credentials
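
The three Day 4 alert rules (more than 5 failed logins in 10 minutes, logins from unusual countries, logins outside business hours) can be prototyped over exported VPN logs before they are built in a SIEM. The script below is an added example, not part of the original article or any vendor's tooling; the normalized log format, the US-only allow-list, the business-hours range and the extra success-after-failures rule are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the Day 4 list; the allow-list and hours are assumptions.
FAIL_THRESHOLD = 5                      # alert on more than 5 failures...
FAIL_WINDOW = timedelta(minutes=10)     # ...inside 10 minutes
ALLOWED_COUNTRIES = {"US"}              # assumed: workforce is US-only
BUSINESS_DAYS = range(0, 5)             # assumed: Monday-Friday
BUSINESS_HOURS = range(7, 19)           # assumed: 07:00-18:59 appliance local time

# Constructed sample events in a hypothetical normalized format
# (timestamp user source_ip country result); not any vendor's log format.
SAMPLE_LOG = """\
2026-03-24T09:12:03 alice 198.51.100.7 US success
2026-03-24T10:00:00 admin 203.0.113.50 US failure
2026-03-24T10:00:40 jsmith 203.0.113.50 US failure
2026-03-24T10:01:15 backup 203.0.113.50 US failure
2026-03-24T10:02:02 scanner 203.0.113.50 US failure
2026-03-24T10:03:30 helpdesk 203.0.113.50 US failure
2026-03-24T10:04:10 vpnuser 203.0.113.50 US failure
2026-03-24T10:05:00 test 203.0.113.50 US failure
2026-03-24T10:06:20 jsmith 203.0.113.50 US success
2026-03-24T14:30:00 bob 192.0.2.44 RO success
this line is truncated
2026-03-28T02:30:00 carol 198.51.100.9 US success
"""


def parse_line(line):
    ts, user, ip, country, result = line.split()   # ValueError on wrong field count
    if result not in ("success", "failure"):
        raise ValueError(f"unknown result {result!r}")
    return datetime.fromisoformat(ts), user, ip, country, result == "success"


def detect(log_text):
    """Return (alerts, skipped_lines); alerts are (rule, timestamp, detail) tuples."""
    alerts, skipped = [], []
    failures = defaultdict(deque)       # ("ip"|"user", value) -> recent failure times
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            ts, user, ip, country, ok = parse_line(raw)
        except ValueError:
            skipped.append(raw)         # keep unparsed lines visible, never drop silently
            continue
        keys = (("ip", ip), ("user", user))
        for key in keys:                # expire failures older than the window
            window = failures[key]
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
        if not ok:
            for key in keys:
                failures[key].append(ts)
                # Fire once, when the count first exceeds the threshold.
                if len(failures[key]) == FAIL_THRESHOLD + 1:
                    alerts.append(("brute_force", ts.isoformat(), f"{key[0]}={key[1]}"))
            continue
        # Successful login: check it against the failure history and both policies.
        if any(len(failures[key]) > FAIL_THRESHOLD for key in keys):
            alerts.append(("success_after_failures", ts.isoformat(), f"{user} from {ip}"))
        if country not in ALLOWED_COUNTRIES:
            alerts.append(("unusual_country", ts.isoformat(), f"{user} from {country}"))
        if ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", ts.isoformat(), f"{user} from {ip}"))
    return alerts, skipped


if __name__ == "__main__":
    found, unparsed = detect(SAMPLE_LOG)
    for rule, when, detail in found:
        print(f"{when}  {rule:<24} {detail}")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

Events must be fed in time order. Failures are tracked per source IP and per username, so both a single host cycling through accounts and many hosts hammering one account cross the threshold.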

Stop VPN Ransomware Before It Starts

BRITECITY manages VPN security end-to-end for Orange County businesses.

From emergency patching and 24/7 monitoring to Zero Trust migration planning, our security team addresses every vector that Qilin, Akira, and Play exploit. We have responded to VPN-initiated ransomware incidents and know exactly what these groups look for — and how to make sure they do not find it in your network.


Got Questions?

Common Questions About This Topic

Which VPN brands are most targeted by ransomware in 2026?

Fortinet FortiGate, Cisco ASA, SonicWall SMA, and Ivanti Connect Secure are the most targeted VPN products. These four vendors account for the majority of VPN-related ransomware intrusions because of their widespread deployment in small and mid-sized businesses and the severity of recent vulnerabilities. Keeping firmware current and enforcing MFA are the two most effective defenses regardless of vendor.

How do ransomware groups get into VPNs?

Ransomware groups compromise VPNs through two primary methods: exploiting unpatched vulnerabilities in VPN appliance firmware (allowing remote code execution without credentials) and using stolen VPN credentials obtained from phishing, infostealer malware, or dark web markets. Organizations running VPNs without multi-factor authentication are particularly vulnerable to credential-based attacks.

Should we replace our VPN with Zero Trust?

Zero Trust Network Access (ZTNA) significantly reduces the risk of VPN-based ransomware attacks by granting access to specific applications rather than the entire network. However, migration should be planned — not rushed. In the short term, patching your VPN, enforcing MFA, and implementing network segmentation provide immediate protection. Work with a security provider to plan a phased ZTNA migration.

What should we do if we think our VPN has been compromised?

Immediately isolate the VPN appliance from the network, preserve logs for forensic analysis, and engage your incident response provider or managed IT partner. Do not reboot or wipe the appliance — this destroys evidence. Check for unauthorized accounts, review recent VPN login activity for anomalies, and scan all connected systems for indicators of compromise. Time is critical — the average ransomware deployment after VPN compromise is 48 hours.

How often should VPN firmware be updated?

VPN firmware should be updated within 48 hours when a critical security vulnerability is disclosed, especially if it appears in CISA's Known Exploited Vulnerabilities catalog. For routine updates, monthly patching during maintenance windows is appropriate. End-of-life appliances that no longer receive security updates should be replaced immediately — they represent permanent, unfixable risk.
