In 2026, three ransomware operations — Qilin, Akira, and Play — are aggressively exploiting VPN vulnerabilities to breach business networks. They target unpatched Fortinet, Cisco, SonicWall, and Ivanti appliances to bypass perimeter defenses and deploy ransomware. Orange County businesses relying on traditional VPN are at heightened risk without proactive patching and monitoring.
The Threat Landscape
Virtual Private Networks have been the backbone of remote access for decades. In 2026, they are also the single most exploited entry point for ransomware operators. According to CISA’s Known Exploited Vulnerabilities catalog, VPN and edge-device flaws now account for more than 30% of all actively exploited vulnerabilities — a figure that has doubled since 2023.
The reason is architectural. VPN appliances sit directly on the internet, run complex software stacks with large attack surfaces, and typically grant broad network access once a user authenticates. A single unpatched vulnerability or stolen credential gives an attacker the same network position as a trusted employee sitting in the office. From there, lateral movement, privilege escalation, and ransomware deployment follow a well-rehearsed playbook.
Three ransomware groups have built their entire operations around VPN compromise: Qilin, Akira, and Play. Each targets different VPN products, uses distinct post-exploitation techniques, and focuses on different business sizes — but they share one common trait: they move fast, exfiltrate data before encrypting, and double-extort victims who refuse to pay.
Attack Anatomy
From initial VPN exploit to full encryption, the typical attack chain completes in 3-7 days. Understanding the chain helps identify where your defenses can break it.
Stage 1, Initial Access: VPN exploit or stolen credentials
Stage 2, Lateral Movement: Cobalt Strike, RDP, stolen tokens
Stage 3, Privilege Escalation: domain admin via Mimikatz / Active Directory abuse
Stage 4, Data Exfiltration: WinSCP, FileZilla, cloud staging
Stage 5, Ransomware Deployment: encrypt systems, destroy backups
Attack Timeline: 3-7 Days
From initial VPN compromise to full ransomware deployment, most attacks complete in 3-7 days. Data exfiltration typically begins within 24-48 hours of initial access and gives the operators double-extortion leverage before encryption starts: by the time you see the ransom note, your data is already stolen.
The Numbers
30%+ of actively exploited CVEs target VPN and edge devices (source: CISA KEV Catalog 2026)
$42M in confirmed ransom payments collected by Akira alone (source: FBI/CISA Advisory AA24-109A)
200+ confirmed attacks by Qilin, Akira and Play in Q1 2026 (source: threat intelligence reports)
3-7 days from VPN compromise to full ransomware deployment (source: incident response data)
Threat Profile #1: Qilin
Qilin (also tracked as Agenda, and sometimes misspelled "Quilin") first surfaced in mid-2022 as a ransomware-as-a-service operation offering affiliates an 80/20 revenue split, among the most generous in the RaaS ecosystem. Its encryptors, written in Go and later Rust, cover Windows, Linux, and VMware ESXi, so a single affiliate can hit all three tiers of a victim's estate in one operation.
Exploits the Fortinet FortiGate SSL-VPN flaws CVE-2023-27997 (heap buffer overflow, CVSS 9.2) and CVE-2024-21762 (out-of-bounds write, CVSS 9.6), both reachable before authentication, for remote code execution. Also targets Citrix NetScaler CVE-2023-4966 (Citrix Bleed) to steal session tokens and hijack already-authenticated sessions, which sidesteps MFA entirely because the MFA challenge was completed by the legitimate user.
Lateral movement via Cobalt Strike and Mimikatz. Targets VMware ESXi hypervisors to encrypt entire virtual infrastructures. Disables backups and shadow copies. In the Synnovis attack, deployed custom scripts to harvest Chrome credentials across every domain endpoint.
Exfiltrates data before encryption and publishes on their leak site if ransom is refused. Demands range from $50,000 for small businesses to $50 million for enterprises. Primary targets: healthcare, legal, education, and government.
Threat Profile #2: Akira
Akira emerged in March 2023 and immediately distinguished itself through attack speed and volume. Within its first year, Akira compromised over 250 organizations and collected approximately $42 million in ransom payments — confirmed by the FBI and CISA joint advisory (AA24-109A) published in April 2024. The group has strong technical overlaps with the defunct Conti ransomware operation.
Akira has built its playbook almost entirely around VPN compromise. Primary entry vectors include Cisco ASA/FTD remote-access VPN via CVE-2023-20269 (an unauthorized-access flaw that allows brute-force and credential-stuffing attacks against accounts without MFA), SonicWall firewalls running SonicOS via CVE-2024-40766 (improper access control in the SSL VPN and management interfaces, CVSS 9.3), and Ivanti Connect Secure via CVE-2024-21887 (command injection, chained with the CVE-2023-46805 authentication bypass for unauthenticated remote code execution).
Post-exploitation, Akira uses legitimate remote management tools such as AnyDesk and RustDesk to maintain persistence, which makes detection harder because these tools are often allow-listed by security software. They deploy both Windows and Linux encryptors, with the Linux variant specifically targeting VMware ESXi virtual machines. Data exfiltration occurs via WinSCP, FileZilla, or cloud storage services before encryption begins. Average dwell time is 3-7 days.
Targeted products: Cisco ASA/FTD, SonicWall SonicOS firewalls, Ivanti Connect Secure
Initial access: credential stuffing against VPNs without MFA, CVE exploitation
Ransom range: $200,000 - $4 million (Bitcoin only)
Notable technique: Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint security
Threat Profile #3: Play
Play (also known as PlayCrypt) is a rapidly growing ransomware operation that specifically targets businesses with fewer than 250 employees. Unlike Qilin and Akira, which often pursue larger organizations, Play has optimized its attack chain for speed — achieving full domain compromise in hours rather than days.
Play’s distinguishing technique is chaining VPN vulnerabilities with Active Directory attacks. The group exploits FortiOS VPN vulnerabilities and Ivanti Connect Secure flaws for initial access, then immediately pivots to Active Directory enumeration using tools like AdFind and BloodHound. By identifying misconfigured Group Policy Objects, weak service account passwords, and Kerberoastable accounts, Play escalates to domain admin privileges within hours of initial VPN compromise.
Data exfiltration follows a predictable pattern: Play uses WinRAR to compress sensitive files and stages them on attacker-controlled infrastructure before deploying the encryptor. Ransom demands typically range from $100,000 to $2 million. The group operates a data leak site where non-paying victims’ data is published in stages, increasing pressure to pay with each disclosure.
Play’s focus on smaller organizations makes it a direct threat to businesses across Orange County, Irvine, and the broader Southern California region — companies that often lack dedicated security teams and rely on aging VPN infrastructure for remote access.
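The Play chain above hinges on Kerberoasting: one compromised VPN user requests service tickets for many service accounts, and RC4-encrypted tickets (encryption type 0x17) are cracked offline. The detection below is an added example written for this page, not Play tooling or any vendor's rule. It runs over constructed Windows Security Event ID 4769 records shaped like a log-shipper JSON export (the field names match the real event; the accounts, IPs and times are invented) and flags a single requester pulling tickets for an unusual number of distinct user-service SPNs inside a short window, while ignoring computer accounts and krbtgt, which are not Kerberoastable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4769 records (Kerberos service ticket requested).
# Field names follow the real event; the values are invented sample data.
EVENTS = [
    {"time": "2026-01-15T09:00:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.21", "Status": "0x0"},   # normal AES request
    {"time": "2026-01-15T09:30:00", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.30", "Status": "0x0"},   # one RC4 ticket, legacy client
    {"time": "2026-01-15T10:00:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40", "Status": "0x0"},
    {"time": "2026-01-15T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40", "Status": "0x0"},
    {"time": "2026-01-15T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40", "Status": "0x0"},
    {"time": "2026-01-15T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-exchange",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40", "Status": "0x0"},
    {"time": "2026-01-15T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40", "Status": "0x0"},   # computer account, ignored
    {"time": "2026-01-15T10:00:05", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40", "Status": "0x0"},   # KDC account, ignored
]

WINDOW = timedelta(minutes=5)       # tuning values are assumptions, adjust to your environment
DISTINCT_SPN_THRESHOLD = 4
RC4 = "0x17"


def is_user_service(name):
    # Computer accounts end with '$' and krbtgt belongs to the KDC; neither is Kerberoastable.
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events):
    """Alert when one requester obtains tickets for many distinct user-service SPNs in WINDOW."""
    by_requester = defaultdict(list)
    for e in events:
        if e["Status"] != "0x0" or not is_user_service(e["ServiceName"]):
            continue
        by_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e))
    alerts = []
    for requester, items in by_requester.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):      # sliding window anchored at each request
            window = [ev for ts, ev in items[i:] if ts - start <= WINDOW]
            services = {ev["ServiceName"] for ev in window}
            if len(services) >= DISTINCT_SPN_THRESHOLD:
                alerts.append({"requester": requester, "ip": window[0]["IpAddress"],
                               "distinct_services": len(services),
                               "rc4_requests": sum(ev["TicketEncryptionType"] == RC4 for ev in window),
                               "services": sorted(services)})
                break   # one alert per requester
    return alerts


def rc4_service_accounts(events):
    """Service accounts that were issued RC4 tickets: these are the offline-crackable ones.
    Move them to AES-only (msDS-SupportedEncryptionTypes) or to a gMSA with a managed password."""
    return sorted({e["ServiceName"] for e in events
                   if e["TicketEncryptionType"] == RC4 and is_user_service(e["ServiceName"])})


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print("ALERT kerberoasting:", alert)
    print("service accounts still accepting RC4:", rc4_service_accounts(EVENTS))
```

The second function is the preventive half: an account that never receives an RC4 ticket cannot be Kerberoasted with a cheap offline crack, so the list it returns is the remediation queue for step 4 of the action plan (segmentation and AD hardening), independent of whether an attack is in progress.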
Side-by-Side
Each group has distinct tactics, targets, and revenue models. Understanding the differences helps prioritize your defenses.

                        Qilin                                   Akira                                     Play
Target size             Mid-market (100-1,000 employees)        SMB to mid-market (20-500 employees)      SMB (10-250 employees)
Initial access          Fortinet & Citrix VPN exploits,         Cisco ASA/FTD & SonicWall VPN exploits    FortiOS & Ivanti VPN + AD chaining
                        credential theft
Ransom range            $50K - $50M (scales with revenue)       $200K - $4M (Bitcoin only)                $100K - $2M
Exfiltration/extortion  Custom tools, double-extortion          WinSCP, FileZilla, cloud staging          WinRAR archives to attacker infrastructure
                        leak site
Average dwell time      3-6 weeks                               2-4 weeks                                 2-5 weeks
Vulnerability Intelligence
CVE-2023-27997: Fortinet FortiOS, heap buffer overflow in SSL-VPN (pre-authentication remote code execution)
CVE-2024-21762: Fortinet FortiOS, out-of-bounds write in SSL-VPN (pre-authentication remote code execution)
CVE-2023-20269: Cisco ASA/FTD, unauthorized access in the remote-access VPN feature enabling brute-force attacks
CVE-2024-40766: SonicWall SonicOS (Gen 5/6/7 firewalls, SSL VPN and management access), improper access control
CVE-2024-21887: Ivanti Connect Secure / Policy Secure, command injection (chained with the CVE-2023-46805 authentication bypass)
CVE-2023-4966: Citrix NetScaler ADC / Gateway, session token disclosure enabling session hijacking (Citrix Bleed)
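Step 1 of the action plan is to check these products against the CISA KEV catalog. The script below is an added example for this page, not a CISA tool: it cross-references a small appliance inventory with a constructed excerpt of the KEV feed (the JSON uses the feed's real field names and the CVE IDs from the list above, but the product strings are approximate and the due dates are placeholders, not the catalog's actual values) and reports every unremediated catalog entry per host, worst first. The inventory format, the "keyword" matching and the "patched_cves" field are assumptions for the example; in production, load the live feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and feed the script your own asset export.

```python
import json
from datetime import date

# Constructed KEV excerpt: real field names and real CVE IDs, placeholder dates.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet", "product": "FortiOS",
     "dueDate": "2023-07-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-21762", "vendorProject": "Fortinet", "product": "FortiOS",
     "dueDate": "2024-02-16", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-20269", "vendorProject": "Cisco",
     "product": "Adaptive Security Appliance and Firepower Threat Defense",
     "dueDate": "2023-10-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
     "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure",
     "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},  # unrelated entry, must not match
]})

# Constructed asset export (hypothetical format). "keyword" is the substring that
# identifies the product inside KEV's free-text product field; "patched_cves" lists
# CVEs already closed according to change records.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Fortinet", "keyword": "FortiOS",
     "patched_cves": {"CVE-2023-27997"}},
    {"host": "asa-vpn-01", "vendor": "Cisco", "keyword": "Adaptive Security Appliance",
     "patched_cves": set()},
    {"host": "sw-branch-01", "vendor": "SonicWall", "keyword": "SonicOS",
     "patched_cves": {"CVE-2024-40766"}},
]

AUDIT_DATE = date(2026, 1, 15)   # fixed so the example is reproducible; use date.today() in practice


def audit(kev_json, inventory, today=None):
    """Return unremediated KEV entries per host, ransomware-linked and most overdue first."""
    today = today or AUDIT_DATE
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        for asset in inventory:
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if asset["keyword"].lower() not in entry["product"].lower():
                continue
            if entry["cveID"] in asset["patched_cves"]:
                continue   # already closed per change records
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "product": entry["product"],
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
                "days_overdue": (today - due).days,   # negative means not yet due
            })
    # Entries CISA ties to ransomware campaigns sort first, then by how long they have been overdue.
    findings.sort(key=lambda f: (f["ransomware_use"] != "Known", -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in audit(KEV_JSON, INVENTORY):
        print(f"{f['host']:<14} {f['cve']:<16} overdue {f['days_overdue']:>5}d  ransomware={f['ransomware_use']}")
```

KEV records carry no version information, so a hit means "this product has an exploited CVE you have no record of fixing", not "this firmware build is vulnerable"; the script is a triage queue, and each hit still has to be confirmed against the vendor advisory and the firmware actually running on the box.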
Action Plan
These seven actions address the specific techniques used by Qilin, Akira, and Play. Prioritize them in order; each step reduces your attack surface.
1. Audit VPN patch status immediately: check Fortinet, Cisco, SonicWall, Ivanti, and Citrix appliances against the CISA KEV catalog. Closes the exact vulnerabilities Qilin, Akira, and Play exploit.
2. Enforce MFA on every VPN connection, with no exceptions for service accounts or legacy clients. Blocks the credential-stuffing attacks used by Akira and Qilin. Note that MFA does not stop session-token theft such as Citrix Bleed, which is why patching comes first.
3. Enable VPN login monitoring: alert on logins from unusual geolocations, times, or devices, and on bursts of failed logins from one source. Detects compromised credentials before lateral movement begins.
4. Segment the network: isolate VPN landing zones from critical servers and domain controllers. Limits the blast radius even if the VPN is compromised.
5. Deploy EDR with 24/7 monitoring to detect Cobalt Strike, Mimikatz, and lateral-movement tooling. Catches post-exploitation activity during the 3-7 day dwell window.
6. Test backup recovery: verify backups are isolated, immutable, and restorable within your RTO. Ensures recovery without paying the ransom after encryption.
7. Evaluate ZTNA migration: replace VPN with per-application access via Cloudflare Access, Zscaler Private Access, or Microsoft Entra Private Access. Removes the internet-exposed VPN listener and the broad network access behind it; the ZTNA broker and identity provider still need patching and strong authentication, since they become the new entry point.
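Step 3 is the one most businesses can implement today with the logs they already have. The detector below is an added example for this page, not vendor code: it runs over constructed, simplified key=value events modelled on FortiGate SSL-VPN syslog (the actions ssl-login-fail and tunnel-up exist in FortiGate logs; the line layout, users, addresses and times here are invented) and raises three alerts that map directly to the Akira and Qilin entry techniques: a password spray from one source, a login from a country the user has never used, and impossible travel between two successful logins. The GeoIP table and per-user baseline are stand-ins; in production, use a real GeoIP database and build the baseline from 60-90 days of history.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data), simplified to one key=value line each.
SAMPLE_LOG = """\
2026-01-15T07:30:00 user=erin srcip=203.0.113.20 action=tunnel-up
2026-01-15T08:00:00 user=jsmith srcip=203.0.113.10 action=tunnel-up
2026-01-15T08:05:00 user=alice srcip=198.51.100.7 action=ssl-login-fail
2026-01-15T08:05:20 user=bob srcip=198.51.100.7 action=ssl-login-fail
2026-01-15T08:05:40 user=carol srcip=198.51.100.7 action=ssl-login-fail
2026-01-15T08:06:00 user=dave srcip=198.51.100.7 action=ssl-login-fail
2026-01-15T08:06:20 user=erin srcip=198.51.100.7 action=ssl-login-fail
2026-01-15T08:09:00 user=erin srcip=198.51.100.7 action=tunnel-up
"""

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
GEO = {ipaddress.ip_network("203.0.113.0/24"): "US",
       ipaddress.ip_network("198.51.100.0/24"): "RO"}

# Constructed baseline: countries each user has logged in from historically.
BASELINE = {"jsmith": {"US"}, "erin": {"US"}}

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) srcip=(?P<ip>\S+) action=(?P<action>\S+)")
FAIL_THRESHOLD, FAIL_WINDOW_S = 5, 600     # 5 failures in 10 minutes from one source
TRAVEL_WINDOW_S = 7200                      # two countries within 2 hours is not plausible travel


def country(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO.items() if addr in net), "??")


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # a real pipeline should count unparsed lines rather than drop them silently
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "ip": m["ip"],
                       "action": m["action"], "country": country(m["ip"])})
    return sorted(events, key=lambda e: e["ts"])


def detect(log, baseline=BASELINE):
    events = parse(log)
    alerts = []
    # Rule 1: brute force / password spray, counted per source IP so that a spray
    # spread across many usernames is still caught.
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "ssl-login-fail":
            fails[e["ip"]].append(e["ts"])
    for ip, times in fails.items():
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if (times[i + FAIL_THRESHOLD - 1] - times[i]).total_seconds() <= FAIL_WINDOW_S:
                alerts.append({"rule": "brute_force", "srcip": ip, "count": len(times)})
                break
    # Rules 2 and 3 look only at successful tunnels, per user, in time order.
    successes = defaultdict(list)
    for e in events:
        if e["action"] == "tunnel-up":
            successes[e["user"]].append(e)
    for user, evs in successes.items():
        for e in evs:
            # A user with no baseline alerts on every login; that is intended for brand-new accounts.
            if e["country"] not in baseline.get(user, set()):
                alerts.append({"rule": "new_country", "user": user, "country": e["country"], "srcip": e["ip"]})
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if prev["country"] != cur["country"] and gap <= TRAVEL_WINDOW_S:
                alerts.append({"rule": "impossible_travel", "user": user, "from": prev["country"],
                               "to": cur["country"], "minutes": int(gap // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the spray against five accounts from 198.51.100.7 fires first; the subsequent successful tunnel for erin from the same address then fires both the new-country and impossible-travel rules, which is the pattern to page on, since a success following a spray usually means the spray worked.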
Emergency Response
If you suspect a VPN compromise, speed is critical. The difference between a contained incident and a full ransomware deployment is often measured in hours. Do not simply patch the appliance and reconnect — the attacker has likely established persistence through additional backdoors.
1. Isolate the VPN appliance from the network immediately.
2. Reset ALL credentials, not just VPN accounts. Assume lateral movement has occurred and reset Active Directory accounts, service accounts, and API keys.
3. Engage an incident response provider to perform forensic analysis and identify the full scope of compromise.
4. Check for data exfiltration indicators: unusual outbound data transfers, new cloud storage connections, or large file archives.
5. Preserve all logs from the VPN appliance, firewall, EDR, and Active Directory for forensic analysis before rebuilding anything.
6. After containment, rebuild the VPN appliance from a known-good image at a patched firmware version, rotate any certificates and keys that were stored on the appliance, and implement MFA before reconnecting.
VPN appliances sit at the network edge with direct internet exposure, run complex software with frequent critical vulnerabilities, and often grant broad network access once compromised. Ransomware groups like Qilin, Akira, and Play specifically scan for unpatched VPN appliances because a single exploit provides the same access as a trusted employee.
Fortinet FortiGate, Cisco ASA/FTD, SonicWall firewalls (SonicOS SSL VPN), Ivanti Connect Secure, and Citrix NetScaler are the most targeted VPN products. CISA maintains a Known Exploited Vulnerabilities catalog listing actively exploited CVEs in these products. Businesses running any of these appliances should verify patch status immediately.
Qilin is a ransomware-as-a-service operation targeting healthcare and professional services through Fortinet and Citrix exploits, with ransoms up to $50 million. Akira focuses on Cisco and SonicWall VPNs, has collected over $42 million in confirmed payments, and targets SMBs. Play chains VPN exploits with Active Directory attacks for rapid domain compromise, primarily hitting businesses under 250 employees.
Orange County businesses should patch VPN appliances within 48 hours of critical CVE disclosure, enforce MFA on all VPN connections, monitor VPN logs for anomalous login patterns, and evaluate replacing traditional VPN with Zero Trust Network Access (ZTNA). Managed IT providers like BRITECITY in Irvine provide 24/7 monitoring and rapid patching for businesses across Orange County.
For most businesses, yes. ZTNA grants per-application access instead of full network access, eliminating the lateral movement that makes VPN compromises so devastating. Solutions like Cloudflare Access, Zscaler Private Access, and Microsoft Entra Private Access provide ZTNA at price points accessible to small businesses. BRITECITY helps Irvine and Orange County businesses migrate from VPN to ZTNA without disrupting operations.
Most VPN-based ransomware attacks progress from initial access to full encryption in 3-7 days. Akira averages 3-7 days of dwell time, while Qilin and Play may take slightly longer to map larger environments. Data exfiltration typically begins within 24-48 hours of initial compromise, ensuring double-extortion leverage before encryption.
Immediately isolate the VPN appliance from the network, reset all credentials (not just VPN accounts — assume lateral movement), engage an incident response provider, check for data exfiltration indicators, and preserve logs for forensic analysis. Do not simply patch and reconnect — the attacker likely established persistence through additional backdoors.
BRITECITY helps businesses across Irvine, Newport Beach, and Orange County eliminate VPN vulnerabilities through proactive patching, 24/7 monitoring, and Zero Trust migration. Find out if your remote access is secure.