VPN credential theft emerges as top ransomware entry point

According to a Beazley Security report, nearly 50 percent of ransomware attacks in Q3 2025 used stolen VPN credentials as their initial access vector.

Cyber Express reports that compromised VPN credentials are now the most common method for ransomware attackers to gain entry. In Q3 2025, nearly half of all ransomware incidents began with valid, stolen VPN logins.

The analysis, based on data from Beazley Security (the insurance arm of Beazley), reveals that threat actors are increasingly exploiting remote access tools rather than relying solely on software exploits or phishing.

Notably, VPN misuse accounted for more initial access than social engineering, supply chain attacks or remote desktop credential compromises.

One contributing factor is that many organisations do not enforce multi-factor authentication (MFA) or maintain strict access controls for VPN accounts. Cyber Express highlights that this situation underscores the ‘critical need’ for MFA and for firms to monitor for credential leaks on the dark web.

The report also mentions specific ransomware groups such as Akira, Qilin and INC, which are known to exploit compromised VPN credentials, often via brute-force attacks or credential stuffing.

From a digital-security policy standpoint, the trend has worrying implications. It shows how traditional perimeter security (like VPNs) is under pressure, and reinforces calls for zero-trust architectures, tighter access governance and proactive credential monitoring.
