In Q3 2025, Beazley Security found that 48% of ransomware incidents originated from compromised VPN credentials. Not phishing. Not software exploitation. Logging in. Corvus Insurance and Travelers backed it up: VPN credentials were the entry point in 44% of ransomware claims across full-year 2025, up from 36% in 2024.
The attacker who entered Change Healthcare’s network in February 2024 used a stolen Citrix password. No malware was introduced. No alert fired. Nine days of undetected access followed, ending with ransomware deployed across systems holding 190 million Americans’ health records. The single enabling factor, confirmed by UnitedHealth CEO Andrew Witty under congressional testimony, was no multi-factor authentication on that Citrix portal.
That is the structural problem this article is about. It is one piece of ransomware’s quantum-AI mutation — the broader shift in how ransomware groups now operate, attacking identity rather than exploiting software. Most organisations have built their security architecture around endpoint detection and antivirus — tools designed for a threat model that is no longer dominant. The fix is straightforward: enforce MFA on VPN first, then evaluate zero trust network access.
Why Is Endpoint Detection No Longer Enough to Catch Most Ransomware?
Endpoint Detection and Response tools and antivirus software work by identifying malicious software — scanning for known signatures, flagging suspicious executables, detecting anomalous process behaviour.
When an attacker uses stolen credentials to log into a VPN, none of that happens. No malicious binary executes. The attacker authenticates as a legitimate user and the VPN lets them in. MITRE ATT&CK classifies this as technique T1078 — Valid Accounts — noting that adversaries “may choose not to use malware or tools in conjunction with the legitimate access those credentials provide.”
This is not a flaw in specific EDR products. It is a structural limitation of the entire detection approach when the threat does not involve malware.
The implication is important: heavy investment in endpoint tools means building a defence with a blind spot that now covers nearly half of all ransomware entry points. EDR still has value after an attacker is inside — lateral movement may surface in telemetry if the right rules are configured — but catching post-access activity is a much harder problem than blocking access in the first place.
What Does the 48% VPN Credential Statistic Actually Tell Us?
The 48% figure means that in nearly half of ransomware incidents, the attacker did not need to exploit a vulnerability or craft a phishing email. They just logged in.
And no competing technique exceeded 8% of incidents. The concentration of risk in VPN credentials is not distributed across several vectors — it is dominant. The supply side confirms it: Rapid7’s analysis of underground forums in H2 2025 found RDP and VPN credentials as the most commonly listed access types sold by Initial Access Brokers, the criminal intermediaries who buy and resell network access to ransomware affiliates.
For anyone making security decisions, the implication is simple. The probability the attacker entered via a VPN credential is close to a coin-flip. That probability alone justifies treating VPN credential security as the top defensive priority — before additional endpoint tooling, before anything else.
How Does Credential-Based Access Work — and Why Do Security Tools Miss It?
The attack sequence does not look like a sophisticated intrusion. It looks like a supply chain.
Step 1 — Infostealer infection. An employee or contractor device is infected with an infostealer — malware like Lumma, RedLine, Vidar, or StealC — distributed via phishing, malvertised downloads, or fake browser update prompts.
Step 2 — Credential extraction. Within minutes, the infostealer extracts stored browser credentials, VPN configurations, and session cookies.
Step 3 — Underground sale. Stolen data is sold on dark web marketplaces or Telegram channels. Initial Access Brokers validate that access still works and resell it to ransomware affiliates.
Step 4 — VPN login. The affiliate logs in using the stolen credentials. From the network’s perspective: an authorised remote session. No malware. No alert.
Step 5 — Lateral movement and ransomware. The attacker has broad internal network access — a structural property of traditional VPN architecture. They escalate privileges, exfiltrate data, and deploy ransomware.
Here is the critical detail: infostealers frequently run on personal laptops and contractor devices with no corporate EDR agent. The infection never touches a monitored asset. So the attacker logs into the corporate VPN without any corporate security tool having seen the initial compromise.
Kyber ransomware’s credential-based initial access followed this same pattern, as did VECT, which was distributed via TeamPCP’s supply chain access as a credential precursor. The Change Healthcare breach in February 2024 is the clearest illustration of where this ends up.
What Happened in the Change Healthcare Breach — and What Could Have Stopped It?
On 12 February 2024, an ALPHV/BlackCat affiliate used the stolen username and password of a customer support employee to access Change Healthcare’s Citrix remote access portal. No MFA was enforced on that portal.
The attacker moved through the network undetected for nine days. By 21 February, attackers had exfiltrated data covering 190 million Americans — the largest healthcare data breach in US history. When Change Healthcare went offline, 94% of hospitals reported financial impact.
UnitedHealth paid approximately $22 million in Bitcoin to ALPHV/BlackCat. Two days later, ALPHV’s leadership exit-scammed their own affiliate and kept the payment. The affiliate took the stolen data to RansomHub, which demanded a second ransom. Patient data appeared on dark web leak sites despite the $22 million payment. Total direct response costs exceeded $2.9 billion.
Andrew Witty’s congressional testimony: “Attackers accessed the network through a Citrix portal protected only by a password. No multi-factor authentication was required.”
What would have stopped it: MFA on the Citrix portal. A stolen credential without a second factor is useless if the portal requires one. That single missing control enabled everything that followed.
How Do I Enforce MFA on Our VPN Before Anything Else?
MFA on VPN is the single highest-priority action you can take. Start here.
MFA type matters. SMS-based MFA can be defeated via SIM swapping and MFA fatigue attacks — repeated push notifications until a user accidentally approves one. An authenticator app (TOTP) is the practical minimum. Hardware FIDO2 keys are the strongest option but require procurement effort.
Audit all VPN access points first. Legacy Citrix and SonicWall portals inherited through acquisitions often sit outside standard IT review cycles. Akira targeted SonicWall SSLVPN devices specifically because of absent MFA.
Enrol all users, no exceptions. The instinct to treat certain accounts as low-risk enough to skip MFA is the instinct that produces incidents. Change Healthcare proved it with a customer support account.
Set a hard rollout deadline and hold it. A deadline that slides is not a deadline.
Watch your authentication logs. Repeated failed push approvals followed by a success signals MFA fatigue. Configure alerts for this pattern.
Dark web credential monitoring — Constella Intelligence, SpyCloud, HaveIBeenPwned Enterprise — alerts you when employee credentials appear on underground markets, giving you a window to force password resets before an attacker exploits the access.
When Is Zero Trust Network Access Worth the Investment for a Smaller Organisation?
Zero Trust Network Access (ZTNA) is a modern alternative to VPN that grants access per-application rather than per-network, and continuously verifies identity rather than trusting anyone already inside the perimeter.
The key difference from VPN is what happens when credentials are compromised. Authenticate once with VPN and you get broad internal access — the blast radius covers everything the VPN can reach. ZTNA inverts this. Access is scoped to specific applications, so a compromised credential limits rather than maximises the damage.
Sequencing matters. Enforce MFA first. ZTNA without MFA relocates the credential entry vector rather than closing it. Corvus and Travelers are direct about it: “A transition to ZTNA isn’t realistic for every organisation, especially if the organisation wants to act quickly in the face of increased VPN attacks.”
Act now on ZTNA if: you have multiple third-party contractors requiring remote access, you handle regulated health or financial data, or you are deploying new remote access infrastructure from scratch — in which case there is no reason to start with VPN.
Plan for next budget cycle if: MFA is enforced, RBAC is configured, and monitoring is in place. In this configuration, ZTNA is the correct next step, not an emergency. Budget 3–6 months for a proper migration.
SMB-accessible options include Cloudflare Access, Tailscale, Twingate, and Zscaler Private Access — all cloud-delivered, priced per-user per-month. For the broader ransomware mutation threat landscape and what that means for your security investment, see our comprehensive overview of ransomware’s quantum-AI mutation.
Frequently Asked Questions
What percentage of ransomware attacks start with stolen credentials?
Beazley Security’s Q3 2025 report found 48% of ransomware initial access originated from compromised VPN credentials. Corvus Insurance and Travelers corroborated this at 44% for full-year 2025, up from 36% in 2024. No other initial access vector exceeded 8% of incidents.
What is MITRE T1078 and why does it matter for ransomware defence?
T1078 — Valid Accounts — is MITRE ATT&CK’s formal classification for adversaries using legitimate credentials to gain access. It matters because it explains why endpoint tools do not detect this class of attack: the authentication is valid by design. Detection rules for T1078 focus on behavioural anomalies — unusual login times, impossible travel, multiple failed MFA attempts followed by success.
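As an added example (not from the article or any vendor product), the two alert patterns named in this answer and in the “Watch your authentication logs” step of the MFA rollout section, run over a constructed auth log. The log format, field names and thresholds (three denied pushes within ten minutes, 900 km/h) are assumptions for illustration:

```python
"""Detect two T1078 anomalies in VPN/MFA auth logs: MFA fatigue (denied pushes, then
an approval) and impossible travel. Log format and sample values are constructed."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
# Constructed sample log; fields: timestamp user event result latitude longitude
SAMPLE_LOG = """\
2025-09-14T08:01:10Z alice mfa_push denied 51.5 -0.1
2025-09-14T08:01:45Z alice mfa_push denied 51.5 -0.1
2025-09-14T08:02:20Z alice mfa_push denied 51.5 -0.1
2025-09-14T08:03:05Z alice mfa_push approved 51.5 -0.1
2025-09-14T09:00:00Z bob vpn_login success 40.7 -74.0
2025-09-14T09:40:00Z bob vpn_login success 55.8 37.6
2025-09-14T10:00:00Z carol mfa_push denied 48.9 2.3
2025-09-14T10:30:00Z carol mfa_push approved 48.9 2.3"""

def parse(log):
    rows = []  # one dict per log line, sorted by time for the detectors below
    for ts, user, event, result, lat, lon in (ln.split() for ln in log.splitlines()):
        rows.append(dict(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user=user,
                         event=event, result=result, lat=float(lat), lon=float(lon)))
    return sorted(rows, key=lambda r: r["ts"])

def detect_mfa_fatigue(events, min_denied=3, window=timedelta(minutes=10)):
    """Alert when a user approves a push after >= min_denied denials inside window."""
    alerts, denied = [], {}  # user -> timestamps of denials still inside the window
    for e in (e for e in events if e["event"] == "mfa_push"):
        recent = [t for t in denied.get(e["user"], []) if e["ts"] - t <= window]
        if e["result"] == "denied":
            recent.append(e["ts"])
        elif len(recent) >= min_denied:  # the approval that ends the run: alert
            alerts.append((e["user"], e["ts"], len(recent)))
        denied[e["user"]] = recent if e["result"] == "denied" else []
    return alerts

def km_between(a, b):  # great-circle (haversine) distance in km between (lat, lon) pairs
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect_impossible_travel(events, max_kmh=900):
    """Alert when consecutive successful logins imply faster-than-airliner travel."""
    alerts, last = [], {}  # user -> previous successful login
    for e in (e for e in events if e["event"] == "vpn_login" and e["result"] == "success"):
        if (p := last.get(e["user"])):
            hours = (e["ts"] - p["ts"]).total_seconds() / 3600
            dist = km_between((p["lat"], p["lon"]), (e["lat"], e["lon"]))
            if dist > max_kmh * hours:  # also catches two places at the same second
                alerts.append((e["user"], e["ts"], round(dist)))
        last[e["user"]] = e
    return alerts
```

On the sample, alice (three denials then an approval) and bob (New York to Moscow in forty minutes) are flagged; carol's single denial stays below the threshold.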
How did attackers get into Change Healthcare without setting off alarms?
Stolen Citrix portal credentials. No MFA was enforced, so the login appeared legitimate. No malware was introduced at entry. The attacker moved laterally for nine days before ransomware deployment — confirmed by UnitedHealth CEO Andrew Witty in congressional testimony.
Can ransomware get in even if we have antivirus or EDR installed?
Yes. EDR detects malicious software and suspicious process behaviour. Credential-based access does not involve malware at the entry point — the attacker logs in legitimately. EDR can still surface post-access lateral movement, but it cannot compensate for an absent authentication control at the VPN perimeter.
What are infostealers and how do stolen credentials end up in ransomware attacks?
Infostealers — Lumma, RedLine, Vidar, StealC — extract stored passwords, VPN configurations, and browser session cookies. Stolen data is sold to Initial Access Brokers on underground markets within hours of infection. IABs validate and resell access to ransomware affiliates who log into corporate VPNs without deploying any additional malware.
SMS two-factor vs. authenticator app — which actually stops ransomware entry?
SMS-based MFA can be defeated via SIM swapping and MFA fatigue. An authenticator app (TOTP) is significantly more resistant and is the minimum recommendation for most organisations. Hardware FIDO2 keys provide the strongest protection. Any MFA is better than none — but treat SMS as a transitional step, not a final position.
How fast can attackers use stolen credentials after they appear underground?
Cyfirma’s analysis found ransomware execution can occur in less than 48 hours after credentials appear in underground markets. The nine-day dwell time in the Change Healthcare case represents post-access reconnaissance, not a delay in initial entry. The window for forcing a password reset before exploitation is measured in hours.
What is an Initial Access Broker and how do they fit into a ransomware attack?
An Initial Access Broker is a criminal intermediary who acquires access to corporate networks — via stolen credentials or exploited vulnerabilities — validates it, and sells it to ransomware affiliates. Rapid7’s H2 2025 analysis found VPN and RDP credentials as the most commonly listed access types. US-based organisations account for 30.9% of all IAB listings.
How do I check if employee credentials are already circulating on dark web markets?
Dark web credential monitoring services scan underground marketplaces, stealer log repositories, and Telegram channels for your organisation’s email domains. Services like HaveIBeenPwned Enterprise, Constella Intelligence, and SpyCloud send automated alerts when matched credentials appear. An alert should trigger an immediate forced password reset and MFA review for affected accounts.
Is MFA alone enough to stop credential-based ransomware, or do we also need zero trust?
MFA on VPN closes the primary 48% entry vector. It is the single highest-impact action available. ZTNA addresses the residual risk: if an attacker obtains both factors via session cookie theft or MFA fatigue, ZTNA limits blast radius by restricting access to specific applications. Enforce MFA first, evaluate ZTNA as the architectural next step.
How do attackers move through a network after getting in through VPN?
Traditional VPN grants broad internal network access after a single authentication. Attackers use this to conduct reconnaissance, escalate privileges, exfiltrate data, and deploy ransomware. EDR can surface signals during this phase — but only if detection rules for T1078 post-access indicators have been configured.
Does paying a ransomware demand protect the organisation from data exposure?
The Change Healthcare case is the answer. UnitedHealth paid $22 million. ALPHV’s leadership exit-scammed their own affiliate and kept the payment. RansomHub then re-extorted using the same stolen data. Payment provides no contractual guarantee. The only protection is detecting the intrusion during the dwell period — before ransomware deploys, not after.