Akira Ransomware Exploits 0-Day Vulnerability in SonicWall Firewall Devices

Cybersecurity firm Arctic Wolf has identified a significant increase in ransomware attacks targeting SonicWall firewall devices in late July 2025, with evidence pointing to the exploitation of a previously unknown zero-day vulnerability.

The company’s investigation revealed multiple coordinated attacks using SonicWall SSL VPNs as the initial access point, raising serious concerns about the security of these widely deployed network devices.

Akira Ransomware Exploiting Possible 0-Day

The ransomware campaign, primarily involving the Akira ransomware group, demonstrates concerning capabilities to circumvent standard security protocols.

Arctic Wolf researchers observed that attackers successfully compromised accounts even when Time-based One-Time Password (TOTP) multi-factor authentication was enabled, suggesting the vulnerability allows bypassing traditional authentication mechanisms.

In several documented cases, fully patched SonicWall devices were compromised immediately after organizations rotated their credentials, indicating that conventional security updates were insufficient to prevent these intrusions.

The attack timeline reveals a pattern of rapid escalation, with ransomware encryption occurring within a short interval after initial SSL VPN access.

While Arctic Wolf has not definitively ruled out brute force attacks, dictionary attacks, or credential stuffing in all cases, the evidence strongly suggests the existence of a zero-day vulnerability that attackers are actively exploiting.

Key Attack Indicators:

  • Multiple pre-ransomware intrusions were observed within short time periods.
  • Compromise of fully patched SonicWall devices following credential rotation.
  • Successful account takeover despite TOTP MFA being enabled.
  • Rapid progression from initial access to ransomware deployment.
  • Campaign activity traced back to October 2024 with intensification since July 15, 2025.

Technical Analysis Reveals Coordinated Infrastructure

Arctic Wolf’s analysis uncovered distinctive patterns in the attack methodology that help differentiate malicious activity from legitimate network access.

Unlike typical VPN logins that originate from broadband internet service provider networks, the ransomware groups consistently used Virtual Private Server hosting infrastructure for authentication in compromised environments.

This tactical approach provides attackers with greater anonymity and operational flexibility.

The campaign’s roots trace back to at least October 2024, when similar malicious VPN login patterns were first observed, though the intensity significantly increased beginning July 15, 2025.

This extended timeline suggests a well-established operation that has refined its techniques over several months.

The attackers have demonstrated sophisticated knowledge of network security infrastructure, successfully targeting organizations across multiple sectors.

Suspicious Network Infrastructure:

  • AS23470 – ReliableSite.Net LLC.
  • AS215540 – Global Connectivity Solutions LLP.
  • AS64236 – UnReal Servers, LLC.
  • AS14315 – 1GSERVERS, LLC.
  • AS62240 – Clouvider Limited.

Emergency Recommendations and Defensive Measures

Given the severity of the threat, Arctic Wolf has issued urgent recommendations for organizations using SonicWall SSL VPN services.

The primary recommendation is to disable SonicWall SSL VPN functionality entirely until an official patch becomes available and can be deployed.

This drastic measure reflects the high confidence level that a zero-day vulnerability exists and is being actively exploited.

Additional protective measures include implementing comprehensive logging and monitoring through managed detection and response services, deploying endpoint detection agents, and following SonicWall’s security hardening best practices.

Organizations are also advised to review and potentially block VPN authentication attempts from specific hosting-related Autonomous System Numbers (ASNs) that have been associated with malicious activity.

Arctic Wolf has identified several suspicious ASNs, including ReliableSite.Net LLC, Global Connectivity Solutions LLP, and others that attackers have leveraged for their operations.
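The detection idea in the two passages above (VPN logins from hosting-provider ASNs rather than broadband ISPs, and blocking authentication from the ASNs Arctic Wolf listed) as a worked example. This is added code, not Arctic Wolf's or SonicWall's; the log line format, the IP-to-ASN table and the sample log are constructed for the example, and the prefixes are RFC 5737 documentation ranges that do not belong to the ASNs they are paired with.

```python
import ipaddress
import re

# ASNs named in the Arctic Wolf report, as listed in the article above.
WATCHLIST_ASNS = {23470, 215540, 64236, 14315, 62240}

# Constructed IP-to-ASN table (an assumption for this example). A real deployment
# would query an ASN database or BGP feed; these are documentation prefixes only.
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 23470),  # stands in for a hosting prefix
    (ipaddress.ip_network("203.0.113.0/24"), 62240),   # stands in for a hosting prefix
    (ipaddress.ip_network("192.0.2.0/24"), 64496),     # stands in for a broadband ISP
]

# Constructed log format (not SonicWall's real syslog schema):
#   <ISO-8601 time> user=<name> src=<ip> event=<login_success|login_failure>
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")


def lookup_asn(ip_str):
    """Return the ASN of the first table prefix containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn in ASN_TABLE:
        if ip in net:
            return asn
    return None


def flag_logins(lines):
    """Return (timestamp, user, src, asn) for each successful SSL VPN login
    whose source address maps to a watch-listed hosting ASN."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["event"] != "login_success":
            continue
        asn = lookup_asn(m["src"])
        if asn in WATCHLIST_ASNS:
            hits.append((m["ts"], m["user"], m["src"], asn))
    return hits


# Constructed sample log lines for a dry run.
SAMPLE_LOG = [
    "2025-07-16T02:11:05Z user=jsmith src=192.0.2.44 event=login_success",
    "2025-07-16T02:13:40Z user=svc-backup src=198.51.100.7 event=login_success",
    "2025-07-16T02:14:02Z user=svc-backup src=198.51.100.7 event=login_failure",
    "2025-07-16T03:02:19Z user=admin src=203.0.113.21 event=login_success",
]

if __name__ == "__main__":
    for ts, user, src, asn in flag_logins(SAMPLE_LOG):
        print(f"{ts} ALERT user={user} src={src} AS{asn} (hosting ASN on watch-list)")
```

The same ASN lookup can feed a deny rule on the VPN policy, but a login from a broadband ASN (jsmith above) is not cleared by this check alone, since the report does not rule out credential stuffing.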

The company continues its investigation and has committed to sharing additional findings as they become available, emphasizing the evolving nature of this significant cybersecurity threat.
