A new wave of cyberattacks targeting organizations using SonicWall firewalls has been actively deploying Akira ransomware since late July 2025.
Security researchers at Arctic Wolf Labs detected a surge in this activity, which remains ongoing. The threat actors gain initial access through malicious SSL VPN logins, authenticate successfully even against accounts protected by multi-factor authentication (MFA), and then move to encrypt data within hours.
The campaign appears to be an opportunistic mass exploitation, affecting victims across various sectors. The initial point of entry is a malicious login to a SonicWall SSL VPN, often originating from Virtual Private Server (VPS) hosting providers instead of typical corporate networks.
Alarmingly, attackers have successfully authenticated against accounts protected with SonicWall’s One-Time Password (OTP) MFA feature.
SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024.

The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched.
This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.
Once inside a network, the attackers operate with remarkable speed. The interval from initial access to ransomware deployment (which Arctic Wolf describes as "dwell time", although that term more commonly refers to the time an intruder goes undetected) is often measured in hours, with some intrusions taking as little as 55 minutes, Arctic Wolf said. This extremely short window for response makes early detection critical.
Attack Sequence
Attackers use compromised credentials to log into SonicWall SSL VPNs, bypassing OTP MFA. Within minutes of logging in, attackers begin internal network scanning for open ports like SMB (445), RPC (135), and SQL (1433). They use tools like Impacket, SoftPerfect Network Scanner, and Advanced IP Scanner for discovery and lateral movement.
The threat actors create new administrator accounts, escalate privileges for existing accounts, and install remote management tools like AnyDesk, TeamViewer, and RustDesk to maintain access. They also establish persistence using SSH reverse tunnels and Cloudflare Tunnels.
To operate undetected, attackers attempt to disable endpoint security products like Windows Defender and other EDR solutions. They use a “bring-your-own-vulnerable-driver” (BYOVD) technique to tamper with security software at the kernel level and delete Volume Shadow Copies to prevent system restoration.
Before encryption, attackers steal sensitive data. They package files using WinRAR and exfiltrate them with tools like rclone and FileZilla. Finally, they deploy the Akira ransomware (using executables named akira.exe or locker.exe) to encrypt network drives and demand a ransom.

Arctic Wolf recommends that organizations using SonicWall devices take immediate action. The most critical step is to reset all SSL VPN credentials, including related Active Directory accounts, especially if the devices have ever run firmware vulnerable to CVE-2024-40766. Patching alone is insufficient if credentials have already been compromised.
Organizations should also monitor for successful SSL VPN logins originating from VPS or hosting-provider address space, and look for anomalous SMB activity indicative of Impacket use, such as a freshly connected VPN client fanning out to many internal hosts on ports 445, 135 and 1433 within minutes of logging in.
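The two detection signals above (a VPN login from hosting-provider address space, and a VPN client scanning SMB/RPC/SQL ports shortly after login, as described in the Attack Sequence section) can be checked against authentication and flow logs with a small script. The example below is added here and is not code from Arctic Wolf or SonicWall. The log lines, the hosting-provider prefixes, the assigned-client-IP field and the thresholds are all constructed for illustration; the record format is a simplified stand-in, not SonicWall's real syslog schema.

```python
"""Added example: correlate SSL VPN logins with post-login port fan-out.

Everything below is constructed sample data. A production version would
take the hosting-provider list from an ASN/threat-intel feed and the
records from the firewall's syslog and NetFlow exports.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: RFC 5737 documentation ranges stand in for VPS provider prefixes.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24",
                                                      "198.51.100.0/24")]

# Ports the article names as the first scanning targets: SMB, RPC, MSSQL.
SCAN_PORTS = (445, 135, 1433)

# Constructed SSL VPN authentication events:
# (timestamp, user, source_ip, assigned_vpn_client_ip)
VPN_LOGINS = [
    ("2025-07-30T02:14:05", "jsmith", "203.0.113.45", "10.10.50.21"),  # VPS source
    ("2025-07-30T08:02:11", "akumar", "192.0.2.77",   "10.10.50.22"),  # not VPS
]

# Constructed internal flow records: (timestamp, src_ip, dst_ip, dst_port).
# jsmith's VPN client touches 12 distinct hosts on 445/135/1433 within two
# minutes of login; akumar's client talks to one file server twice.
FLOWS = [
    (f"2025-07-30T02:{16 + i // 10:02d}:{(i * 7) % 60:02d}",
     "10.10.50.21", f"10.10.20.{i + 1}", port)
    for i, port in enumerate([445, 135, 1433] * 4)
] + [
    ("2025-07-30T08:05:00", "10.10.50.22", "10.10.20.5", 445),
    ("2025-07-30T08:06:00", "10.10.50.22", "10.10.20.5", 445),
]


def is_hosting_ip(ip: str) -> bool:
    """True if the address falls inside a known hosting-provider prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)


def vps_logins(logins=VPN_LOGINS):
    """Signal 1: successful VPN logins whose source is a VPS/hosting range."""
    return [(user, src) for _, user, src, _ in logins if is_hosting_ip(src)]


def scan_after_login(logins=VPN_LOGINS, flows=FLOWS,
                     window=timedelta(minutes=10), min_hosts=8,
                     ports=SCAN_PORTS):
    """Signal 2: VPN client contacting >= min_hosts distinct internal hosts on
    scanning ports within `window` of its login. Returns (user, client, count)."""
    alerts = []
    for ts, user, _, client_ip in logins:
        start = datetime.fromisoformat(ts)
        targets = {
            dst for fts, src, dst, port in flows
            if src == client_ip and port in ports
            and start <= datetime.fromisoformat(fts) <= start + window
        }
        if len(targets) >= min_hosts:
            alerts.append((user, client_ip, len(targets)))
    return alerts


def triage(logins=VPN_LOGINS, flows=FLOWS):
    """Users for whom both signals fire: the highest-priority cases to
    disconnect and investigate, given the sub-hour time to encryption."""
    from_vps = {user for user, _ in vps_logins(logins)}
    scanning = {user for user, _, _ in scan_after_login(logins, flows)}
    return sorted(from_vps & scanning)


if __name__ == "__main__":
    print("VPS logins:", vps_logins())
    print("Post-login scans:", scan_after_login())
    print("Both signals:", triage())
```

The fan-out count is only a proxy for Impacket; confirming its use means looking at the SMB session itself (for example, service creation or named-pipe activity that Impacket's remote-execution scripts generate on the target). Tune `min_hosts` and `window` to the environment, since backup agents and vulnerability scanners also touch many hosts on port 445.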