The Akira ransomware group has begun weaponizing vulnerabilities in SonicWall SSL VPN devices, turning merger-and-acquisition (M&A) processes into high-speed launchpads for cyberattacks.
This trend exposes dangerous blind spots for businesses acquiring smaller companies, as inherited SonicWall devices often serve as easy entry points for attackers.
How Akira Ransomware Targets M&A Environments
During mergers and acquisitions, acquiring companies often inherit IT infrastructure with outdated security practices.
Akira operators exploit these weaknesses, swiftly exfiltrating sensitive data and deploying ransomware.
According to ReliaQuest, in recent incidents analyzed between June and October 2025, attackers gained initial access to larger enterprise networks using SonicWall SSL VPN appliances left over from smaller, acquired companies.
Once inside, Akira’s operators seek out privileged credentials, many of which are carried over during the M&A transition.
These credentials, usually unknown to the acquiring business and left unmonitored, provide rapid access to vital systems.
In some cases, attackers moved from initial compromise to a domain controller in just five hours, well before defenders could respond.
Small- and medium-sized businesses value SonicWall SSL VPNs for their affordability and ease of use. However, these benefits come with risks:
- Widespread deployment: Popular among smaller firms, SonicWall devices often end up in environments acquired during M&A.
- Default configurations: Many appliances operate with unchanged passwords, legacy admin accounts, and outdated settings.
- Unpatched vulnerabilities: Hasty deployments and resource constraints often lead to patching being overlooked.
- Exposed features: Remote access tools are sometimes accessible from the internet, leaving sensitive systems unprotected.
These factors make SonicWall devices reliable entry points for ransomware groups looking to exploit inherited security weaknesses.
Once Akira operators compromise a SonicWall device, they rapidly scan for high-value hosts.
Predictable naming conventions inherited from the acquired business make it easy for attackers to locate targets such as domain controllers and file servers.
In several cases, attackers exfiltrated data within minutes of gaining access, then moved laterally to deploy ransomware within an hour.
One particular weakness was inconsistent endpoint protection. Inherited networks frequently lacked modern EDR (Endpoint Detection and Response) solutions or had disabled protection.
Akira operators exploited these gaps by using DLL sideloading to disable defenses before encrypting systems.
The rapid adoption of SonicWall devices in smaller companies, paired with inherited security debt, creates complex risks during M&A:
- Stale credentials: Old admin accounts from managed service providers remain active and unmonitored post-acquisition.
- Missing inventories: Not all assets are tracked during integration, giving attackers places to hide.
- Mix-and-match security: Different security tools and protocols can leave gaps, which attackers exploit to move unobstructed.
Without rigorous asset discovery and credential hygiene, defenders are left vulnerable, with inherited weaknesses exposing the entire organization.
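The stale-credential and missing-inventory checks described above can be run as a first-pass audit. The sketch below is an added example, not code from ReliaQuest or the article. The account export, host names, owner list and 90-day password-age threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample: account export from the acquired company's directory.
ACCOUNTS_CSV = """account,privileged,last_password_change,owner
svc-backup,yes,2021-03-14,
msp-admin,yes,2020-11-02,Former MSP
jdoe,no,2025-08-01,J. Doe
da-newadmin,yes,2025-09-20,Integration team
"""

# Constructed sample: hosts seen on the inherited network vs. tracked assets.
DISCOVERED_HOSTS = {"dc01", "fs01", "vpn-gw", "hr-app"}
INVENTORY = {"dc01", "fs01"}


def stale_privileged(csv_text, today, known_owners, max_age_days=90):
    """Flag privileged accounts with an old password or no current owner."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["privileged"].strip().lower() != "yes":
            continue
        changed = date.fromisoformat(row["last_password_change"])
        age = (today - changed).days
        reasons = []
        if age > max_age_days:  # assumed threshold, tune to local policy
            reasons.append(f"password {age} days old")
        if row["owner"].strip() not in known_owners:
            reasons.append("no current owner")
        if reasons:
            findings.append((row["account"], reasons))
    return findings


def untracked_hosts(discovered, inventory):
    """Hosts present on the inherited network but absent from inventory."""
    return sorted(discovered - inventory)


if __name__ == "__main__":
    owners = {"Integration team"}
    for account, reasons in stale_privileged(ACCOUNTS_CSV, date(2025, 10, 31), owners):
        print(f"REVIEW {account}: {', '.join(reasons)}")
    for host in untracked_hosts(DISCOVERED_HOSTS, INVENTORY):
        print(f"UNTRACKED {host}")
```

Accounts flagged here are candidates for disabling or credential rotation before the inherited network is connected to the parent environment.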
With fast-moving ransomware like Akira, early action is key to preventing devastating breaches and protecting sensitive data.
