A wave of attacks on SonicWall SSL VPN appliances appears to exploit an unpatched, possibly zero-day, vulnerability to deploy Akira ransomware.

A recent wave of Akira ransomware attacks has drawn renewed attention to the security of SonicWall SSL VPN appliances, with evidence suggesting that cybercriminals are leveraging a likely zero-day vulnerability, or advanced credential-abuse techniques, to compromise even fully patched devices.

Overview of Akira Ransomware Activity

Since July 2025, cybersecurity researchers have observed a significant escalation in Akira ransomware incidents specifically targeting organizations using SonicWall firewall and SSL VPN appliances. Notably, both outdated and fully updated devices have been breached, indicating attackers may be taking advantage of undisclosed vulnerabilities or sophisticated credential abuse that bypasses existing protections.

A majority of these intrusions have been associated with the critical SonicOS vulnerability tracked as CVE-2024-40766. This improper access control flaw allows unauthorized access to protected resources via SonicWall devices. Although SonicWall released patches in August 2024, several organizations that had applied all known updates still reported compromises, raising concerns of a zero-day exploit or unidentified attack pathway.

Attack Techniques and Observations

  • Entry Method: Initial access was routinely gained through unauthorized use of the VPN service. Attack origins were frequently traced to cloud hosting or VPS infrastructure, potentially masking the attackers’ true locations.
  • Ransomware Deployment: Once internal access was obtained, threat actors often deployed ransomware rapidly—typically within two hours—to maximize damage before detection or response.
  • Prevalence: Akira ransomware was implicated in approximately 75% of the observed SonicWall attacks; the remainder were attributed to Fog ransomware.
  • Data Theft: Concurrent with file encryption, attackers actively exfiltrated data, sometimes targeting up to 30 months’ worth of sensitive records. Critical business folders were prioritized for theft.
  • Weak Authentication: Many intrusions appeared to occur via compromised credentials. In the investigated cases, the affected VPN accounts did not use multi-factor authentication (MFA), leaving them exposed to credential theft, credential reuse and brute-force attacks.
  • Industry Spread: The attacks were opportunistic, impacting organizations across a wide range of sectors rather than focusing on any single industry.

Recommended Defensive Measures

  • Patch Immediately: All organizations with SonicWall VPN appliances should ensure they have applied the latest firmware updates, including those addressing CVE-2024-40766. Patching does not invalidate credentials that were harvested before the fix was applied, so reset the passwords of local VPN and administrative accounts after updating.
  • Access Controls: Limit management and SSL VPN access to trusted IP addresses and consider disabling remote access portals when not in use.
  • Continuous Monitoring: Monitor VPN logs closely for unusual login patterns, particularly logins from cloud or VPS infrastructure IP addresses, successful logins that follow bursts of failures, several accounts authenticating from one source address, and logins outside normal working hours, and watch for early indicators of ransomware activity.
  • Credential Management: Enforce strong, unique passwords for all remote access and mandate MFA wherever technically possible.
  • Backup Strategy: Maintain offline, regularly tested backups of critical data to enable recovery in the event of ransomware deployment.
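The monitoring advice above can be turned into a first-pass triage script. The following Python is an added example, not tooling from the article or from SonicWall: it parses constructed SSL VPN login events (loosely modelled on key=value syslog fields, not an exact SonicOS format) and flags successful logins that come from assumed cloud/VPS ranges, fall outside assumed business hours, use accounts assumed to lack MFA, share a source address with other accounts, or follow repeated failures from the same address.

```python
"""Triage SSL VPN login events for the warning signs described above.

Added example, not the article's own tooling. The log lines are constructed
and only loosely modelled on SonicOS key=value syslog fields; the hosting
CIDRs, the no-MFA account list and the business hours are assumptions
standing in for data you would pull from your own environment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Real exports will carry more fields.
SAMPLE_LOGS = [
    'time="2025-08-01 02:14:07" msg="SSL VPN login successful" usr="jdoe" src=203.0.113.10',
    'time="2025-08-01 02:15:31" msg="SSL VPN login successful" usr="svc-backup" src=203.0.113.10',
    'time="2025-08-01 09:02:11" msg="SSL VPN login successful" usr="asmith" src=198.51.100.25',
    'time="2025-08-01 23:40:59" msg="SSL VPN login failed" usr="admin" src=203.0.113.77',
    'time="2025-08-01 23:41:03" msg="SSL VPN login failed" usr="admin" src=203.0.113.77',
    'time="2025-08-01 23:41:08" msg="SSL VPN login successful" usr="admin" src=203.0.113.77',
]

# Assumed: ranges belonging to cloud/VPS providers (feed from an ASN/CIDR list).
HOSTING_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: accounts your IdP or firewall reports as lacking MFA.
NO_MFA_ACCOUNTS = {"svc-backup", "admin"}
# Assumed: 07:00-19:59 local time counts as business hours.
BUSINESS_HOURS = range(7, 20)

# key=value pairs, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Return a dict of the line's key=value fields, quotes stripped."""
    ev = {}
    for m in KV_RE.finditer(line):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    ev["ip"] = ev["src"].split(":")[0]  # drop a trailing :port if present
    ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def is_hosting(ip):
    """True if the address falls in an assumed cloud/VPS range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_CIDRS)


def triage(lines):
    """Return {username: [reasons]} for successful logins worth a closer look."""
    events = [parse_event(line) for line in lines]
    users_per_ip = defaultdict(set)
    failures_per_ip = defaultdict(int)
    for ev in events:
        if "successful" in ev["msg"]:
            users_per_ip[ev["ip"]].add(ev["usr"])
        else:
            failures_per_ip[ev["ip"]] += 1

    findings = defaultdict(list)
    for ev in events:
        if "successful" not in ev["msg"]:
            continue
        reasons = []
        if is_hosting(ev["ip"]):
            reasons.append("source in cloud/VPS range")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if ev["usr"] in NO_MFA_ACCOUNTS:
            reasons.append("account has no MFA")
        if len(users_per_ip[ev["ip"]]) > 1:
            reasons.append("multiple accounts from one source IP")
        if failures_per_ip[ev["ip"]] >= 2:
            reasons.append("success preceded by repeated failures (brute force?)")
        if reasons:
            findings[ev["usr"]].extend(reasons)
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_LOGS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The daytime login by asmith from a non-hosting address produces no finding, while the admin login is flagged on four counts, which is the kind of event that should page someone rather than wait for a weekly review given the two-hour window between access and encryption reported above.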
