    Akira Ransomware Targets SonicWall VPNs in Likely Zero-Day Attacks

    Pierluigi Paganini
    August 03, 2025

    Understanding the Threat of Akira Ransomware

    In a significant cybersecurity development, Arctic Wolf Labs researchers have reported that Akira ransomware is exploiting SonicWall SSL VPNs, with indications that these may be zero-day attacks. The alarming detail is that attackers are breaching even fully patched devices, which raises questions about the robustness of existing security measures.

    The surge in ransomware activity targeting SonicWall SSL VPNs became apparent around July 15, 2025. Notably, this isn’t an isolated incident; previous attacks can be traced back to October 2024. During this period, numerous organizations experienced intrusions facilitated through VPN access, leading to serious concerns about the integrity of remote work environments.

    What is Akira Ransomware?

    Emerging on the cyber scene in March 2023, Akira ransomware has since plagued numerous sectors, including education, finance, and real estate. With attacks leveraging various tactics, including a recently developed Linux encryptor designed explicitly to target VMware ESXi servers, Akira’s versatility makes it particularly menacing.

    According to Arctic Wolf Labs, the evidence points to a potential zero-day vulnerability in SonicWall VPNs. Their report shows that fully patched devices were still breached, often despite Multi-Factor Authentication (MFA) being enabled and credentials being rotated. This poses a critical question: how are attackers gaining access to these systems?

    Methods of Attack

    While some instances can still be attributed to traditional attack vectors—such as brute-force attempts, dictionary attacks, and credential stuffing—the evidence strongly suggests a zero-day vulnerability is at play. One particularly striking observation by Arctic Wolf researchers is that attackers frequently log in from Virtual Private Servers (VPS), an anomaly compared with legitimate access, which usually originates from networks operated by broadband internet service providers. The short interval between initial access and encryption underscores the efficiency and ruthlessness of these attackers.

    This use of VPS logins serves as a critical red flag, differentiating between legitimate and malicious access attempts. Organizations are advised to remain vigilant and scrutinize login sources closely to stem potential breaches.

    Recommended Mitigations

    In light of these breaches, Arctic Wolf Labs has made several recommendations for organizations looking to bolster their defenses against this growing threat. They recommend disabling SonicWall SSL VPN services until a robust patch is made available and deployed. While this action might seem drastic, given the compelling evidence of vulnerabilities, it may be necessary to prevent further compromises.

    SonicWall has also issued guidance directing users to implement vital security services, such as Botnet Protection, and to enforce MFA for all remote access scenarios. Removing unnecessary firewall accounts and conducting regular updates of passwords are further steps organizations can take. However, it’s important to note that while these measures can enhance security, they may not completely eliminate the threat.

    Organizations are also encouraged to consider blocking VPN authentications from hosting-related Autonomous System Numbers (ASNs). This could mitigate risk from malicious logins but may simultaneously disrupt legitimate operations, creating a challenging balancing act for security teams.
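The VPS-login red flag described under "Methods of Attack" and the hosting-ASN blocking suggested above both reduce to the same question: which successful VPN logins come from hosting address space rather than from a residential ISP? The following script is an added example, not code from the article or from Arctic Wolf or SonicWall. It parses a constructed, simplified VPN authentication log (the line format is invented for this example and is not SonicWall's real log format), classifies each source IP against a constructed prefix-to-ASN table (documentation IP ranges and private ASNs, not real allocations; in practice this would be an ASN or GeoIP database), flags successful logins from hosting ASNs, lists users whose login source shifted from ISP space to hosting space, and produces the candidate ASN list a team would review before blocking.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ASN table: (prefix, ASN, organisation, category).
# These are placeholder values for the example, not real allocations.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "ExampleHost Cloud", "hosting"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "ExampleVPS Ltd", "hosting"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "Example Broadband ISP", "isp"),
]

# Constructed log format (hypothetical, not SonicWall's syslog layout).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: two users log in from hosting space, one from ISP
# space only, and one user (jdoe) moves from ISP space to a VPS.
SAMPLE_LOG = """\
2025-07-15T02:11:03Z user=jdoe src=192.0.2.45 result=success
2025-07-15T02:14:51Z user=jdoe src=203.0.113.77 result=success
2025-07-15T02:15:02Z user=msmith src=198.51.100.9 result=failure
2025-07-15T02:16:40Z user=msmith src=198.51.100.9 result=success
2025-07-15T03:01:12Z user=akim src=192.0.2.200 result=success
"""


@dataclass
class Login:
    ts: str
    user: str
    src: str
    result: str
    asn: Optional[int]
    org: str
    category: str


def lookup_asn(ip_str: str) -> Tuple[Optional[int], str, str]:
    """Longest-match style lookup against the constructed prefix table."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn, org, category in ASN_TABLE:
        if ip in net:
            return asn, org, category
    return None, "unknown", "unknown"


def parse_log(lines) -> List[Login]:
    """Parse log lines into Login records, enriching each with ASN data."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected layout
        asn, org, category = lookup_asn(m["src"])
        events.append(Login(m["ts"], m["user"], m["src"], m["result"], asn, org, category))
    return events


def flag_hosting_logins(events: List[Login]) -> List[Login]:
    """Successful logins originating from hosting/VPS address space."""
    return [e for e in events if e.result == "success" and e.category == "hosting"]


def users_with_source_shift(events: List[Login]) -> List[str]:
    """Users with successful logins from both ISP and hosting space."""
    seen = {}
    for e in events:
        if e.result == "success":
            seen.setdefault(e.user, set()).add(e.category)
    return sorted(u for u, cats in seen.items() if {"isp", "hosting"} <= cats)


def hosting_asns_to_block(events: List[Login]) -> List[int]:
    """Candidate hosting ASNs observed in successful logins, for review."""
    return sorted({e.asn for e in flag_hosting_logins(events) if e.asn is not None})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for e in flag_hosting_logins(evs):
        print(f"ALERT {e.ts} {e.user} from {e.src} (AS{e.asn} {e.org})")
    print("source shift:", users_with_source_shift(evs))
    print("candidate ASNs to block:", hosting_asns_to_block(evs))
```

The ASN candidate list is deliberately returned for review rather than applied automatically: as the article notes, blocking hosting ASNs outright can disrupt legitimate access, for example staff connecting through a corporate cloud-hosted gateway, so the output belongs in a ticket or allow-list review, not directly in a firewall rule.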

    The Ripple Effect

    The implications of these attacks extend beyond immediate organizational concerns; they pose questions about the security landscape as a whole. As ransomware groups evolve, they continuously exploit emerging vulnerabilities. The Akira ransomware situation exemplifies the cat-and-mouse game between threat actors and cybersecurity measures. Only through persistent vigilance and proactive defense strategies can organizations hope to navigate this ever-evolving threat landscape effectively.

    For those eager to stay informed about such developments, follow updates on Twitter: @securityaffairs, and on platforms like Facebook and Mastodon.

    Stay proactive, stay informed!

    Pierluigi Paganini

    (SecurityAffairs – hacking, Akira ransomware)
