
A dangerous surge of Akira ransomware attacks is targeting SonicWall firewall appliances, with cybersecurity firm Arctic Wolf observing a sharp increase in intrusions since mid-July. The attacks potentially leverage an unidentified zero-day vulnerability in SonicWall's SSL VPN services, though credential-based attacks (brute force, credential stuffing) have not been ruled out.

The Akira Threat Landscape

Since emerging in March 2023, Akira ransomware has compromised over 300 organizations globally, including high-profile victims like Nissan, Hitachi, and Stanford University. The FBI confirms the gang has extorted over $42 million from more than 250 victims as of April 2024.

"While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases," cautioned Arctic Wolf researchers.

Attack Patterns and Tactics

Intrusions begin with unauthorized SSL VPN access, followed by alarmingly rapid deployment of ransomware—sometimes within hours. This pattern matches activity observed since October 2024, indicating a sustained campaign. Notably, attackers used virtual private servers (VPS) for VPN authentication, unlike legitimate connections that typically originate from residential ISPs.

Critical Mitigation Strategies

With evidence suggesting active exploitation of an unpatched vulnerability, Arctic Wolf advises:
1. Immediately disable SonicWall SSL VPN services
2. Enhance VPN authentication logging and endpoint monitoring
3. Block VPN access from hosting provider IP ranges
4. Hunt for indicators of compromise (IoCs) across all network segments
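As an added example (not from Arctic Wolf or SonicWall), the script below applies steps 2 and 3 to SSL VPN authentication logs: it flags successful logins whose source address falls inside a hosting-provider range, matching the VPS-origin pattern described above, and tallies failed attempts per source for brute-force triage. The log format, the sample events and the CIDR ranges are all constructed for this example; a real appliance export has different field names and the range list should come from the ASN or hosting-provider feed your organisation already uses.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder CIDRs standing in for hosting-provider allocations
# (IETF documentation ranges, not any real provider's space).
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed, simplified SSL VPN authentication line format used only for this
# example; a real appliance export has different field names and must be mapped.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) sslvpn: user="(?P<user>[^"]+)" src=(?P<src>[\d.]+) result=(?P<result>\w+)$'
)

# Constructed sample events: two successful logins from the placeholder hosting
# ranges, one from an address outside them, and one failed attempt.
SAMPLE_LOGS = [
    '2025-07-20T02:14:07Z sslvpn: user="jsmith" src=203.0.113.45 result=success',
    '2025-07-20T02:15:02Z sslvpn: user="jsmith" src=203.0.113.45 result=failure',
    '2025-07-20T08:30:11Z sslvpn: user="amiller" src=192.0.2.17 result=success',
    '2025-07-20T09:01:55Z sslvpn: user="bwong" src=198.51.100.9 result=success',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def is_hosting_ip(ip):
    """True when the address falls inside any configured hosting-provider range."""
    return any(ip in net for net in HOSTING_RANGES)


def flag_hosting_logins(lines):
    """Return successful SSL VPN logins whose source is a hosting-provider range."""
    return [ev for ev in map(parse_line, lines)
            if ev and ev["result"] == "success" and is_hosting_ip(ev["src"])]


def failures_by_source(lines):
    """Count failed authentications per source address (brute-force triage)."""
    return Counter(str(ev["src"]) for ev in map(parse_line, lines)
                   if ev and ev["result"] == "failure")


if __name__ == "__main__":
    for ev in flag_hosting_logins(SAMPLE_LOGS):
        print(f'{ev["ts"]} {ev["user"]} from {ev["src"]} (hosting-provider range)')
    print(failures_by_source(SAMPLE_LOGS))
```

Running the block on the sample events reports the two logins from the placeholder hosting ranges and one failed attempt from 203.0.113.45, while the login from 192.0.2.17 is left alone.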

This warning follows SonicWall's recent alert about CVE-2025-40599—a critical flaw in SMA 100 appliances requiring urgent patching. Though unrelated to the current Akira campaign, it highlights attackers' focus on SonicWall infrastructure. Google's Threat Intelligence Group also reported credential-based attacks deploying the OVERSTEP rootkit against SMA 100 devices.

As investigations continue, the convergence of ransomware sophistication and potential zero-day exploitation underscores the fragility of perimeter defenses. Until patches emerge, organizations must assume their SonicWall firewalls are vulnerable entry points and implement aggressive containment measures.