Akira Ransomware Targets SonicWall VPNs in Likely Zero-Day Attacks
A recent report from Arctic Wolf Labs has revealed that the Akira ransomware group is exploiting a likely zero-day vulnerability in SonicWall SSL VPNs to target fully patched devices. This sophisticated attack highlights the evolving nature of cybersecurity threats and the importance of staying vigilant against even the most seemingly secure systems.
In late July 2025, Arctic Wolf Labs observed multiple intrusions via VPN access, with evidence suggesting a likely zero-day vulnerability in SonicWall VPNs. The attackers were able to bypass security measures, including multi-factor authentication (MFA) and rotated credentials, leaving many organizations vulnerable to exploitation.
The report states that while credential access through brute force, dictionary attacks, and credential stuffing has not yet been definitively ruled out, the available evidence points to the existence of a zero-day vulnerability. This means that even fully patched SonicWall devices were affected in some cases, highlighting the critical need for organizations to stay up-to-date with security patches.
Ransomware activity targeting SonicWall SSL VPNs has surged since July 15, 2025, with similar cases dating back to October 2024. The attackers often use Virtual Private Server (VPS) hosting for VPN logins, unlike legitimate access from ISPs, making it difficult for organizations to detect and block these malicious attempts.
Arctic Wolf observed short delays between access and encryption, which is a common tactic used by ransomware groups to create a sense of urgency and panic among their victims. To mitigate this threat, the researchers recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.
Recommended Defenses
SonicWall advises enforcing MFA for all remote access, removing unused firewall accounts, and implementing regular password updates. Organizations should also consider blocking VPN authentication from hosting-related Autonomous System Numbers (ASNs) to limit exposure to malicious VPN logins.
These steps can help improve security but may not fully prevent the described threat. It is essential for organizations to stay vigilant and adapt their cybersecurity strategies to address emerging threats like Akira ransomware.
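The ASN-based control above is easier to reason about with a concrete detection pass. The following Python is an added example, not code from Arctic Wolf or SonicWall: it parses a handful of constructed VPN login events (the log format and field names are assumptions, not SonicWall's real schema), maps each source address to an ASN through a constructed prefix table (RFC 5737 documentation ranges and private ASNs, so none of it identifies a real operator), and flags successful logins that originate from hosting or VPS ranges. A second helper surfaces users who appear from both a residential ISP and a hosting range in the same window, which is the pattern the report describes and a sensible triage priority.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ASN table for the example. The prefixes are RFC 5737
# documentation ranges and the ASNs are private-use numbers, so nothing
# here maps to a real operator; a production version would consult an
# ASN/GeoIP database instead of a hand-written list.
ASN_TABLE: List[Tuple[ipaddress.IPv4Network, int, str, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), 64496, "Example VPS Hosting", "hosting"),
    (ipaddress.ip_network("198.51.100.0/24"), 64497, "Example Cloud Compute", "hosting"),
    (ipaddress.ip_network("192.0.2.0/24"), 64498, "Example Residential ISP", "isp"),
]

# Hypothetical syslog-style VPN login event. The field names are an
# assumption for this example, not the vendor's actual log schema.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+'
    r'user="(?P<user>[^"]+)"\s+src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+'
    r'msg="(?P<msg>[^"]+)"$'
)

# Constructed sample events: two broadband logins, two successful logins
# from hosting ranges, and one failed attempt from a hosting range.
SAMPLE_LOG = """\
2025-07-20T08:01:12Z user="alice" src=192.0.2.10 msg="SSL VPN login successful"
2025-07-20T08:03:44Z user="bob" src=192.0.2.77 msg="SSL VPN login successful"
2025-07-20T22:17:05Z user="alice" src=203.0.113.55 msg="SSL VPN login successful"
2025-07-20T22:18:30Z user="svc-backup" src=198.51.100.9 msg="SSL VPN login successful"
2025-07-20T22:19:01Z user="mallory" src=203.0.113.56 msg="SSL VPN login failed"
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    src: str
    asn: int
    org: str


def lookup_asn(ip: str) -> Optional[Tuple[int, str, str]]:
    """Return (asn, org, category) for the first matching prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for net, asn, org, category in ASN_TABLE:
        if addr in net:
            return asn, org, category
    return None


def _successful_logins(log_text: str):
    """Yield regex matches for successful login events only.

    Failed attempts are ignored: the goal is to surface sessions that were
    actually established, which is where the access-to-encryption clock starts.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "successful" in m.group("msg"):
            yield m


def hosting_logins(log_text: str, blocked_categories=("hosting",)) -> List[Finding]:
    """Flag successful VPN logins whose source falls in a hosting/VPS ASN."""
    findings: List[Finding] = []
    for m in _successful_logins(log_text):
        hit = lookup_asn(m.group("src"))
        if hit is None:
            continue
        asn, org, category = hit
        if category in blocked_categories:
            findings.append(Finding(m.group("ts"), m.group("user"), m.group("src"), asn, org))
    return findings


def users_with_mixed_origins(log_text: str) -> List[str]:
    """Users seen from both an ISP range and a hosting range in the window.

    A known user suddenly arriving from a VPS range, rather than an unknown
    account, is the pattern worth reviewing first.
    """
    seen = {}
    for m in _successful_logins(log_text):
        hit = lookup_asn(m.group("src"))
        if hit:
            seen.setdefault(m.group("user"), set()).add(hit[2])
    return sorted(u for u, cats in seen.items() if {"isp", "hosting"} <= cats)


if __name__ == "__main__":
    for f in hosting_logins(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} from {f.src} (AS{f.asn} {f.org})")
    print("users seen from both ISP and hosting ranges:", users_with_mixed_origins(SAMPLE_LOG))
```

Run against the constructed sample, the first function returns the two successful hosting-range logins (alice and svc-backup) and ignores mallory's failed attempt; the second returns only alice, whose account appears from both a residential and a hosting range. The same structure works as a pre-authentication block list on the firewall side if the category lookup is moved in front of the VPN policy rather than run over logs after the fact.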
A Brief History of Akira Ransomware
The Akira ransomware group has been active since March 2023, with a history of targeting multiple organizations in various industries, including education, finance, and real estate. The group has also developed a Linux encryptor to target VMware ESXi servers.
Conclusion
The recent discovery of a likely zero-day vulnerability in SonicWall SSL VPNs being exploited by Akira ransomware serves as a stark reminder of the importance of staying up-to-date with security patches and adapting to emerging threats. Organizations must take proactive measures to protect themselves against these types of attacks, including disabling vulnerable services, enforcing MFA, and implementing regular password updates.