SonicWall VPNs Under Attack: Akira Ransomware Exploits Zero-Day Vulnerabilities
TL;DR
- Akira ransomware targets fully patched SonicWall VPNs, suggesting a zero-day vulnerability.
- Multiple intrusions were observed in late July 2025, despite MFA and credential rotation.
- Organizations are advised to disable SonicWall SSL VPN service until a patch is available.
Akira Ransomware Targets SonicWall VPNs
Akira ransomware has been identified exploiting SonicWall SSL VPNs in a suspected zero-day attack, compromising even fully patched devices. Researchers at Arctic Wolf Labs reported multiple intrusions via VPN access in late July 2025. Evidence indicates a probable zero-day vulnerability in SonicWall VPNs, as fully patched devices with multi-factor authentication (MFA) and rotated credentials were still compromised [1].
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability.”
Timeline and Attack Patterns
Ransomware activities targeting SonicWall SSL VPNs surged from July 15, 2025, with similar cases dating back to October 2024. Attackers often used Virtual Private Server (VPS) hosting for VPN logins, unlike legitimate access, which typically originates from broadband internet service providers [2].
“In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.”
Recommended Defenses
Researchers recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed. SonicWall advises enabling security services like Botnet Protection, enforcing MFA for all remote access, and removing unused firewall accounts. Regular password updates and blocking VPN authentication from hosting-related ASNs can also help limit exposure to malicious VPN logins [3].
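The VPS-versus-broadband pattern described under "Timeline and Attack Patterns" and the hosting-ASN blocking advice above can be turned into a simple review of VPN authentication logs. The following is an added example, not Arctic Wolf's or SonicWall's tooling: the log line format, the prefix-to-ASN table, the ASN numbers and the source addresses are all constructed for the demo, and a real deployment would use the firewall's actual log format and an IP-to-ASN feed.

```python
# Added example: flag successful SSL VPN logins sourced from hosting-provider ASNs.
# Not Arctic Wolf's or SonicWall's tooling; log format, prefixes and ASNs are constructed.
import ipaddress
import re

# Constructed prefix-to-ASN table standing in for a real IP-to-ASN feed.
# The "hosting" flag is an assumption about each fictional network.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "ExampleVPS Hosting", True),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "Example Broadband ISP", False),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "Example Cloud Servers", True),
]

# Constructed log line format, loosely modelled on a firewall VPN auth event.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

def lookup_asn(ip):
    """Return (asn, org, is_hosting) for the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, org, hosting in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org, hosting)
    return None if best is None else best[1:]

def flag_hosting_logins(lines):
    """Return (ts, user, ip, asn, org) for each successful login from a hosting ASN."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # skip unparsable lines and failed attempts
        info = lookup_asn(m["ip"])
        if info and info[2]:
            findings.append((m["ts"], m["user"], m["ip"], info[0], info[1]))
    return findings

SAMPLE_LOG = [  # constructed sample events
    "2025-07-16T02:13:07Z vpn auth success user=jsmith src=198.51.100.23",
    "2025-07-16T02:41:55Z vpn auth success user=svc_backup src=203.0.113.45",
    "2025-07-16T02:42:10Z vpn auth failure user=admin src=192.0.2.9",
    "2025-07-16T03:05:31Z vpn auth success user=admin src=192.0.2.9",
]

if __name__ == "__main__":
    for ts, user, ip, asn, org in flag_hosting_logins(SAMPLE_LOG):
        print(f"{ts} {user} from {ip} (AS{asn} {org}): hosting ASN, review")
```

Successful logins from hosting ASNs are only a review signal, not proof of compromise; the same lookup can drive a deny rule on the firewall for the ASNs an organization decides to block.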
Historical Context
Akira ransomware has been active since March 2023, targeting multiple organizations across various industries, including education, finance, and real estate. The threat actors behind this malware have developed a Linux encryptor to target VMware ESXi servers, similar to other ransomware gangs [4].
Conclusion
The threat posed by Akira ransomware to SonicWall VPNs underscores the critical need for robust security measures. Organizations must remain vigilant and proactive in their defense strategies to mitigate potential vulnerabilities and protect against evolving cyber threats.
References
- [1] Arctic Wolf Labs (2025). "Arctic Wolf observes July 2025 uptick in Akira ransomware activity targeting SonicWall SSL VPN". Arctic Wolf. Retrieved 2025-08-03.
- [2] Security Affairs (2025). "Akira ransomware targets Finnish organizations". Security Affairs. Retrieved 2025-08-03.
- [3] Security Affairs (2024). "Fog Akira ransomware SonicWall VPN flaw". Security Affairs. Retrieved 2025-08-03.
- [4] Security Affairs (2023). "Akira ransomware decryptor". Security Affairs. Retrieved 2025-08-03.