Organizations are under threat as Akira ransomware operators intensify attacks on SonicWall firewall SSL VPN services. The attacks began in mid‑July 2025 and accelerated rapidly. Evidence suggests a likely zero‑day vulnerability, though credential-based access remains a possible entry method.

Timeline and Scope

Attacks spiked around July 15, with multiple companies targeted within hours. Researchers noted that even fully patched SonicWall devices fell victim. Some victims had enabled multi-factor authentication and rotated credentials—but threat actors still breached systems.

Akira ransomware first appeared in March 2023. Since then, it has claimed over 250 victims globally and collected more than $42 million in ransom payments. Activities continue to ramp up in 2025.

How Attackers Operated

Victims experienced VPN account compromises via SonicWall SSL VPN portals. In several cases, attackers used hosting provider networks instead of typical broadband ISPs for VPN access. This detail offered a clue to defenders.

Attackers moved swiftly inside compromised networks—typically going from password-based VPN access to data encryption within hours. Analysts believe the use of virtual private servers helped attackers hide their operations.

Vulnerability Versus Credentials

The breach campaign could stem from a previously unknown zero‑day flaw in SonicWall SSL VPN code. Arctic Wolf Labs stated that some successful attacks occurred despite MFA and password updates. However, some incidents may also stem from credential stuffing or brute‑force techniques.

Security Recommendations

Administrators should consider temporarily disabling SonicWall SSL VPN services until patches appear. Additional recommended steps include:

  • Enforce multi-factor authentication for all remote access
  • Remove unused or inactive firewall user accounts
  • Monitor VPN logs and activity patterns closely
  • Block authentication from hosting-related networks (ASNs)
  • Enable firewall security features such as Botnet Protection

Organizations with SonicWall SMA 100 series appliances should review logs for anomalies and apply any relevant firmware updates.
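The two log-focused recommendations above (monitor VPN logs, and treat logins from hosting-provider networks as suspicious) can be turned into a simple detection. The following is an added example, not code from the article or from SonicWall; the ASN table and the log lines are constructed and simplified, and the log format is hypothetical rather than SonicWall's real syslog syntax. In production, resolve source addresses with a real ASN database instead of the inline table.

```python
import ipaddress
import re

# Constructed ASN table (hypothetical): in practice, resolve the source IP with
# a real ASN database (e.g. a MaxMind or Team Cymru feed) instead.
ASN_TABLE = {
    "203.0.113.0/24": ("AS64500", "ExampleBroadband", "isp"),
    "198.51.100.0/24": ("AS64501", "ExampleHosting-VPS", "hosting"),
    "192.0.2.0/24": ("AS64502", "ExampleCloud", "hosting"),
}
HOSTING_TYPES = {"hosting"}

# Constructed, simplified VPN login events (not SonicWall's real log format).
SAMPLE_LOGS = """\
2025-07-15T08:02:11Z src=203.0.113.45 user=jdoe msg="SSL VPN user login successful"
2025-07-15T08:03:40Z src=198.51.100.22 user=svc-backup msg="SSL VPN user login successful"
2025-07-15T08:04:02Z src=198.51.100.22 user=svc-backup msg="SSL VPN user login successful"
2025-07-15T08:05:19Z src=192.0.2.77 user=mlee msg="SSL VPN user login failed"
2025-07-15T09:30:00Z src=203.0.113.80 user=asmith msg="SSL VPN user login successful"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) msg="(?P<msg>[^"]*)"$'
)


def lookup_asn(ip: str):
    """Return (asn, org, category) for ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in ASN_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return None


def flag_hosting_logins(log_text: str):
    """Return sorted unique (user, src, asn) tuples for successful SSL VPN
    logins whose source address belongs to a hosting/VPS network.
    Failed logins and unparsable lines are ignored."""
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "successful" not in m["msg"]:
            continue
        info = lookup_asn(m["src"])
        if info and info[2] in HOSTING_TYPES:
            findings.add((m["user"], m["src"], info[0]))
    return sorted(findings)


if __name__ == "__main__":
    for user, src, asn in flag_hosting_logins(SAMPLE_LOGS):
        print(f"review: {user} logged in from hosting network {asn} ({src})")
```

Each flagged account should be reviewed and, where the login is unexpected, have its session terminated and credentials reset; the same ASN categories can feed the firewall rule that blocks authentication from hosting networks.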

Why It Matters

This campaign demonstrates how attackers can exploit VPN access points even in hardened environments. SonicWall firewalls often serve as critical remote access gateways. Once attackers compromise these gateways, they can escalate quickly into the internal network.

Conclusion

The surge of Akira ransomware against SonicWall SSL VPN services marks a serious threat to enterprise security. Even patched devices face risk, possibly due to zero-day vulnerabilities. Organizations should lock down VPN access, enforce strong authentication, and monitor closely until a patch is available.
