A sharp uptick in Akira ransomware activity is exploiting SonicWall remote access infrastructure, potentially via an unpatched zero-day.
Akira Ransomware Campaign Intensifies Against SonicWall SSL VPNs With Possible Zero-Day and Credential Abuse
Since mid-July, the Akira ransomware group has increasingly targeted SonicWall firewall environments, especially SSL VPN endpoints, in a fast-moving campaign that moves from access to encryption with little delay. Researchers at Arctic Wolf Labs have tracked multiple intrusions beginning around July 15 where attackers gained entry through compromised SonicWall SSL VPN accounts. The pattern mirrors activity seen since at least October 2024, pointing to a sustained and evolving focus on these devices.
Arctic Wolf warns that while a zero-day vulnerability is a highly plausible enabler of these breaches, credential-based techniques such as brute force, dictionary attacks, and credential stuffing remain possible initial vectors in some cases.
“The initial access methods have not yet been confirmed in this campaign,” the researchers said. “While the existence of a zero-day vulnerability is highly plausible, credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases.”
The attackers were also observed authenticating from virtual private servers (VPS)—a deviation from typical enterprise or consumer broadband traffic—suggesting deliberate infrastructure use to obscure origin and increase reliability of access. Once inside via SSL VPN, Akira operators rapidly proceed to deploy ransomware, encrypting data and adding victims to their leak portal.
Immediate Mitigation Guidance Amid Ongoing Investigation
Given the elevated risk and the potential for unpatched exploitation, Arctic Wolf recommends:
- Temporarily disabling SonicWall SSL VPN services until more clarity or remediation is available.
- Enabling enhanced logging to monitor authentication and lateral movement.
- Deploying robust endpoint monitoring to detect post-compromise activity.
- Blocking VPN authentication attempts originating from hosting provider IP ranges unless explicitly required.
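One way to act on the logging and hosting-range guidance above is to triage SSL VPN authentication events for two of the patterns the article describes: successful logins sourced from hosting-provider (VPS) address space, and a success that follows a burst of failures from the same source (a brute-force or credential-stuffing signature). The following is an added example, not Arctic Wolf's or SonicWall's code; the key=value log layout, the field names and the hosting CIDRs are constructed placeholders, not SonicWall's real log schema or any provider's real ranges.

```python
import ipaddress
import re

# Constructed hosting-provider ranges (RFC 5737 documentation space, not real allocations).
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumed key=value layout; field names are placeholders, not SonicWall's actual schema.
LOG_RE = re.compile(r'msg="(?P<msg>[^"]+)"\s+src=(?P<src>[\d.]+)\s+usr="(?P<usr>[^"]+)"')

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = """\
msg="SSL VPN user login failed" src=198.51.100.7 usr="jdoe"
msg="SSL VPN user login failed" src=198.51.100.7 usr="jdoe"
msg="SSL VPN user login failed" src=198.51.100.7 usr="jdoe"
msg="SSL VPN user login succeeded" src=198.51.100.7 usr="jdoe"
msg="SSL VPN user login succeeded" src=192.0.2.44 usr="asmith"
msg="SSL VPN user login succeeded" src=203.0.113.9 usr="svc-backup"
""".splitlines()


def parse_line(line):
    """Extract message, source IP and user from one log line; None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"msg": m["msg"], "src": ipaddress.ip_address(m["src"]), "usr": m["usr"]}


def is_hosting_ip(ip):
    """True when the address falls inside one of the (placeholder) hosting-provider ranges."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in HOSTING_RANGES)


def flag_vpn_logins(lines, fail_threshold=3):
    """Return (user, src, reason) alerts for SSL VPN logins matching either pattern."""
    failures = {}  # (user, src) -> count of failed attempts seen before a success
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or "SSL VPN" not in ev["msg"]:
            continue
        key = (ev["usr"], str(ev["src"]))
        if "failed" in ev["msg"]:
            failures[key] = failures.get(key, 0) + 1
        elif "succeeded" in ev["msg"]:
            if is_hosting_ip(ev["src"]):
                alerts.append((ev["usr"], str(ev["src"]), "login from hosting-provider range"))
            if failures.get(key, 0) >= fail_threshold:
                alerts.append((ev["usr"], str(ev["src"]), f"success after {failures[key]} failures"))
    return alerts
```

In production the hosting ranges would come from a maintained ASN or hosting-provider feed and the lines from the firewall's syslog export, with alerts routed to the SOC rather than returned as a list.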
The investigation into the precise attack chain is ongoing, with Arctic Wolf promising to share additional technical indicators as they become available.
SMA 100 Appliances Under Separate Pressure; Rootkit Activity and Patch Advisory
Complicating the SonicWall ecosystem risk profile is recent activity involving SMA 100 appliances. One week before the Akira surge reporting, SonicWall issued a warning to customers to patch CVE-2025-40599, a critical vulnerability that could allow remote code execution if an attacker already has administrative privileges. While there’s no public evidence that CVE-2025-40599 itself is currently exploited in the wild, the devices are being actively targeted through compromised credentials to deploy the OVERSTEP rootkit, according to the Google Threat Intelligence Group (GTIG).
SonicWall strongly urged operators of both virtual and physical SMA 100 units to review logs for signs of compromise, check for indicators of compromise (IoCs) from GTIG’s reporting, and contact support immediately if anomalies are detected.
A SonicWall spokesperson did not respond to requests for comment at the time of reporting.