Ransomware

Akira Ransomware Targets SonicWall VPNs in Suspected Zero-Day Attacks

(Adobe Stock)

Ransomware operators linked to the Akira group are targeting SonicWall SSL VPN appliances in what appears to be a zero-day campaign, reports Security Affairs. Arctic Wolf Labs has tracked multiple intrusions from mid to late July, all tied to VPN access, even on fully patched devices. In some cases, attackers bypassed multi-factor authentication and gained access shortly after credentials were reset, signaling that traditional safeguards aren’t holding up.

While brute-force or credential-stuffing attacks haven’t been completely ruled out, patterns point toward an undisclosed vulnerability in SonicWall’s VPN stack. Arctic Wolf’s analysis shows that logins came from virtual private servers, not typical broadband networks, and that encryption began soon after initial access - clear signs of automation and intent.

The surge in Akira activity isn't isolated to this month. Similar behavior traces back to October 2024, showing a consistent focus on VPN infrastructure. That persistence, combined with the bypassing of MFA and use of VPS-hosted infrastructure, makes this campaign especially dangerous for organizations still relying on exposed VPNs as their front line.

Until a patch is issued, Arctic Wolf has recommended disabling SonicWall’s SSL VPN service altogether. SonicWall itself advises reinforcing endpoint protections and narrowing authentication paths, including blocking login attempts from known hosting providers.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

You can skip this ad in 5 seconds