Akira Ransomware Hits SonicWall VPNs in Zero-Day Attack

The Akira ransomware group is actively targeting SonicWall SSL VPN devices, with a significant surge in attacks observed in late July 2025.
Potential Zero-Day Vulnerability
According to a new report from Arctic Wolf Labs, the method of initial access strongly suggests an unpatched vulnerability may be at play.
“In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” stated Julian Tuin, a researcher at Arctic Wolf Labs.
The cybersecurity firm noted that the attacks could be exploiting an as-yet-undetermined security flaw, meaning a zero-day, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn’t been ruled out entirely.
The uptick in attacks targeting SonicWall SSL VPNs was first registered on July 15, 2025. Arctic Wolf mentioned that it has observed similar malicious VPN logins as far back as October 2024, suggesting a sustained campaign against these devices.
Rapid Attack Timeline
A key indicator of this campaign is the speed of the attack.
“A short interval was observed between initial SSL VPN account access and ransomware encryption,” the report said. “In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.”
SonicWall has not yet responded to queries for further details on this activity.
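The hosting-versus-broadband distinction in the Arctic Wolf quote above can be turned into a simple log check. This is an added example, not code from Arctic Wolf or SonicWall. It assumes successful SSL VPN logins have been exported as `timestamp,user,src_ip` lines and that a list of VPS/hosting provider CIDR blocks is available (RFC 5737 documentation ranges stand in for it here); the names `HOSTING_NETS`, `SAMPLE_LOG`, `is_hosting` and `flag_logins` are hypothetical.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Assumption: CIDR blocks of VPS/hosting providers, e.g. derived from an ASN
# database. RFC 5737 documentation ranges are used as placeholders.
HOSTING_NETS = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample data: successful SSL VPN logins (timestamp,user,src_ip).
SAMPLE_LOG = """\
2025-07-20T08:01:12,alice,192.0.2.10
2025-07-20T08:15:40,bob,192.0.2.77
2025-07-21T02:13:05,svc_backup,203.0.113.45
2025-07-21T08:02:31,alice,192.0.2.10
2025-07-22T03:40:18,bob,198.51.100.9
"""

def is_hosting(ip):
    """True if the source address falls inside a listed hosting network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETS)

def flag_logins(log_text):
    """Return (timestamp, user, ip, reason) for each login from a hosting network."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if r]
    rows.sort(key=lambda r: datetime.fromisoformat(r[0]))
    baseline = set()  # users already seen logging in from non-hosting networks
    alerts = []
    for ts, user, ip in rows:
        if is_hosting(ip):
            # A user with an established broadband baseline who suddenly appears
            # from a VPS range is the stronger signal; accounts with no baseline
            # (stale or service accounts) still warrant review.
            reason = ("known user, new hosting source" if user in baseline
                      else "hosting source, no prior baseline")
            alerts.append((ts, user, ip, reason))
        else:
            baseline.add(user)
    return alerts

if __name__ == "__main__":
    for alert in flag_logins(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Legitimate users sometimes connect through cloud-hosted proxies or corporate egress points, so alerts from a check like this are triage leads to correlate with other activity rather than verdicts.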
Recommended Mitigations
Given the likelihood of a zero-day vulnerability, organizations are advised to take immediate action:
- Consider disabling the SonicWall SSL VPN service until a patch is released and deployed.
- Enforce multi-factor authentication (MFA) for all remote access.
- Delete inactive or unused local firewall user accounts.
- Follow strict password hygiene best practices.
Akira’s Rising Threat Profile
Since its emergence in March 2023, the Akira ransomware gang has become a significant threat. As of early 2024, the actors are estimated to have extorted approximately $42 million from over 250 victims.
Data from Check Point reveals that Akira was the second most active ransomware group in the second quarter of 2025, just behind Qilin, with 143 victims claimed during that period.
“Akira ransomware maintains a special focus on Italy, with 10% of its victims from Italian companies compared to 3% in the general ecosystem,” Check Point noted.