Akira ransomware targets fully patched SonicWall VPNs in suspected zero-day attacks, with multiple intrusions seen in late July 2025.
Arctic Wolf Labs researchers reported that Akira ransomware operators are exploiting SonicWall SSL VPNs in a likely zero-day attack that affects even fully patched devices. Arctic Wolf Labs observed multiple intrusions via VPN access in late July 2025. The evidence points to a zero-day in SonicWall VPNs, since fully patched devices with MFA enabled and rotated credentials were still compromised in some attacks.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” reads the report published by Arctic Wolf Labs. “In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances.”
Ransomware activity targeting SonicWall SSL VPNs surged from July 15, 2025, with similar cases dating back to October 2024. Attackers often used VPS hosting for VPN logins, unlike legitimate access from ISPs. Arctic Wolf observed short delays between access and encryption and is applying its own recommended defenses internally.
“In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments,” continues the report.
The researchers recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.
SonicWall advises enabling security services like Botnet Protection, enforcing MFA for all remote access, and removing unused firewall accounts. The experts recommend regular password updates. To limit exposure to malicious VPN logins, organizations should consider blocking VPN authentication from hosting-related ASNs, though full blocking could disrupt operations. These steps help improve security but may not fully prevent the described threat.
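The hosting-versus-ISP distinction in the report and the ASN-based recommendation above can be turned into a detection rather than a hard block. The following is an added example, not code from the report or from SonicWall; it assumes a simplified, hypothetical log layout (timestamp, user, source IP, event) and a constructed CIDR-to-ASN table standing in for a real routing feed, and it flags successful VPN logins sourced from hosting ASNs for analyst review.

```python
import ipaddress
from datetime import datetime

# Constructed lookup table (example data, not real routing data): network -> (ASN, category).
# A real deployment would populate this from an ASN/routing feed; the categories are an assumption.
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), ("AS64500", "hosting")),
    (ipaddress.ip_network("203.0.113.0/24"), ("AS64501", "isp")),
    (ipaddress.ip_network("192.0.2.0/24"), ("AS64502", "hosting")),
]

# Constructed sample log in a hypothetical "timestamp user src_ip event" layout,
# not SonicWall's actual syslog format.
SAMPLE_LOG = """2025-07-20T02:11:05 alice 203.0.113.10 vpn_login_success
2025-07-20T02:40:17 svc-backup 198.51.100.23 vpn_login_success
2025-07-20T02:41:02 svc-backup 198.51.100.23 vpn_login_failure
2025-07-20T03:05:44 bob 192.0.2.77 vpn_login_success
2025-07-20T09:00:01 carol 203.0.113.55 vpn_login_success"""


def lookup_asn(ip):
    """Map a source IP to (ASN, category) using the constructed table; unknown if no match."""
    addr = ipaddress.ip_address(ip)
    for net, info in ASN_TABLE:
        if addr in net:
            return info
    return ("unknown", "unknown")


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, ip, event = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "event": event}


def flag_hosting_logins(log_text):
    """Return (user, ip, asn) tuples for successful VPN logins that came from hosting ASNs.

    Only successful logins are reported; failures are left to brute-force detections.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] != "vpn_login_success":
            continue
        asn, category = lookup_asn(rec["ip"])
        if category == "hosting":
            hits.append((rec["user"], rec["ip"], asn))
    return hits
```

Alerting on these hits, rather than rejecting the authentication outright, avoids the operational disruption the report warns about while still surfacing the logins it describes as characteristic of this activity.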
The Akira ransomware has been active since March 2023. The threat actors behind the malware have hacked multiple organizations across several industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
Pierluigi Paganini
(SecurityAffairs – hacking, Akira ransomware)