
Akira Ransomware Exploits 0-Day Vulnerability in SonicWall Firewall Devices

Threat Score: 81 | 5 articles | 100.0% similarity | 18 hours ago

Activity Timeline: 5 articles, published Aug 01 to Aug 02.

Key Insights

1. A surge in Akira ransomware attacks targeting SonicWall SSL VPN devices has been reported, with evidence suggesting exploitation of a potential zero-day vulnerability in late July 2025.
2. Cybersecurity firm Arctic Wolf noted that attackers compromised fully-patched SonicWall devices shortly after credential rotation, indicating that traditional security measures were insufficient.
3. The Akira ransomware group has reportedly collected over $42 million in ransom payments from more than 250 victims as of April 2024, highlighting the severity of this ongoing threat.
4. Incidents involving SonicWall SSL VPNs began to escalate on July 15, 2025, with Arctic Wolf observing rapid ransomware encryption following initial VPN access.
5. SonicWall has not yet confirmed the nature of the attacks, but experts caution that both zero-day vulnerabilities and credential-based attacks remain under investigation.
6. Organizations are advised to disable SonicWall SSL VPNs and implement additional security measures while awaiting further guidance from SonicWall.

Threat Overview

In late July 2025, a significant increase in ransomware attacks targeting SonicWall SSL VPN devices was reported, primarily attributed to the Akira ransomware group. Cybersecurity firm Arctic Wolf has highlighted that attackers appear to be exploiting a potential zero-day vulnerability, which allows unauthorized access to corporate networks. 'In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,' said Arctic Wolf researcher Julian Tuin. The uptick in attacks was first noted on July 15, 2025, with some incidents involving fully-patched SonicWall devices, suggesting that traditional security measures may not be effective in preventing these intrusions.

The Akira ransomware group, which emerged in March 2023, has claimed responsibility for numerous high-profile attacks and has reportedly collected over $42 million in ransom payments from more than 250 victims. The FBI has noted that the group has targeted organizations across various sectors, including major companies like Nissan and Hitachi. Arctic Wolf's investigation reveals that attackers have successfully compromised accounts even when multi-factor authentication (MFA) was enabled, indicating a significant bypass of standard security protocols.

The attack chain involves unauthorized access through SonicWall SSL VPNs, with a rapid escalation observed between initial access and ransomware encryption. Arctic Wolf noted that legitimate VPN logins typically originate from networks operated by broadband internet service providers, whereas attackers often use Virtual Private Server hosting for VPN authentication in compromised environments. 'A short interval was observed between initial SSL VPN account access and ransomware encryption,' Arctic Wolf stated, emphasizing the urgency of the situation.
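The two observations in the paragraph above, logins from VPS hosting rather than broadband ISP space and a short gap between VPN login and encryption, translate directly into a triage rule a defender can run over SIEM data. The script below is an added example written for this page; it is not ThreatCluster's or Arctic Wolf's code. The log line format, the IP-to-network-type table (which uses RFC 5737 documentation ranges as placeholders) and the sample events are all constructed for illustration; a real deployment would take the network classification from an IP-to-ASN enrichment source and the events from the VPN appliance and EDR logs.

```python
"""Triage SSL VPN logins by source network type and time-to-encryption.

Added example for this page (not ThreatCluster or Arctic Wolf code). The
log format, the ASN_TABLE entries and SAMPLE_LOG are constructed; swap in
real enrichment data and real SIEM events when using this for hunting.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional
import re

# Constructed network table: (prefix, organisation, category). The prefixes
# are RFC 5737 documentation ranges standing in for real ISP / hosting ASNs.
ASN_TABLE = [
    (ip_network("198.51.100.0/24"), "Example Broadband ISP", "isp"),
    (ip_network("203.0.113.0/24"), "Example VPS Hosting", "hosting"),
]

# Constructed log formats: one line per successful VPN login, one per
# EDR alert for bulk file renames (a common encryption symptom).
VPN_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>\S+) result=success$")
ENCRYPT_RE = re.compile(
    r"^(?P<ts>\S+) edr host=(?P<host>\S+) user=(?P<user>\S+) alert=mass_file_rename$")


@dataclass
class Finding:
    user: str
    src: str
    network_type: str
    minutes_to_encryption: Optional[float]


def classify_ip(src: str) -> str:
    """Return 'isp', 'hosting' or 'unknown' for a source address."""
    addr = ip_address(src)
    for net, _org, category in ASN_TABLE:
        if addr in net:
            return category
    return "unknown"


def parse(lines):
    """Split log lines into per-user login events and encryption alerts."""
    logins, encryptions = {}, {}
    for line in lines:
        m = VPN_LOGIN_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            logins.setdefault(m["user"], []).append((ts, m["src"]))
            continue
        m = ENCRYPT_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            encryptions.setdefault(m["user"], []).append(ts)
    return logins, encryptions


def triage(lines, max_minutes: float = 120) -> list:
    """Flag a VPN login if it came from hosting infrastructure, or if the
    same account produced an encryption alert within max_minutes of it."""
    logins, encryptions = parse(lines)
    findings = []
    for user, events in logins.items():
        for ts, src in events:
            net_type = classify_ip(src)
            later = [e for e in encryptions.get(user, []) if e >= ts]
            minutes = (min(later) - ts).total_seconds() / 60 if later else None
            if net_type == "hosting" or (minutes is not None and minutes <= max_minutes):
                findings.append(Finding(user, src, net_type, minutes))
    return findings


# Constructed sample: alice is a normal ISP login; bob logs in from hosting
# space and encryption follows; carol's login looks normal but is followed
# by encryption within half an hour.
SAMPLE_LOG = [
    "2025-07-15T08:00:00 sslvpn user=alice src=198.51.100.23 result=success",
    "2025-07-15T09:12:00 sslvpn user=bob src=203.0.113.45 result=success",
    "2025-07-15T10:40:00 edr host=fs01 user=bob alert=mass_file_rename",
    "2025-07-15T11:00:00 sslvpn user=carol src=198.51.100.77 result=success",
    "2025-07-15T11:30:00 edr host=ws12 user=carol alert=mass_file_rename",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample data the rule flags bob (hosting source, encryption 88 minutes later) and carol (ISP source, but encryption 30 minutes after login) while leaving alice alone. The hosting-provider check on its own generates noise for staff who legitimately work from cloud jump hosts, so pairing it with the time-to-encryption correlation, or with a per-user baseline of usual source networks, is what makes it usable as an alert rather than a report.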

Following the surge in attacks, organizations are advised to take immediate action. SonicWall has not yet issued specific patches or mitigations, but security experts recommend disabling SonicWall SSL VPNs and employing additional security measures to protect sensitive data. The security community is on high alert as investigations continue into the methods used by the Akira ransomware group and the potential vulnerabilities being exploited.

As the situation develops, organizations are encouraged to closely monitor updates from SonicWall and cybersecurity firms to ensure they implement the latest protective measures against these ongoing threats.

Tactics, Techniques & Procedures (TTPs)

T1078 Valid Accounts - Attackers may use compromised accounts to gain initial access through SonicWall SSL VPNs [1][2]
T1190 Exploit Public-Facing Application - Attackers exploit the suspected zero-day vulnerability for unauthorized access [2][4]
T1556 Modify Authentication Process - Attackers may bypass MFA, compromising accounts even after credential rotation [2][4]
T1566 Phishing - Potential use of phishing techniques to harvest credentials prior to VPN access [5]
T1203 Exploitation for Client Execution - Attackers may leverage the vulnerability for executing ransomware payloads [4]
T1059 Command and Scripting Interpreter - Ransomware encryption occurs rapidly after gaining access [1][3]
T1036 Masquerading - Use of legitimate VPN connections to mask malicious activity [1][5]

Timeline of Events

2024-10: Initial malicious VPN logins targeting SonicWall devices observed [1]
2025-07-15: Significant increase in Akira ransomware attacks targeting SonicWall SSL VPNs begins [1][5]
2025-07-20: Arctic Wolf reports multiple pre-ransomware intrusions involving SonicWall devices [2]
2025-07-25: Evidence of ransomware encryption occurring shortly after initial VPN access is confirmed [4]
2025-08-01: Cybersecurity Dive reports on the surge of attacks linked to potential zero-day vulnerabilities [3]
2025-08-02: Arctic Wolf publishes findings on the attacks, with recommendations for organizations [1][4]

Source Citations

Expert quotes: SonicWall response (Article 1); Julian Tuin, Arctic Wolf (Article 1); FBI report on Akira ransomware (Article 5)
Primary findings: Increased ransomware activity (Articles 1, 2, 4); Potential zero-day vulnerability (Articles 2, 3, 4); Financial impact of Akira ransomware (Article 5)
Technical details: Attack methods (Articles 1, 2, 5); Exploitation patterns (Articles 3, 4)

Powered by ThreatCluster AI. Generated 5 hours ago. AI analysis may contain inaccuracies.

Related Articles

5 articles
1. Akira Ransomware Exploits 0-Day Vulnerability in SonicWall Firewall Devices
GB Hackers • 7 hours ago

Cybersecurity firm Arctic Wolf has identified a significant increase in ransomware attacks targeting SonicWall firewall devices in late July 2025, with evidence pointing to the exploitation of a previously unknown zero-day vulnerability. The company's investigation revealed multiple coordinated attacks using SonicWall SSL VPNs as the initial access point, raising serious concerns about the security of these widely deployed netw

Score 80 | 100.0% similarity
2. Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices
The Hacker News • 9 hours ago

SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. "In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs," Arctic Wolf Labs researcher Julian Tuin said in a report. The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meanin

Score 79 | 100.0% similarity
3. SonicWall Firewall Devices 0-day Vulnerability Actively Exploited by Akira Ransomware
Cybersecurity News • 8 hours ago

A suspected zero-day vulnerability in SonicWall firewall devices that the Akira ransomware group is actively exploiting. The flaw allows attackers to gain initial access to corporate networks through SonicWall's SSL VPN feature, leading to subsequent ransomware deployment. In late July 2025, security researchers observed a significant increase in ransomware attacks leveraging SonicWall devices. The evidence […]

Score 76 | 100.0% similarity
4. Ransomware spike linked to potential zero-day flaw in SonicWall devices
Cybersecurity Dive • 19 hours ago

Researchers say hackers using the Akira ransomware strain may be exploiting the vulnerability en masse.

Score 70 | 96.0% similarity
5. SonicWall firewall devices hit in surge of Akira ransomware attacks
BleepingComputer • 22 hours ago

Sergiu Gatlan, August 1, 2025 01:28 PM. SonicWall firewall devices have been increasingly targeted since late July in a surge of Akira ransomware attacks, potentially exploiting a previously unknown security vulnerability, according to cybersecurity company Arctic Wolf. Akira emerged in March 2023 and quickly claimed many victims worldwide across various industries. Over the last two years, Akira has added over 300 organizations t

Score 59 | 96.0% similarity


Cluster Intelligence

Key entities and indicators for this cluster

MITRE ATT&CK: T1078, T1203, T1190, T1556, T1036
Attack types: VPN Exploitation, Phishing, Brute Force, Credential Stuffing
Industries: Cybersecurity, Technology
Companies: SonicWall, Arctic Wolf, Hitachi, Nissan
Agencies: FBI
Platforms: SonicWall SSL VPN
Vulnerabilities: Remote Code Execution
Security vendors: Arctic Wolf
Cluster information: Cluster #1569, created 18 hours ago, semantic algorithm
