
Akira Ransomware Targeting SonicWall SSL VPN

Description

Since mid-July 2025, cybersecurity firms, including Arctic Wolf, Huntress, Field Effect, and others, have observed a surge in ransomware activity by the Akira group, with initial access leveraging SonicWall SSL VPN appliances, notably Gen 7 and newer devices with SSLVPN enabled.

While early speculation leaned toward a zero-day exploit, because some affected devices were fully patched, SonicWall and multiple researchers now assess with high confidence that the activity stems from exploitation of CVE-2024-40766, an improper access control vulnerability in SonicOS management and SSL VPN access that was patched in 2024. The risk is heightened when local user accounts were carried over during migration from Gen 6 to Gen 7 without a password reset: the migrated credentials remain valid on the new appliance, so an attacker who obtained them from the old device can still log in.

In parallel, Akira has demonstrated a rapid post-access chain of behavior, including disabling security tools, exfiltrating data, and deploying ransomware. In some cases they have used a bring-your-own-vulnerable-driver (BYOVD) technique to disable Microsoft Defender: a legitimately signed but vulnerable driver is loaded first, then abused to load a second, malicious driver that terminates or blinds the security product.

Impact

Exploitation of SonicWall SSL VPNs by Akira carries serious repercussions:

  • Unauthorized Access: Attackers gain entry to networks via compromised VPN access.
  • Rapid Tooling: Evidence shows a short time window between VPN compromise and ransomware execution.
  • Security Evasion: Attackers load drivers to disable antivirus/EDR, delete backups and volume shadow copies, and then launch encryption shortly afterward, leaving little time for detection.
  • Broad Targeting: Akira has impacted hundreds of organizations globally, including MSPs, SMBs, and sectors like education, healthcare, IT, manufacturing, and finance.
  • Credential Reuse Risk: Legacy or service accounts (e.g., LDAP bind accounts) can be overprivileged, enabling lateral movement when compromised.

Recommendations

Immediate Steps

  1. Disable SonicWall SSL VPN where feasible, as this is the most reliable risk mitigation.
  2. If SSL VPN cannot be disabled, restrict access via IP allow-listing (trusted IPs only), and apply network segmentation to limit lateral movement.
  3. Reset all local user account passwords, especially those migrated from Gen 6 to Gen 7 without change.
  4. Upgrade to SonicOS version 7.3.0 (or newer), which includes protections for brute-force attack mitigation, improved MFA, and other security enhancements.

Security Hygiene

  • Enable MFA on all remote access gateways—even though MFA may not be foolproof in this context, it remains a critical layer.
  • Enable Botnet Protection and Geo-IP Filtering on SonicWall appliances to reduce exposure to unauthorized access attempts.
  • Audit and remove unused or inactive accounts, including service, LDAP, and administrative accounts; enforce least privilege principles.
  • Rotate service account credentials (e.g., LDAP bind accounts), and limit permissions strictly to required tasks.

Detection & Response

  • Review VPN logs for abnormal access patterns such as login from VPS IP ranges, failed login spikes, or unusual geographic origins.
  • Forward logs to SIEM or MDR platforms, set detection rules for anomalous activity, and monitor for ransomware deployment behaviors like driver loading or VSS deletion.
  • Ensure backup integrity and test recovery processes regularly.
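The VPN log review above can be turned into a repeatable check. The script below is an added example, not code from the original advisory or from SonicWall: it parses syslog-style key=value lines, flags failed-login spikes from a single source, a successful login that follows such a spike (a common password-spray signature), and successful logins from IP ranges you do not expect staff to use (VPS or hosting providers). The sample log lines are constructed to resemble SonicOS syslog output; the field names (time, src, usr, msg), the message texts and the VPS range are assumptions, so adjust the parsing and the range list to your appliance's real export before use.

```python
"""Added example: flag suspicious SonicWall SSL VPN logins in syslog-style logs.

The log lines, field names and message texts below are constructed
approximations of SonicOS key=value syslog output, not an official schema.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (approximate SonicOS key=value style). 203.0.113.7
# hammers several accounts and then succeeds as "ldapbind"; 198.51.100.23
# succeeds from an assumed hosting range; 192.0.2.44 is ordinary user noise.
SAMPLE_LOG = """\
time="2025-07-20 03:10:01" src=203.0.113.7 usr="jsmith" msg="SSL VPN login attempt failed"
time="2025-07-20 03:10:04" src=203.0.113.7 usr="jsmith" msg="SSL VPN login attempt failed"
time="2025-07-20 03:10:07" src=203.0.113.7 usr="admin" msg="SSL VPN login attempt failed"
time="2025-07-20 03:10:09" src=203.0.113.7 usr="backup" msg="SSL VPN login attempt failed"
time="2025-07-20 03:10:12" src=203.0.113.7 usr="ldapbind" msg="SSL VPN login attempt failed"
time="2025-07-20 03:11:40" src=203.0.113.7 usr="ldapbind" msg="SSL VPN login successful"
time="2025-07-20 08:02:15" src=198.51.100.23 usr="mjones" msg="SSL VPN login successful"
time="2025-07-20 08:30:00" src=192.0.2.44 usr="aperez" msg="SSL VPN login successful"
time="2025-07-20 09:00:00" src=192.0.2.44 usr="aperez" msg="SSL VPN login attempt failed"
"""

# Assumed hosting/VPS ranges staff should never log in from (documentation
# range used here; populate from your own threat intel or ASN lists).
VPS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
FAIL_THRESHOLD = 5          # failures from one source inside the window
WINDOW = timedelta(minutes=5)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a normalised login event, or None for lines we do not care about."""
    fields = {k: (q if q else b) for k, q, b in KV_RE.findall(line)}
    if not {"time", "src", "usr", "msg"} <= fields.keys():
        return None
    msg = fields["msg"].lower()
    if "failed" in msg:
        outcome = "failure"
    elif "successful" in msg:
        outcome = "success"
    else:
        return None
    return {
        "ts": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(fields["src"]),
        "user": fields["usr"],
        "outcome": outcome,
    }


def analyze(log_text, vps_ranges=VPS_RANGES, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Walk events in time order and emit alerts for the three patterns."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src -> failure timestamps in window
    spike_reported = set()
    alerts = []
    for ev in events:
        src = ev["src"]
        cutoff = ev["ts"] - window
        recent_failures[src] = [t for t in recent_failures[src] if t >= cutoff]
        if ev["outcome"] == "failure":
            recent_failures[src].append(ev["ts"])
            if len(recent_failures[src]) >= fail_threshold and src not in spike_reported:
                spike_reported.add(src)
                alerts.append({"type": "failed_login_spike", "src": str(src),
                               "count": len(recent_failures[src]), "at": str(ev["ts"])})
            continue
        # Successful login: suspicious if it follows a spray burst from the same
        # source, or comes from a range where no legitimate user should be.
        if len(recent_failures[src]) >= fail_threshold:
            alerts.append({"type": "success_after_failures", "src": str(src),
                           "user": ev["user"], "at": str(ev["ts"])})
        if any(src in net for net in vps_ranges):
            alerts.append({"type": "vps_login", "src": str(src),
                           "user": ev["user"], "at": str(ev["ts"])})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The success-after-failures rule is the one worth tuning first: a burst followed by a success from the same source is exactly what a valid but migrated credential looks like once the attacker has found it, and it should page someone even when the source IP is not in any VPS list.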
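The endpoint side of the second bullet, driver loading and shadow-copy deletion, can be checked in the same spirit. The following is an added example, not code from the advisory: it runs simple rules over Windows endpoint events modelled on Sysmon Event ID 1 (process creation), Sysmon Event ID 6 (driver load) and System Event ID 7045 (service installed). The events are constructed dicts, the driver file names and hosts are invented, and the rules encode the BYOVD pattern described earlier (a validly signed driver loaded from a user-writable directory, followed by an unsigned one) rather than any specific known-bad hash; in production, pair this with Microsoft's vulnerable driver blocklist or a hash feed.

```python
"""Added example: rules for BYOVD driver loads and shadow-copy deletion.

Events are constructed, simplified dicts using Sysmon-style field names
(CommandLine, ImageLoaded, Signed, SignatureStatus, ImagePath); the data is
invented for illustration.
"""
import re

# Command lines that destroy recovery points before encryption.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(remove|delete)", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "\\appdata\\")

# Constructed sample telemetry from one host.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "host": "WS-042", "User": "CORP\\svc-backup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "ProcessCreate", "host": "WS-042", "User": "CORP\\jsmith",
     "CommandLine": "cmd.exe /c dir"},
    # Signed, legitimate-looking driver dropped into a user-writable path:
    {"event": "DriverLoad", "host": "WS-042", "ImageLoaded": "C:\\ProgramData\\tmp\\util.sys",
     "Signed": "true", "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    # Second-stage driver loaded through the first one, unsigned:
    {"event": "DriverLoad", "host": "WS-042", "ImageLoaded": "C:\\ProgramData\\tmp\\helper.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"event": "DriverLoad", "host": "WS-042",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"event": "ServiceInstall", "host": "WS-042", "ServiceName": "hlpsvc",
     "ImagePath": "\\??\\C:\\ProgramData\\tmp\\util.sys", "ServiceType": "kernel mode driver"},
]


def is_untrusted_driver_path(path):
    """True unless the driver lives in System32\\drivers and outside user-writable dirs."""
    p = path.lower()
    if p.startswith("\\??\\"):          # strip the NT object-manager prefix 7045 uses
        p = p[4:]
    return not p.startswith(TRUSTED_DRIVER_DIR) or any(u in p for u in USER_WRITABLE)


def detect(events):
    """Apply the three rules and return alerts in event order."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "ProcessCreate":
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                               "detail": cmd, "user": ev.get("User", "")})
        elif kind == "DriverLoad":
            path = ev.get("ImageLoaded", "")
            reasons = []
            if is_untrusted_driver_path(path):
                reasons.append("untrusted path")
            if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "").lower() != "valid":
                reasons.append("not validly signed")
            if reasons:
                alerts.append({"rule": "suspicious_driver_load", "host": ev["host"],
                               "detail": path, "reasons": reasons})
        elif kind == "ServiceInstall":
            path = ev.get("ImagePath", "")
            if path.lower().endswith(".sys") and is_untrusted_driver_path(path):
                alerts.append({"rule": "driver_service_untrusted_path", "host": ev["host"],
                               "detail": path, "service": ev.get("ServiceName", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that the first driver passes every signature check; the path rule is what catches it, which is why a "signed equals safe" policy is not enough against BYOVD. Correlating a suspicious driver load with a shadow-copy deletion on the same host within minutes is a high-confidence ransomware pre-encryption signal.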

References

Arctic Wolf | SonicWall | Tenable

For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link.

Threat Advisory
Team Accorian