A new wave of cyberattacks involving the Akira ransomware group has targeted SonicWall SSL VPN devices, even those running the latest security patches. The attacks, which began gaining traction in mid-July 2025, have raised concerns that a zero-day vulnerability may be at play.
According to a report by Arctic Wolf Labs, threat actors linked to the Akira ransomware have been using SonicWall SSL VPNs as a potential entry point to infiltrate networks. These intrusions occurred within short time frames and often led to full ransomware deployment shortly after gaining VPN access.
“In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” said Julian Tuin, a researcher at Arctic Wolf Labs.
What makes this surge of activity especially alarming is that some of the affected devices were fully patched and up to date, suggesting attackers may be exploiting a previously unknown vulnerability—commonly referred to as a zero-day. However, Arctic Wolf Labs has not ruled out the possibility of credential-based compromises, such as stolen or brute-forced passwords.
The first signs of the latest attack wave were detected on July 15, 2025, though Arctic Wolf reports that similar VPN-related intrusions date back to October 2024. This suggests that the Akira group has likely been testing and refining its attack method for months, slowly ramping up activity over time.
Once attackers gain initial access, they appear to act quickly. “A short interval was observed between initial SSL VPN account access and ransomware encryption,” Arctic Wolf stated. Unlike typical VPN usage from residential internet providers, the threat actors are leveraging Virtual Private Server (VPS) infrastructure to authenticate VPN logins from compromised environments—making their activity harder to distinguish from legitimate users.
At the time of writing, SonicWall has not publicly acknowledged the reported intrusions or provided technical details on whether a security flaw exists. The company has also not issued a patch or advisory regarding the matter.
This lack of confirmation puts organizations that rely on SonicWall devices in a difficult position. Without clarity on whether a zero-day vulnerability exists, many security teams are forced to rely on best practices and risk-mitigation strategies.

Given the potential for an unpatched vulnerability, cybersecurity experts recommend temporarily disabling SonicWall SSL VPN services if possible until more information or a patch is released.
Additional security measures include:
Enabling Multi-Factor Authentication (MFA): This makes it harder for attackers to exploit stolen credentials.
Removing Inactive or Unused VPN Accounts: Old or forgotten accounts can be a hidden weakness.
Improving Password Hygiene: Enforce strong password policies and mandate periodic password updates.
Monitoring VPN Activity Logs: Look out for VPN connections from unusual IP addresses or geolocations, particularly from VPS providers.
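The log-monitoring advice above can be turned into a simple detection: flag SSL VPN logins whose source address belongs to a hosting/VPS range rather than a residential ISP, and flag accounts that suddenly authenticate from an address they have never used. The following is an added example, not code from the article or from Arctic Wolf; the log format, field names, and the provider-range table are constructed placeholders (a real deployment would use an ASN or GeoIP database).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed lookup of network ranges to provider type. These are RFC 5737
# documentation ranges standing in for a VPS provider and a home ISP.
PROVIDER_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "hosting"),      # stand-in for a VPS provider
    (ipaddress.ip_network("198.51.100.0/24"), "residential"),  # stand-in for a residential ISP
]

# Constructed syslog-style login records; the field names are assumptions,
# not SonicWall's actual log schema.
SAMPLE_LOGS = """\
2025-07-15T02:14:07Z msg="SSL VPN user login" usr=jdoe src=198.51.100.23
2025-07-15T03:41:52Z msg="SSL VPN user login" usr=jdoe src=203.0.113.45
2025-07-15T03:42:10Z msg="SSL VPN user login" usr=svc_backup src=203.0.113.46
2025-07-16T09:00:01Z msg="SSL VPN user login" usr=asmith src=198.51.100.77
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) msg="SSL VPN user login" usr=(?P<user>\S+) src=(?P<ip>\S+)$'
)

def classify(ip: str) -> str:
    """Map a source address to a provider category via the range table."""
    addr = ipaddress.ip_address(ip)
    for net, kind in PROVIDER_RANGES:
        if addr in net:
            return kind
    return "unknown"

def find_suspicious_logins(log_text: str) -> list[dict]:
    """Return logins from hosting/VPS ranges, plus logins from an address
    the account has not used earlier in this log window."""
    seen = defaultdict(set)   # account -> source addresses observed so far
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        reasons = []
        if classify(ip) == "hosting":
            reasons.append("source is hosting/VPS range")
        if seen[user] and ip not in seen[user]:
            reasons.append("new source address for account")
        seen[user].add(ip)
        if reasons:
            alerts.append({"ts": m["ts"], "user": user, "ip": ip, "reasons": reasons})
    return alerts
```

On the constructed sample this flags the two logins from the hosting range, one of them also as a new address for an account previously seen from a residential ISP.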
Akira ransomware has been active since March 2023 and has become one of the most aggressive and persistent cybercrime groups in the ransomware landscape. As of early 2024, the group is believed to have extorted approximately $42 million from more than 250 victims.
Recent data from Check Point shows Akira was the second most active ransomware group in Q2 2025, trailing only Qilin. The group reportedly claimed 143 victims during that quarter alone.
Interestingly, Akira seems to have a geographic preference. “Akira ransomware maintains a special focus on Italy, with 10% of its victims from Italian companies compared to 3% in the general ecosystem,” Check Point noted. This regional targeting could indicate either a strategic focus or language-based operational advantage.
The Akira ransomware campaign exploiting SonicWall SSL VPNs highlights the growing sophistication of ransomware actors and the risks posed by both known and unknown vulnerabilities in widely used enterprise devices.
Until further clarity is provided by SonicWall or a fix is released, organizations are strongly urged to tighten their remote access controls, enhance monitoring, and apply every layer of defense available.
This incident serves as a reminder that even fully patched systems are not immune to compromise, especially in a threat landscape where zero-day vulnerabilities are increasingly being used by ransomware groups.