Akira Ransomware Exploits SonicWall SSL VPNs: What You Need to Know

Listen to this Post

Featured Image

Rising Threat Across SonicWall Devices

Since July 2025, the Akira ransomware group has been exploiting SonicWall SSL VPNs, gaining access to networks by leveraging credentials believed to be harvested during the CVE-2024-40766 vulnerability window. This flaw allowed attackers to bypass OTP multi-factor authentication, opening the door to swift and devastating intrusions across multiple sectors. The campaign has been active since July 21, 2025, targeting SonicWall NSA and TZ series devices running SonicOS versions 6 through 8, including the newest 7.3.0 builds.

Even though SonicWall rolled out patches designed to mitigate brute-force and MFA bypass attempts, the attacks have not stopped. Researchers argue that credentials stolen earlier are still valid even after firmware updates, keeping organizations vulnerable. The cybersecurity firm Arctic Wolf noted that despite applying recommended mitigations, attackers consistently bypass MFA, highlighting a serious gap in current defenses.

Attack Vectors and Early Signs of Compromise

The attackers’ entry point is SSL VPN access, but unlike typical logins from broadband or SD-WAN users, these malicious connections frequently originate from VPS providers and privacy VPNs. This makes it harder for defenders to distinguish legitimate access from hostile activity. Local and LDAP-synced accounts, including Active Directory accounts not configured for VPN use, have all been targeted.

Over half of the observed attacks successfully authenticated through OTP MFA accounts, raising questions about whether OTP seeds were stolen or whether a deeper bypass method is being used. In some cases, attackers demonstrated automated login attempts across multiple accounts, suggesting scripted operations, although most incidents involved just one or two accounts.

Rapid Post-Login Activity and Network Reconnaissance

Once inside, attackers wasted no time. Within five minutes of gaining access, they scanned internal networks using tools such as SoftPerfect and Advanced IP Scanner, probing ports like RPC, NetBIOS, SMB, and SQL. They then shifted to lateral movement with Impacket (WMIExec, SMB sessions), Remote Desktop Protocol (RDP), and advanced Active Directory reconnaissance tools including nltest, BloodHound, SharpShares, and ldapdomaindump.

Files and reconnaissance data were stored locally in ProgramData or Temp folders, sometimes even opened in Notepad for manual review. Threat actors also focused on virtual machine storage and backup systems, attempting to capture sensitive data and administrator credentials.

Credential Theft and Persistence Tactics

A key technique observed was the extraction of Veeam 11/12 credentials using sqlcmd and a custom PowerShell tool that decrypted database secrets. Attackers created new administrative accounts under names like sqlbackup or veean, added themselves to high-level groups such as “ESX Admins,” and installed remote management tools like AnyDesk, TeamViewer, and RustDesk.

For persistence, they leveraged SSH reverse tunnels and Cloudflare Tunnel, installing cloudflared as a service. In some cases, OpenSSH was opened to all network interfaces (0.0.0.0). Scripts using Invoke-WebRequest and Start-BitsTransfer were also deployed to automate reinstallation if defenses kicked in.

Defense Evasion and Data Exfiltration

The attackers deployed a mix of defense evasion techniques, including disabling remote monitoring tools, deleting Volume Shadow Copies, turning off User Account Control (UAC), and attempting to neutralize antivirus or EDR solutions. A Bring-Your-Own-Vulnerable-Driver (BYOVD) trick was used, disguising malicious files as legitimate EDR software by repackaging Microsoft’s consent.exe.

Data exfiltration was equally sophisticated. They installed WinRAR on domain controllers and servers to package stolen files, then used rclone or FileZilla (fzsftp.exe) to transfer them via SFTP/SSH to external VPS infrastructure.

Encryption Timeline and Final Blow

Finally, ransomware payloads such as akira/locker/w.exe were deployed in strategic directories like ProgramData and custom folders such as C:\lock. Depending on the environment, encryption was completed within four hours, but in some cases, the damage was inflicted in as little as 55 minutes from initial login.

Recommended Mitigation

Experts strongly recommend that all SSL VPN credentials on SonicWall devices previously exposed to CVE-2024-40766 be reset. Additionally, Active Directory accounts tied to SSL VPN access or LDAP synchronization must be rotated. Without these measures, patched devices remain at risk, as attackers are leveraging old but still-valid credentials to break in.

What Undercode Say:

The Akira ransomware campaign targeting SonicWall devices highlights a fundamental truth in cybersecurity: patching alone is not enough when credentials are already in enemy hands. The persistence of these attacks, even against updated firmware, confirms that credential hygiene and MFA seed protection are the weakest links in enterprise defenses today.

A critical issue here is the reliance on MFA as a “safety net.” OTP-based MFA has been marketed as highly secure, yet the attackers’ success rate against OTP accounts suggests that seeds were stolen or cloned during earlier compromises. If OTP codes can be replicated, organizations face a systemic risk because every user’s account remains vulnerable, even if firmware and software are kept up to date.

Equally concerning is the attackers’ speed. Within minutes of gaining VPN access, they pivot across the network with scanning tools, lateral movement frameworks, and Active Directory enumeration. This speed drastically reduces the detection window, forcing defenders to operate under tighter constraints than ever before. Organizations that still rely on periodic log reviews or signature-based IDS tools are effectively blind against this tempo of attack.

The systematic use of reconnaissance tools like BloodHound and SharpShares points to attackers not just aiming for ransomware deployment but also conducting long-term domain mapping for privilege escalation. This suggests the campaigns are not random smash-and-grab operations, but carefully orchestrated strategies to maximize damage and ensure ransom leverage.

The focus on Veeam backups underscores another recurring theme in ransomware: attackers target recovery points first. By stealing backup credentials and manipulating database configurations, they ensure that victims cannot easily restore their systems, forcing payment. This “backup-first” tactic has now become a playbook standard for modern ransomware groups.

Persistence mechanisms such as Cloudflare Tunnels and SSH reverse connections show that Akira is adopting enterprise-grade stealth strategies. By embedding themselves into legitimate remote access tools, they camouflage malicious traffic as normal IT activity, complicating detection further.

Defense evasion through BYOVD techniques adds another layer of sophistication. By disguising malicious files as Microsoft utilities or EDR binaries, attackers exploit defenders’ trust in system files. This blurs the line between legitimate processes and malicious payloads, leaving traditional antivirus ineffective.

Another striking observation is the use of multiple exfiltration methods: WinRAR, rclone, and FileZilla. This redundancy ensures that even if one method is blocked, others succeed. It is a hallmark of resilience planning within attacker operations.

The rapid deployment of ransomware payloads—sometimes within an hour—underscores the operational maturity of the group. Many ransomware campaigns still maintain dwell times of days or weeks; Akira demonstrates that efficiency is now weaponized. This agility forces organizations to adopt real-time monitoring and automated response if they wish to stand a chance at stopping encryption before it’s too late.

Ultimately, the recommended mitigation of resetting all VPN and AD credentials affected by CVE-2024-40766 is both necessary and urgent. Without it, organizations are patching the walls while leaving the front door wide open. Credential compromise remains the invisible threat that software updates cannot fix.

The broader lesson from Akira’s campaign is that security cannot rest on patches and MFA alone. Enterprises must integrate credential lifecycle management, hardware-based MFA, behavioral analytics, and zero-trust principles to withstand attacks of this caliber. Anything less is an open invitation for repeat breaches.

Fact Checker Results

✅ Akira ransomware is confirmed to be actively exploiting SonicWall SSL VPNs.
✅ Evidence shows attackers bypass OTP MFA, though the exact method is still debated.
❌ Patching alone is not a full defense; stolen credentials remain valid across firmware upgrades.

Prediction

Akira’s campaign will likely inspire copycat groups to adopt similar credential-based intrusion methods. Organizations relying solely on VPNs and OTP MFA will continue to face elevated risks. In the next year, expect MFA bypasses and credential replay attacks to dominate ransomware entry vectors, forcing a paradigm shift toward phishing-resistant authentication and zero-trust adoption.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon