Akira Ransomware Strikes Again: SonicWall Devices Under Fire

Listen to this Post

Featured Image

Introduction

The world of cybersecurity is once again on high alert as the Akira ransomware gang resurfaces with renewed aggression. This time, their primary target has been SonicWall devices, a popular choice for secure remote access among enterprises worldwide. Over the past month, experts have reported a spike in attacks exploiting both known vulnerabilities and misconfigurations. With Akira rapidly climbing the ranks of the most active ransomware groups in 2025, organizations must urgently review their defenses before becoming the next victim.

the Attack

Cybersecurity firm Rapid7 confirmed that Akira ransomware operators are leveraging SonicWall firewalls as a gateway into corporate networks. The attacks intensified after late July 2025, coinciding with Akira’s return to the spotlight.

The vulnerability at the heart of these attacks is CVE-2024-40766, a year-old flaw with a critical CVSS score of 9.3. It arises when local user passwords are carried over during system migration without being reset, leaving accounts open to brute-force attempts. SonicWall acknowledged the issue, urging administrators to activate Botnet Filtering, enable Account Lockout policies, and review LDAP SSL VPN Default User Groups — a major weak point if misconfigured.

The flaw in LDAP groups is particularly dangerous. If every authenticated LDAP user is automatically assigned to a default group with high-level access, any compromised account—whether legitimate or not—instantly inherits sensitive permissions. This effectively bypasses Active Directory’s intended security layers, giving attackers an open door to critical infrastructure.

Beyond brute-force attempts, attackers have also been observed exploiting the Virtual Office Portal in certain configurations. This allows them to configure MFA/TOTP with valid accounts if prior credentials are leaked, making persistence easier.

Security agencies worldwide, including the Australian Cyber Security Centre (ACSC), have issued warnings about Akira’s tactics. Since its launch in March 2023, Akira has victimized at least 967 organizations, with July 2025 alone seeing 40 confirmed attacks — making it the third most active ransomware group, behind Qilin and INC Ransom.

The ransomware group is especially aggressive toward manufacturing and transportation sectors, using phishing, SEO poisoning, and malware loaders like Bumblebee. Once inside, attackers deploy AdaptixC2 for post-exploitation, install RustDesk for remote access, steal sensitive files, and finally execute hypervisor-level ransomware encryption.

AdaptixC2, being open-source and modular, gives attackers flexible tools to execute commands, exfiltrate files, and manipulate infected systems. Recent campaigns have even tricked employees through fake Microsoft Teams help desk calls, convincing them to grant remote access.

Ultimately, Akira follows a predictable yet highly effective playbook:

1. Breach via SSL VPN or brute-force attack.

2. Escalate privileges.

3. Move laterally to file servers.

4. Disable backups.

5. Deploy ransomware encryption.

With their evolving techniques and persistence, Akira continues to be one of the most feared names in cybercrime.

What Undercode Say:

Akira’s latest offensive reveals a triple-layered strategy: exploiting unpatched vulnerabilities, abusing misconfigurations, and manipulating human error. This mix makes the group particularly dangerous because even well-patched systems can still fall victim if configurations are sloppy or employees are tricked.

From an analytical standpoint, SonicWall’s role in this is both technical and psychological. Businesses trust VPN appliances as their “digital front doors.” When that door is compromised, attackers don’t just steal files — they compromise confidence in secure access technologies.

Another major takeaway is how ransomware gangs are evolving beyond encryption. Modern attackers like Akira focus equally on data exfiltration, persistence, and stealth tactics. The inclusion of SEO poisoning, fake IT calls, and open-source post-exploitation tools shows they’re not just script kiddies but well-coordinated cyber mercenaries.

This also exposes a disturbing truth: many organizations still underestimate misconfigurations. An outdated LDAP setting or a forgotten inactive account can provide the very foothold hackers need. In fact, small oversights are now as dangerous as unpatched CVEs.

Furthermore, Akira’s heavy targeting of manufacturing and transport is no accident. These industries cannot afford downtime — meaning ransom demands are more likely to be paid. It’s a strategic choice designed to maximize profits.

From a global perspective, the surge in Akira’s activity also reflects the professionalization of ransomware-as-a-service (RaaS) ecosystems. Tools like AdaptixC2 lower the barrier of entry for attackers, while tactics like SEO poisoning expand the victim pool. This means more cybercriminals can launch sophisticated attacks with minimal original development.

The larger implication for businesses is that defense must go beyond patching. Organizations need layered security with proactive monitoring, strict access controls, and continuous employee training. Simple defenses like password rotation, MFA enforcement, and removing inactive accounts may sound basic, but they often determine whether a ransomware attack succeeds or fails.

In conclusion, Akira’s campaign against SonicWall isn’t just a headline story—it’s a wake-up call. It highlights the weaknesses in modern security practices, the importance of human vigilance, and the rising dominance of ransomware groups that combine old vulnerabilities with new social engineering tricks.

✅ Fact Checker Results

The CVE-2024-40766 flaw exploited by Akira is real and rated critical.
Reports confirm Akira conducted 40+ attacks in July 2025, ranking it the third most active group globally.
SonicWall and cybersecurity firms officially confirmed the spike in related ransomware incidents.

🔮 Prediction

Looking ahead, Akira is likely to expand its playbook by automating credential harvesting and exploiting cloud services misconfigurations. With its proven success in manufacturing and transport, the group could next pivot to healthcare and financial institutions, industries equally vulnerable to downtime. Unless enterprises adopt zero-trust architectures and aggressively audit their VPN configurations, Akira’s reign as one of the most disruptive ransomware groups will only grow stronger.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub:
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon