In late July 2025, a significant surge in cyberattacks attributed to the Akira ransomware group was observed, with a clear focus on compromising corporate networks through SonicWall Secure Sockets Layer (SSL) Virtual Private Network (VPN) appliances. According to a report from Arctic Wolf Labs, this new campaign involves rapid intrusions following initial VPN access. The cybersecurity firm noted that the uptick in malicious activity involving these specific devices was first registered around July 15, 2025, though evidence suggests that similar tactics targeting SonicWall VPNs may have been employed by threat actors as far back as October 2024.
The methodology of the attacks points towards a sophisticated and swift operation.
Researchers highlighted a notably short interval between the moment an attacker gained initial access to a network via an SSL VPN account and the subsequent deployment of ransomware to encrypt files. A key indicator of malicious activity, as opposed to legitimate use, is the origin of the VPN connections. While typical employees log in from networks provided by common broadband internet service providers, these intrusions were observed originating from Virtual Private Server (VPS) hosting environments, a common tactic used by ransomware groups to obscure their location and activities.
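The indicator described above, successful SSL VPN logins whose source address belongs to a VPS or hosting provider rather than a residential ISP, can be checked mechanically against authentication logs. The script below is an added example, not code from Arctic Wolf or SonicWall; the log field layout, the sample events and the hosting prefix list are all constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of SSL VPN login events. The field layout is an assumption
# made for this example, not SonicWall's real syslog format.
SAMPLE_LOG = """\
2025-07-15T02:14:03Z user=jdoe src=203.0.113.45 result=success
2025-07-15T08:30:11Z user=asmith src=198.51.100.22 result=success
2025-07-15T02:15:40Z user=svc_backup src=203.0.113.46 result=success
2025-07-15T09:02:57Z user=jdoe src=192.0.2.10 result=success
"""

# Constructed prefix list standing in for VPS/hosting provider ranges. In a real
# deployment this would be fed from ASN or threat-intel data, not hard-coded.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24",)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def is_hosting_ip(ip_str):
    """True if the source address falls inside a known VPS/hosting prefix."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in HOSTING_PREFIXES)

def parse_events(log_text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def flag_hosting_logins(log_text):
    """Return (user, src, timestamp) for successful logins from hosting ranges."""
    flagged = []
    for ev in parse_events(log_text):
        if ev["result"] == "success" and is_hosting_ip(ev["src"]):
            flagged.append((ev["user"], ev["src"], ev["ts"].isoformat()))
    return flagged

if __name__ == "__main__":
    for hit in flag_hosting_logins(SAMPLE_LOG):
        print("suspicious SSL VPN login from hosting range:", hit)
```

A hit on an account that normally logs in from a residential ISP is the trigger to review that session and the account's recent activity, given the short interval the researchers observed between access and encryption.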
The most critical concern arising from these incidents is the strong possibility that Akira is exploiting a previously unknown, or “zero-day,” vulnerability in the SonicWall products.
This suspicion is fueled by evidence that some of the compromised organizations were running fully patched SonicWall devices, which should theoretically be protected against known exploits. While a zero-day exploit is the leading theory, experts have not yet dismissed the possibility that attackers gained access through credential-based methods, such as using stolen or weak passwords. At the time of the report, SonicWall had not yet issued a response or provided further details on the matter.
In response to this active threat, security professionals have issued urgent recommendations for organizations utilizing the affected technology. The primary mitigation strategy, given the potential for a zero-day exploit, is to disable the SonicWall SSL VPN service entirely until an official patch is developed and deployed. Beyond this immediate step, organizations are strongly advised to implement or reinforce standard cybersecurity best practices, including enforcing multi-factor authentication (MFA) on all remote access accounts, deleting any unused or inactive user accounts on the firewall, and adhering to strict password hygiene policies.
The Akira ransomware gang, which first appeared in March 2023, has rapidly grown into a formidable threat in the cybercrime landscape. By early 2024, the group was estimated to have extorted approximately $42 million from over 250 victim organizations. Recent statistics from Check Point for the second quarter of 2025 positioned Akira as the second most active ransomware group, just behind Qilin, having claimed 143 victims in that period. The group also demonstrates a notable geographic preference, with 10% of its victims being Italian companies, a significantly higher proportion compared to the general ransomware ecosystem.