A recent wave of Akira ransomware attacks targets SonicWall firewall devices, exploiting a previously identified flaw. Since July, there have been multiple reports of ransomware intrusions leveraging unauthorized access to SonicWall SSLVPN connections. Arete has observed that in the majority of engagements attributed to Akira in July and August, the victim organization used SonicWall devices. Following the recent spike in Akira ransomware attacks, SonicWall released an update stating that the attacks were not related to any new zero-day vulnerability, but instead are correlated with CVE-2024-40766, an older SonicWall VPN access control flaw that was first detected in August 2024.
In line with similar attacks discovered since at least October 2024, attackers swiftly switched from initial network access via SSLVPN accounts to data encryption during this spike in ransomware activity, suggesting a persistent campaign aimed at SonicWall devices.
Akira Activity in 2025
Akira frequently exploits vulnerabilities and targets unsecured VPNs and firewalls, taking advantage of gaps in a target’s infrastructure. Akira’s affinity towards SonicWall is nothing new, as the group has repeatedly found success exploiting vulnerabilities in SonicWall products in the past.
Akira was the most active threat group observed by Arete in 2024 and started 2025 as the top threat in January and February after successfully targeting another critical SonicWall VPN access control flaw (CVE-2024-40766) that multiple other threat groups also exploited.
Following a short hiatus in the middle of 2025, possibly due to the group staging for new attacks, Akira returned to its typical high monthly activity levels. In the past few months, the group has dominated the threat landscape, responsible for over 36% of all ransomware and extortion activity seen by Arete in July and already accounting for over half of Arete’s new engagements in August.
Analyst Comments
Akira remains a mainstay of the cyber ecosystem in 2025 and will likely remain one of the most active ransomware threats this year. Given the group’s past and present focus on vulnerable SonicWall products, it is especially important for users to be aware of this potential threat. Organizations are advised to review SonicWall firewalls with SSLVPN enabled for unauthorized logins, examine device settings, evaluate all configurations as possibly compromised, and carry out the necessary recovery procedures. SonicWall also advises users to disable SSLVPN whenever feasible, limit access to trusted IPs, activate security services like Botnet Protection and Geo-IP Filtering, enforce multi-factor authentication (although this may not completely stop the threat), delete unused accounts, particularly those with SSLVPN access, and use strong passwords. Protecting publicly accessible management interfaces is a fundamental security best practice.
Sources
Related Resources
![]()
Major Password Managers Vulnerable to Unpatched Clickjacking Flaws
Security researchers reveal unpatched clickjacking vulnerabilities in popular password managers, exposing sensitive data. Users are advised to disable autofill.
Read more![]()
US Sanctions Grinex Crypto Exchange
The US Treasury sanctioned Grinex, a crypto exchange built by Garantex insiders to evade sanctions and launder illicit funds, marking a major step in disrupting ransomware financing.
Read more![]()
Multiple Threat Groups Using New EDRKillShifter Builds
Multiple ransomware groups now use updated EDRKillShifter builds to disable EDR protections via BYOVD and HeartCrypt, targeting major security platforms.
Read more
