A recent wave of Akira ransomware attacks targets SonicWall firewall devices, possibly exploiting a previously unidentified flaw. Since July, there have been multiple reports of ransomware intrusions leveraging unauthorized access to SonicWall SSLVPN connections. Arete has observed that in the majority of engagements attributed to Akira in July and August, the victim organization used SonicWall devices. Following this spike in Akira ransomware attacks against Gen 7 firewalls with SSLVPN enabled, SonicWall is exploring a potential new zero-day and is trying to identify whether these incidents were enabled by a recently discovered vulnerability or an existing flaw.
- The initial access techniques used in this campaign are not yet confirmed. Although a zero-day vulnerability is quite possible, access to credentials using dictionary attacks, brute force, or credential stuffing has not yet been completely ruled out.
- Aligned with similar attacks since at least October 2024, attackers swiftly switched from initial network access via SSLVPN accounts to data encryption during this spike in ransomware activity, suggesting a persistent campaign aimed at SonicWall devices.
Akira Activity in 2025
Akira frequently exploits vulnerabilities and targets unsecured VPNs and firewalls, taking advantage of gaps in a target’s infrastructure. Akira’s affinity towards SonicWall is nothing new, as the group has repeatedly found success exploiting vulnerabilities in SonicWall products in the past.
Akira was the most active threat group observed by Arete in 2024 and started 2025 as the top threat in January and February after successfully targeting another critical SonicWall VPN access control flaw (CVE-2024-40766) that multiple other threat groups also exploited.
Following a short hiatus in the middle of 2025, possibly due to the group staging for new attacks, Akira returned to its typical high monthly activity levels. In the past few months, the group has dominated the threat landscape, responsible for over 36% of all ransomware and extortion activity seen by Arete in July and already accounting for over half of Arete’s new engagements in August.
Analyst Comments
Akira remains a mainstay of the cyber ecosystem in 2025 and will likely remain one of the most active ransomware threats this year. Given the group’s past and present focus on vulnerable SonicWall products, it is especially important for users to be aware of this potential threat. Organizations are advised to review SonicWall firewalls with SSLVPN enabled for unauthorized logins, examine device settings, evaluate all configurations as possibly compromised, and carry out the necessary recovery procedures. SonicWall also advises users to disable SSLVPN whenever feasible, limit access to trusted IPs, activate security services like Botnet Protection and Geo-IP Filtering, enforce multi-factor authentication (although this may not completely stop the threat), delete unused accounts, particularly those with SSLVPN access, and use strong passwords. Protecting publicly accessible management interfaces is a fundamental security best practice.
Sources
Related Resources
![]()
Client Story: The Importance of External Penetration Testing
Brandon shares how Arete’s cybersecurity penetration testing helped protect his global team from threats, giving him peace of mind and expert support.
Read more![]()
Ransomware Trends & Data Insights: July 2025
Explore the July 2025 cyber threat landscape, where Akira led ransomware activity, Sinobi emerged, and SharePoint zero-days were exploited by multiple threat groups.
Read more![]()
Google Gemini Flaw Hijacks Email Summaries for Phishing
Google Gemini email summary flaw lets attackers hide malicious instructions in emails, leading users to phishing sites without clicking links.
Read more
