Article
Akira Targeting SonicWall Devices (Again)
Arete Analysis
Threat Actors
Cybersecurity Trends

A recent wave of Akira ransomware attacks targets SonicWall firewall devices, exploiting a previously identified flaw. Since July, there have been multiple reports of ransomware intrusions leveraging unauthorized access to SonicWall SSLVPN connections. Arete has observed that in the majority of engagements attributed to Akira in July and August, the victim organization used SonicWall devices. Following the recent spike in Akira ransomware attacks, SonicWall released an update stating that the attacks were not related to any new zero-day vulnerability, but instead are correlated with CVE-2024-40766, an older SonicWall VPN access control flaw that was first detected in August 2024.
In line with similar attacks discovered since at least October 2024, attackers swiftly switched from initial network access via SSLVPN accounts to data encryption during this spike in ransomware activity, suggesting a persistent campaign aimed at SonicWall devices.
Akira Activity in 2025
Akira frequently exploits vulnerabilities and targets unsecured VPNs and firewalls, taking advantage of gaps in a target’s infrastructure. Akira’s affinity towards SonicWall is nothing new, as the group has repeatedly found success exploiting vulnerabilities in SonicWall products in the past.
Akira was the most active threat group observed by Arete in 2024 and started 2025 as the top threat in January and February after successfully targeting another critical SonicWall VPN access control flaw (CVE-2024-40766) that multiple other threat groups also exploited.
Following a short hiatus in the middle of 2025, possibly due to the group staging for new attacks, Akira returned to its typical high monthly activity levels. In the past few months, the group has dominated the threat landscape, responsible for over 36% of all ransomware and extortion activity seen by Arete in July and already accounting for over half of Arete’s new engagements in August.
Analyst Comments
Akira remains a mainstay of the cyber ecosystem in 2025 and will likely remain one of the most active ransomware threats this year. Given the group’s past and present focus on vulnerable SonicWall products, it is especially important for users to be aware of this potential threat. Organizations are advised to review SonicWall firewalls with SSLVPN enabled for unauthorized logins, examine device settings, evaluate all configurations as possibly compromised, and carry out the necessary recovery procedures. SonicWall also advises users to disable SSLVPN whenever feasible, limit access to trusted IPs, activate security services like Botnet Protection and Geo-IP Filtering, enforce multi-factor authentication (although this may not completely stop the threat), delete unused accounts, particularly those with SSLVPN access, and use strong passwords. Protecting publicly accessible management interfaces is a fundamental security best practice.
Sources
Back to Blog Posts
Podcast
Digital Forensics Meets the Courtroom: Insights on Expert Witness and Cyber-Related Litigation
In this episode of Bytes of Insight, host Vinny Sakore and special guest Dr. Bruce Hartley, Managing Director and Co-Founder of Advisory Services at Arete, discuss the evolving role of digital forensics and expert witness work in cybersecurity litigation. Tune in for firsthand insights on how Arete conducts post-breach investigations, what it takes to undergo cross-examination on the stand, and how emerging threats like AI-driven social engineering and third-party breaches are reshaping the advisory landscape.
Article
Helix Extortion Group Debuts in SharePoint Data Theft Attacks
A newly identified data-extortion group, Helix, is reportedly conducting targeted campaigns by exploiting identity-based attack techniques to gain access to Microsoft 365 environments and exfiltrate data from SharePoint Online. The group leverages voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to compromise user accounts and establish unauthorized access.
Helix threat actors reportedly initiate intrusions through vishing campaigns, impersonating trusted individuals—often the target's manager—and leveraging caller ID spoofing to enhance credibility.
The actors then attempt to persuade victims to complete device code phishing workflows, enabling unauthorized access to corporate accounts and Microsoft 365 resources.
Following successful authentication, the actors conduct reconnaissance and enumeration of SharePoint environments before identifying and exfiltrating sensitive data for extortion purposes.
Helix's variable dwell times suggest a flexible, target-specific operational approach, enabling the group to adapt its intrusion timeline to victim environments to maximize data theft and extortion opportunities while minimizing the likelihood of detection. Helix's operations also appear to be focused on large-scale data theft and extortion, with an emphasis on automated SharePoint data exfiltration following successful credential or session compromise.
Overlaps with Other Extortion Groups
Researchers assess that Helix likely emerged from or has operational overlap with the ShinyHunters and BlackFile/Redact cybercriminal ecosystems. ShinyHunters historically focuses on compromising websites, developer repositories, and exposed credentials or API keys to gain access to corporate cloud environments, monetizing stolen victim data on the dark web. BlackFile utilizes identity-centric and social engineering–driven methods of intrusion, relying less on traditional malware and instead leveraging credential theft, privilege escalation, rapid data exfiltration, and coercive tactics such as swatting to maximize extortion pressure. In May 2026, BlackFile announced that it would be rebranding as “Redact” (which may have later rebranded again to “Pink”), yet despite the rebrands, threat actors operating within these groups continued to exhibit similar operational models, victimology, and extortion methodologies.
Analyst Comments
Collectively, the similarities between the groups suggest the possibility of a shared criminal ecosystem, affiliate network, or loosely connected threat cluster rather than entirely independent operations. The emergence of Helix further reflects the broader trend of extortion groups rebranding or fragmenting while retaining proven attack techniques and operational infrastructure to support their criminal activities. Despite suspicion of these groups’ connectivity, the exact nature of the relationship remains unconfirmed. As Helix focuses on identity-based attack techniques to gain access to Microsoft 365 environments, Arete recommends that organizations remain vigilant in using MFA, enforcing strong identity security controls, continuously monitoring authentication activity, and enhancing user awareness of social engineering tactics.
Sources
Helix, a New Name in the Data Extortion Ecosystem?
BlackFile actively extorting data-theft victims in retail and hospitality sector
"Pink" Data Extortion Group Hunting With Evasive Phishing Kits
Article
FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations.
What’s Notable and Unique
Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities.
Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group.
The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.
Mitigations
Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.
Analyst Comments
The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.
Sources
Is FortiBleed Linked to INC and Lynx Ransomware?
FortiBleed credential-theft campaign linked to Lynx ransomware
FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups
Article
Ransomware Trends & Data Insights: June 2026
Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026
Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:
In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.
In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.
Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.
Sources
Arete Internal



