Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices
Since July 2025, security firm Arctic Wolf has seen an increase in Akira ransomware activity targeting SonicWall firewall devices for initial access. “In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” state researchers in their new blog post.
The exact method of gaining initial access has not been clearly defined in the latest wave of attacks. In the past, threat actors have employed tactics such as brute force, dictionary attacks, and credential stuffing, taking advantage of compromised or weak credentials to target vulnerable VPN appliances. While credential-based attacks for initial access have not been ruled out completely, researchers suggest that Akira ransomware actors are likely exploiting a zero-day vulnerability, given that some of the incidents have compromised fully-patched SonicWall devices.
“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances,” state researchers.
Security Officer Comments:
According to Arctic Wolf, similar malicious VPN logins have been observed since at least October 2024. Researchers are still looking into the attack vector being employed in the latest Akira intrusions; we will update members once that information is readily available. Given the possibility that a zero-day vulnerability is being exploited for initial access, administrators have been advised to disable the SonicWall SSL VPN service until a patch is made available to the public and deployed.
Suggested Corrections:
SonicWall recommends the following security best practices for hardening firewall security posture:
- Enable Security Services: Ensure services such as Botnet Protection are active. These services help detect threat actors known to target SSLVPN endpoints.
- Enforce Multi-Factor Authentication (MFA): MFA should be enabled for all remote access to reduce the risk of credential abuse.
- Remove Unused Accounts: Delete any inactive or unused local firewall user accounts, particularly those with SSLVPN access.
- Practice Good Password Hygiene: Encourage periodic password updates across all user accounts.
Link(s):
https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html
https://arcticwolf.com/resources/bl...somware-activity-targeting-sonicwall-ssl-vpn/