Current Cyber Threats

Threat Spotlight: Akira Ransomware's SonicWall Campaign Creates Enterprise M&A Risk

Summary:
The Akira ransomware group has been actively exploiting SonicWall SSL VPNs to infiltrate newly acquired small- to medium-sized business environments during mergers and acquisitions (M&A). Between June and October 2025, security firm ReliaQuest examined a series of Akira attacks and uncovered an unsettling trend.

“In every incident, Akira operators gained a foothold in larger, acquiring enterprises by compromising SonicWall devices inherited from smaller, acquired businesses during M&A. In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed,” note the researchers in their new blog post.

SonicWall SSL VPN devices are widely used by small- and medium-sized businesses because of their affordability and ease of use. However, that same widespread adoption has made them a convenient launch pad for ransomware attacks. ReliaQuest highlights several weaknesses in SonicWall devices that are frequently exploited by actors like Akira:
  • Default or Unchanged Configurations: SonicWall devices are frequently deployed with default passwords, legacy privileged accounts, or outdated settings. If these are overlooked during integration, they become an easy way in for attackers.
  • Unpatched Vulnerabilities: Many organizations add SonicWall appliances to their network without regular patching or security reviews, leaving known vulnerabilities exposed for exploitation.
  • Untracked or Unmanaged Devices: In the rush of M&A activity, devices can sometimes be left out of inventories or monitoring processes. This allows attackers to use these devices as hidden entry points to move from acquired businesses into the larger organizations undetected.
Security Officer Comments:
In incidents observed by ReliaQuest, Akira actors gained access to sensitive systems via legacy admin credentials and reached a domain controller in an average of 9.3 hours, with some incidents taking less than 5 hours. Researchers note this was possible because admin accounts inherited during the M&A process went unchecked. In these cases, the account credentials were often unknown to the acquiring company, so they were left unmonitored and unrotated post-acquisition. By compromising these accounts, the actors were able to move deeper into the network quickly, before defenders could respond.

Suggested Corrections:
  • Prioritize SonicWall Patch Management and Configuration Audits: Akira ransomware rapidly exploits SonicWall devices with unpatched vulnerabilities or default configurations to gain initial access, especially in smaller businesses’ environments post-M&A. Establish a continuous patch management program for all remote access appliances and conduct regular configuration reviews to eliminate default credentials and insecure settings. This proactive approach removes Akira’s preferred entry points and minimizes the risk of high-speed compromise.
  • Implement Rigorous Credential Hygiene and Access Controls: Akira thrives on weak, stale, or excessive credentials inherited during M&A. Enforce strong password policies, mandate multifactor authentication (MFA) for all remote and privileged accounts and routinely audit for unused or risky credentials. These controls disrupt Akira’s ability to escalate privileges and move laterally through newly integrated environments.
  • Continuously Discover and Monitor Inherited Assets: Shadow IT and unmanaged endpoints, common in acquired businesses during M&A, create blind spots for Akira to exploit. Deploy automated asset discovery tools and establish continuous monitoring to identify all network-connected devices, especially those overlooked during integration. Proactive visibility prevents Akira from exploiting unknown systems and exfiltrating data at speed.
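As an added illustration of the last two corrections (not code from ReliaQuest or the original post), the script below reconciles a scan of the acquired network against the merged asset inventory to surface untracked appliances, and flags inherited privileged accounts whose passwords were never rotated after the acquisition date. All device, account and date values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:
    ip: str
    vendor: str

@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    inherited: bool          # True = account came over from the acquired business
    password_last_set: date

def find_untracked_devices(inventory, scan_results):
    """Return IPs seen on the network that are missing from the merged inventory."""
    known = {a.ip for a in inventory}
    return sorted(a.ip for a in scan_results if a.ip not in known)

def find_unrotated_inherited_admins(accounts, acquisition_date):
    """Return inherited privileged accounts whose password predates the acquisition."""
    return sorted(a.name for a in accounts
                  if a.privileged and a.inherited
                  and a.password_last_set < acquisition_date)

def review_acquisition(inventory, scan_results, accounts, acquisition_date):
    """Bundle both checks into one findings report for the integration team."""
    return {
        "untracked_devices": find_untracked_devices(inventory, scan_results),
        "unrotated_inherited_admins": find_unrotated_inherited_admins(accounts, acquisition_date),
    }

# Constructed sample data (hypothetical addresses, names and dates)
ACQUISITION_DATE = date(2025, 6, 1)
INVENTORY = [Asset("10.20.0.1", "core-firewall"), Asset("10.20.0.10", "file-server")]
SCAN = [Asset("10.20.0.1", "core-firewall"), Asset("10.20.0.10", "file-server"),
        Asset("10.20.0.254", "SonicWall SSL VPN")]   # present on the wire, absent from inventory
ACCOUNTS = [
    Account("svc-vpnadmin", True, True, date(2023, 3, 14)),   # inherited, never rotated
    Account("it-admin-old", True, True, date(2025, 7, 2)),    # inherited, rotated after close
    Account("corp-admin", True, False, date(2024, 1, 1)),     # acquirer's own account
    Account("jdoe", False, True, date(2022, 5, 5)),           # inherited but not privileged
]

if __name__ == "__main__":
    for finding, items in review_acquisition(INVENTORY, SCAN, ACCOUNTS, ACQUISITION_DATE).items():
        print(f"{finding}: {items}")
```

Feeding real inventory exports and directory attributes (such as password-last-set timestamps) into the same two functions gives an integration team a concrete worklist before the inherited appliances are exposed to the wider network.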
Link(s):
https://reliaquest.com/blog/threat-...onicwall-campaign-creates-enterprise-m&a-risk