
Organizations using SonicWall firewalls are facing a surge in ransomware attacks tied to the Akira malware, with Arctic Wolf Labs reporting a sharp uptick in activity throughout July 2025.
Most incidents began with compromised SonicWall SSL VPN access — often through locally managed accounts — allowing attackers to breach networks without evidence of direct remote code execution. Alarmingly, some fully patched devices and accounts protected by multi-factor authentication (MFA) were still compromised, suggesting a potential zero‑day in SonicWall’s software.
Rapid Encryption and Potential Exploits
Arctic Wolf observed that in many cases, ransomware encryption occurred within hours of VPN login, frequently on the same day. Because the VPN logins originated from Virtual Private Server (VPS) IP addresses, defenders should closely monitor unusual source IP addresses and hosting networks.
Malicious activity began around July 15, 2025, though similar patterns have been visible since October 2024, indicating a sustained effort to target edge devices. Akira ransomware was deployed in roughly 75% of observed intrusions, with the remainder using Fog ransomware variants.
Why It Matters
This wave underscores the growing risk posed by vulnerabilities in VPN infrastructure, even when software is fully patched. The speed of escalation leaves security teams little time to respond, and compromised VPN access can undermine internal defenses quickly.
Arctic Wolf and other analysts suggest organizations take the following steps:
- Consider disabling SonicWall SSL VPN if not essential
- Enforce MFA and remove unused local firewall accounts
- Rotate passwords and restrict access to trusted IP ranges
- Monitor VPN access logs, especially for connections from hosting-provider IPs
- Ensure firmware is updated to the latest version and apply vendor-recommended configuration best practices
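The monitoring recommendation above can be turned into a simple triage pass over VPN login events. The following is an added example, not code from the article or from Arctic Wolf: it parses constructed log lines in an assumed "timestamp user src_ip event" layout (not a real SonicWall log format), flags successful SSL VPN logins whose source IP falls in a placeholder hosting-provider range or outside a trusted range, and additionally marks logins by locally managed accounts. The IP ranges and account names are illustrative assumptions; in practice they would come from your own allow-list and an IP-reputation feed.

```python
import ipaddress
from datetime import datetime

# Constructed ranges for illustration only (not from the article).
# Replace with your organisation's trusted ranges and a hosting/VPS reputation feed.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder VPS provider range

# Constructed sample log lines in an assumed "timestamp user src_ip event" format.
SAMPLE_LOG = """\
2025-07-15T02:11:04Z alice 203.0.113.17 sslvpn_login_success
2025-07-15T02:15:30Z svc_backup 198.51.100.23 sslvpn_login_success
2025-07-15T03:40:12Z svc_backup 198.51.100.23 sslvpn_login_success
2025-07-16T09:02:55Z bob 192.0.2.44 sslvpn_login_success
2025-07-16T09:03:10Z bob 192.0.2.44 sslvpn_login_failure
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, user, ip, event = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "event": event,
    }


def classify_ip(ip):
    """Return 'trusted', 'hosting' or 'unknown' for an IP address or string."""
    ip = ipaddress.ip_address(ip)
    if any(ip in net for net in TRUSTED_RANGES):
        return "trusted"
    if any(ip in net for net in HOSTING_RANGES):
        return "hosting"
    return "unknown"


def find_suspicious_logins(log_text, local_accounts=()):
    """Return (timestamp, user, ip, reasons) for each successful login worth review.

    A login is reported when its source is a hosting-provider range, is outside
    the trusted ranges, or belongs to a locally managed firewall account.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "sslvpn_login_success":
            continue  # only successful sessions can lead to the post-login activity described
        reasons = []
        origin = classify_ip(rec["ip"])
        if origin == "hosting":
            reasons.append("source IP in hosting-provider range")
        elif origin == "unknown":
            reasons.append("source IP outside trusted ranges")
        if rec["user"] in local_accounts:
            reasons.append("locally managed account")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["user"], str(rec["ip"]), reasons))
    return findings


if __name__ == "__main__":
    # "svc_backup" is an assumed locally managed account for this sample.
    for ts, user, ip, reasons in find_suspicious_logins(SAMPLE_LOG, local_accounts=("svc_backup",)):
        print(f"{ts} {user:<12} {ip:<16} {'; '.join(reasons)}")
```

Run as a script it lists the three logins that merit review in the sample (two from the placeholder hosting range by a local account, one from an untrusted address), while the login from the assumed corporate range by a non-local account is left alone. Feeding real exports through `find_suspicious_logins` only requires adapting `parse_line` to the actual log layout.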
The July 2025 spike in Akira ransomware activity highlights weaknesses in remote-access infrastructure. Given the likelihood of an undisclosed SonicWall vulnerability and the sophisticated tactics used, organizations should urgently review VPN usage, strengthen access controls, and bolster logging to detect pre-attack activity before damage occurs.