CyberInsider

Reliable cybersecurity news and resources

General

Latest News

About

CyberInsider covers the latest news in the cybersecurity and data privacy world. In addition to news, we also publish in-depth guides and resources.
See our Mission >

SonicWall VPNs Targeted in Akira Ransomware Surge Using Suspected Zero-Day Exploits

By Leave a Comment
LinkedInReddit
SonicWall VPNs Targeted in Akira Ransomware Surge Using Suspected Zero-Day Exploits

Organizations using SonicWall firewalls are facing a surge in ransomware attacks tied to the Akira malware, with Arctic Wolf Labs reporting a sharp uptick in activity throughout July 2025.

Most incidents began with compromised SonicWall SSL VPN access — often through locally managed accounts — allowing attackers to breach networks without evidence of direct remote code execution. Alarmingly, some fully patched devices and accounts protected by multi-factor authentication (MFA) were still compromised, suggesting a potential zero‑day in SonicWall’s software.

Rapid Encryption and Potential Exploits

Arctic Wolf observed that in many cases, ransomware encryption occurred within hours of VPN login, frequently on the same day. With VPN logins originating from Virtual Private Server (VPS) IP addresses, defenders should closely monitor unusual source IP addresses and hosting networks.

Malicious activity began around July 15, 2025, though similar patterns have been visible since October 2024, indicating a sustained effort to target edge devices. Akira ransomware was deployed in roughly 75% of observed intrusions, with the remainder using Fog ransomware variants.

Why It Matters

This wave underscores the growing risk posed by vulnerabilities in VPN infrastructure, even when software is fully patched. The speed of escalation leaves security teams little time to respond, and compromised VPN access can undermine internal defenses quickly.

Arctic Wolf and other analysts suggest organizations take the following steps:

  • Consider disabling SonicWall SSL VPN if not essential
  • Enforce MFA and remove unused local firewall accounts
  • Rotate passwords and restrict access to trusted IP ranges
  • Monitor VPN access logs, especially for connections from hosting-provider IPs
  • Ensure firmware is updated to the latest version and apply vendor-recommended configuration best practices.

The July 2025 spike in Akira ransomware activity highlights weaknesses in remote-access infrastructure. Given the likelihood of an undisclosed SonicWall vulnerability and the sophisticated tactics used, organizations should urgently review VPN usage, strengthen access controls, and bolster logging to detect pre-attack activity before damage occurs.

If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.

More from CyberInsider

About Bill Mann

Bill specializes in explaining complex technical topics to a non-technical audience. In his 30+ year career, he has covered many of the technological advances that shape our lives. Today, Bill uses those skills to help people protect their privacy and security against the ever-growing assaults on both.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Share to...
BlueskyBufferCopyFlipboardHacker NewsLineLinkedInMastodonMessengerMixNextdoorPinterestPocketPrintRedditSMSTelegramThreadsTumblrVKWhatsAppXingYummly