
Overview
Since mid‑July 2025, there has been a marked increase in Akira ransomware attacks exploiting SonicWall SSL VPN connections. Multiple security research teams, including Arctic Wolf Labs, have observed active exploitation, with incidents frequently tied to devices running unpatched versions of SonicOS.
What’s Happening
- Initial vector: Most intrusions begin with unauthorized logins to SonicWall SSL VPN accounts, typically accounts whose credentials are stored locally on the firewall rather than in a centralized directory. In nearly every observed case, multi-factor authentication (MFA) was disabled.
- Rapid escalation: Once connected, the actors move from VPN access to data exfiltration and system encryption within hours.
- Likely root cause: Evidence points to exploitation of CVE-2024-40766, an improper access control flaw in SonicOS affecting Gen 5, Gen 6, and early Gen 7 devices (up to version 7.0.1-5035). Since the flaw was patched in August 2024, this is a known vulnerability rather than a zero-day; credential-based attacks such as brute force have also been noted as possible vectors.
- Vendor response: SonicWall released patches for CVE-2024-40766 in August 2024 and expanded its advisory in September 2024 to emphasize SSL VPN exposure. The vulnerability carries a CVSS score of 9.3.
Why It Matters
- Scope of exposure: Hundreds of thousands of devices across multiple SonicWall generations fall within the affected firmware ranges, and many were still running vulnerable firmware into 2025.
- High-value targets: Akira ransomware has been active since March 2023 and, as of April 2024, had impacted more than 250 organizations and collected over $42 million in ransom payments.
- Short attack window: In many tracked cases, attackers moved from initial access to encryption in under a day, leaving little time for detection and containment.
Key Recommendations
Patch Immediately
Update to a fixed SonicOS release. Confirm that no device is still running any of the following versions:
- Gen 5: SonicOS 5.9.2.14-12o or older
- Gen 6: SonicOS 6.5.4.14-109n or older
- Gen 7: SonicOS 7.0.1-5035 or older
Harden SSL VPN Access
- Disable SSL VPN access if it is not required.
- Require MFA for every SSL VPN account, including locally managed ones.
- Reset the passwords of all locally managed accounts, since those are the credentials observed in use for initial access.
- Restrict firewall management access to trusted IP ranges.
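The two sections above (patch level and SSL VPN hardening) reduce to a check you can run against a firewall inventory. The following Python script is an added example written for this page; it is not SonicWall code and does not use the SonicOS API. It parses SonicOS version strings of the form "6.5.4.14-109n" / "7.0.1-5035" into sortable tuples, compares them against the vulnerable ceilings listed above, and flags devices that expose SSL VPN without MFA or allow management from anywhere. The `Firewall` record and the `INVENTORY` list are constructed for the demonstration; in practice you would populate them from your asset inventory or firewall exports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Vulnerable ceilings from the advisory: a device on the listed version or
# anything older for its generation still needs the CVE-2024-40766 patch.
VULNERABLE_CEILINGS = {
    5: "5.9.2.14-12o",
    6: "6.5.4.14-109n",
    7: "7.0.1-5035",
}

# SonicOS version strings look like "6.5.4.14-109n" or "7.0.1-5035":
# a dotted release, a build number, and an optional single-letter suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_sonicos_version(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Convert a version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    release, build, suffix = m.groups()
    return (tuple(int(p) for p in release.split(".")), int(build), suffix)


def is_vulnerable(version: str) -> bool:
    """True if the version is at or below the advisory ceiling for its generation.

    Caveat: this is a plain lexical comparison against the three ceilings on
    this page. Model-specific fix branches (some Gen 6 hardware runs a
    separate 6.5.2.x line) must be checked against the vendor advisory.
    """
    parsed = parse_sonicos_version(version)
    generation = parsed[0][0]
    if generation not in VULNERABLE_CEILINGS:
        raise ValueError(f"no ceiling known for generation {generation}")
    return parsed <= parse_sonicos_version(VULNERABLE_CEILINGS[generation])


@dataclass
class Firewall:
    """Hypothetical inventory record; the fields are assumptions for this demo."""
    name: str
    firmware: str
    sslvpn_enabled: bool
    mfa_required: bool
    # CIDRs allowed to reach the management interface; "any" means unrestricted.
    mgmt_allowed_from: List[str] = field(default_factory=list)


def audit(fw: Firewall) -> List[str]:
    """Return the hardening gaps for one device, in the order the advisory lists them."""
    findings = []
    if is_vulnerable(fw.firmware):
        findings.append(f"firmware {fw.firmware} is at or below the vulnerable ceiling; patch")
    if fw.sslvpn_enabled and not fw.mfa_required:
        findings.append("SSL VPN enabled without MFA; enforce MFA or disable SSL VPN")
    # An empty allow-list is treated as unrestricted, the conservative reading.
    if not fw.mgmt_allowed_from or "any" in fw.mgmt_allowed_from or "0.0.0.0/0" in fw.mgmt_allowed_from:
        findings.append("management reachable from any address; restrict to trusted ranges")
    return findings


def audit_inventory(inventory: List[Firewall]) -> Dict[str, List[str]]:
    return {fw.name: audit(fw) for fw in inventory}


# Constructed inventory for the demonstration (not real devices).
INVENTORY = [
    Firewall("branch-fw-01", "6.5.4.14-109n", True, False, ["any"]),
    Firewall("hq-fw-01", "7.1.1-7058", True, True, ["10.0.0.0/8"]),
    Firewall("lab-fw-01", "7.0.1-5035", False, False, ["10.0.0.0/8"]),
    Firewall("dc-fw-02", "6.5.4.15-116n", True, True, ["203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Equal-to-ceiling versions are reported as vulnerable on purpose: the advisory says "or older", which includes the listed build itself. A device with SSL VPN disabled is not flagged for missing MFA, but it is still flagged for an unpatched firmware, because the same flaw also covers management access.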
Improve Visibility
- Monitor VPN login logs for logins from unexpected geolocations or from hosting/VPS provider address space, which rarely appears in legitimate remote-worker traffic.
- Forward firewall logs to a SIEM so that VPN login events can be correlated with endpoint activity.
- Consider geo-blocking regions from which no legitimate users connect.
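The visibility recommendations above become concrete once the VPN login events are parsed. The following Python script is an added example for this page, not tooling from the original advisory or from SonicWall. It reads SonicOS-style key=value syslog lines, and raises an alert when a successful SSL VPN login comes from a hosting-provider range or from a country outside the expected set, or when one source address tries several different usernames in a short window (the pattern brute-force and password-spray attempts leave). The sample log lines, the hosting range, the CIDR-to-country table, and the thresholds are all constructed for the demonstration; in production the country lookup comes from a GeoIP/ASN feed and the thresholds are tuned to your user population.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in a SonicOS-style key=value syslog layout. The message
# texts and addresses are illustrative, not captured device output.
SAMPLE_LOGS = """\
time="2025-07-20 02:14:07" msg="SSL VPN zone remote user login allowed" usr="jsmith" src=198.51.100.23:51122:X1
time="2025-07-20 02:14:09" msg="SSL VPN zone remote user login allowed" usr="bwong" src=203.0.113.14:44010:X1
time="2025-07-20 02:15:30" msg="User login failed" usr="admin" src=198.51.100.23:51140:X1
time="2025-07-20 02:15:31" msg="User login failed" usr="it_backup" src=198.51.100.23:51141:X1
time="2025-07-20 02:15:33" msg="User login failed" usr="svc_scan" src=198.51.100.23:51142:X1
time="2025-07-20 02:16:02" msg="SSL VPN zone remote user login allowed" usr="svc_scan" src=198.51.100.23:51150:X1
time="2025-07-20 09:02:44" msg="SSL VPN zone remote user login allowed" usr="bwong" src=192.0.2.77:40001:X1
"""

# Hypothetical reference data. Replace with your own address inventory and a
# GeoIP/ASN feed; hard-coding a table is only sensible for a demo.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # "VPS provider" range
GEO_TABLE = {                                                # CIDR -> ISO country code
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
}
EXPECTED_COUNTRIES = {"US"}
SPRAY_THRESHOLD = 3                     # distinct usernames from one source ...
SPRAY_WINDOW = timedelta(minutes=10)    # ... within this window

# key=value pairs, where the value is either "quoted text" or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, object]:
    fields: Dict[str, object] = {}
    for key, _, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted or bare
    # src is "ip:port:interface"; keep the IPv4 address only (IPv6 not handled here).
    fields["ip"] = str(fields.get("src", "")).split(":")[0]
    fields["ts"] = datetime.strptime(str(fields["time"]), "%Y-%m-%d %H:%M:%S")
    return fields


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def is_hosting(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def triage(raw_logs: str) -> List[str]:
    """Return human-readable alerts for the constructed detections above."""
    events = [parse_line(l) for l in raw_logs.splitlines() if l.strip()]
    alerts: List[str] = []
    attempts_by_src = defaultdict(list)  # ip -> [(timestamp, username)], successes and failures

    for e in events:
        attempts_by_src[e["ip"]].append((e["ts"], e["usr"]))
        if "login allowed" in str(e["msg"]):
            if is_hosting(e["ip"]):
                alerts.append(f"{e['usr']} logged in from hosting range {e['ip']}")
            cc = country_of(e["ip"])
            if cc not in EXPECTED_COUNTRIES:
                alerts.append(f"{e['usr']} logged in from unexpected country {cc} ({e['ip']})")

    # Spray/brute-force: many distinct usernames from one source inside the window.
    for ip, attempts in attempts_by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_THRESHOLD:
                alerts.append(f"{ip} tried {len(users)} accounts within {SPRAY_WINDOW}")
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print("ALERT:", alert)
```

On the sample, the two logins from the hosting range each produce a hosting and a country alert, the same source is reported for trying four accounts in two minutes, and the legitimate user `bwong` produces nothing. Note that the successful `svc_scan` login arrives after three failures from the same address; correlating that sequence in the SIEM with endpoint activity from the VPN-assigned address is what turns an alert into a contained incident.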
Validate Incident Response & Recovery
- Maintain regular offline backups of critical systems.
- Test restore processes frequently.
- Conduct ransomware-specific tabletop exercises.
Bottom Line
The Akira ransomware surge targeting SonicWall devices is a reminder that internet-facing remote-access infrastructure is a high-value target. Patching, enforcing MFA, resetting local credentials, restricting management access, and maintaining strong monitoring are essential to reducing risk.