A new wave of ransomware attacks is targeting SonicWall SSL VPN devices – even those which are fully patched – leaving businesses at risk.
Understanding Akira’s Latest Surge in Activity
Since mid-July 2025, it’s become apparent that a major cybersecurity concern has been rearing its ugly head. And it’s a concern which affects any organization with an IT infrastructure, so that’s everyone reading this article.
Security researchers from Arctic Wolf have identified a surge in attacks which appear to involve Akira, a strain of ransomware typically offered as ransomware-as-a-service. For a cyberattack, it sounds relatively normal, but this time there’s a twist. Akira isn’t just hitting outdated, unpatched systems. Instead, SonicWall VPN devices, which are fully patched and configured, are being exploited.
Inside the Breach: How Akira Silently Exploited IT Systems
The threat actors gain access through SonicWall’s remote access system (SSL VPN) in order to start their attack. Once they’ve bypassed any cyber defenses, they unleash Akira and it instantly gets to work encrypting critical data. Akira moves quickly once it’s established itself on a system, so vast quantities of data can be compromised in a very short space of time. As well as putting your data and your customers’ data at risk, it also threatens to disrupt your business operations and productivity.
Arctic Wolf first noticed suspicious activity on July 15, 2025. The common factor in this activity was VPN access through SonicWall devices which was often followed, within hours, by ransomware infections. In most instances, Akira was installed on affected infrastructures, but there have also been several cases where the Fog ransomware variant was involved.
The surprising element in this attack is that many of the companies affected had put the correct defenses in place. Their firmware was up to date, default passwords had been changed, and their configuration settings were all correct. This has left Arctic Wolf speculating as to how Akira managed to establish a foothold in the breached systems. The most likely explanation is that the threat actors launching this attack have identified a zero-day vulnerability.
Arctic Wolf also revealed another interesting aspect of the attack: it appeared that virtual private servers were being used to log into the networks. Usually, genuine VPN connections would be made from ISP networks. Why would the attackers be taking this unusual step? Well, the simple answer is that it covers their tracks more effectively and makes them harder to trace.
Preventing Entry to Akira

Tools such as SonicWall SSL VPN are essential for businesses to facilitate remote access for employees and IT technicians. Therefore, it’s paramount that these are protected to ensure the smooth running of your IT operations. To strengthen your defenses against attacks, make sure you implement the following:
- Limit or Disable VPN Exposure: If you don’t need your remote access tools open to the internet, turn them off. If remote access is essential, make sure you restrict it to specific IP addresses which are trusted.
- Use Multi-Factor Authentication: If you want to enhance the security of your VPN, you should enable multi-factor authentication for anyone wanting to access it. By regularly reviewing accounts, removing old ones, and requesting password changes, you can stay one step ahead of any attackers.
- Monitor Unusual Activity: Any unfamiliar logins to your VPN should always be scrutinized closely and quickly. Ensure that a monitoring system is in place which can record, deny, and report any unusual logins.
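As an added example (not from the original article or from Arctic Wolf), the monitoring advice above can be sketched as a check that flags VPN logins arriving from hosting/VPS networks, the pattern described earlier in this article. The log layout, network ranges, and account names are constructed assumptions; a real deployment would parse the device's own log format and load hosting ranges from a maintained feed.

```python
import ipaddress
from datetime import datetime

# Assumption: networks approved for remote access (constructed values).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: hosting/VPS provider ranges from a feed you maintain (constructed).
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events in a simplified "timestamp user source_ip result"
# layout; real SonicWall logs use different fields and need their own parser.
SAMPLE_LOG = """\
2025-07-15T08:02:11 alice 198.51.100.23 success
2025-07-15T08:40:52 bob 192.0.2.77 success
2025-07-15T23:14:05 svc_backup 203.0.113.9 success
2025-07-15T23:15:40 alice 203.0.113.9 failure
truncated-entry
"""

def classify(ip):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TRUSTED_NETS):
        return "trusted"
    if any(addr in net for net in HOSTING_NETS):
        return "hosting"
    return "unknown"

def review_logins(log_text):
    """Flag VPN logins that do not come from a trusted network."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        ts, user, ip, result = parts
        try:
            when, origin = datetime.fromisoformat(ts), classify(ip)
        except ValueError:
            continue  # unparseable timestamp or address
        if origin == "trusted":
            continue
        if origin == "hosting":
            # A successful login from a VPS is the pattern seen before ransomware.
            severity = "high" if result == "success" else "medium"
        elif result == "success":
            severity = "low"  # outside the allowlist, but not a hosting network
        else:
            continue
        findings.append({"time": when, "user": user, "ip": ip, "severity": severity})
    return findings
```

Because ransomware followed the VPN login within hours in the reported cases, a "high" finding should page someone rather than wait for a daily report.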
For more ways to secure and optimize your business technology, contact your local IT professionals.




