
SonicWall SSL VPN devices have been subject to Akira ransomware attacks as part of a new surge in activity observed in late July 2025.
“The reviewed intrusions have observed multiple ransomware intrusions in a short period of time, each including VPN access via SonicWall SSL VPN,” said Julian Tuin, a researcher at Arctic Wolf Labs, in a report.
Cybersecurity companies have suggested that the attacks could be exploiting as-yet-undetermined security flaws in the appliance. However, the possibility of credential-based attacks for initial access has not been ruled out.
The surge in attacks involving SonicWall SSL VPNs was first recorded on July 15, 2025, but Arctic Wolf has observed similar malicious VPN logins dating back to October 2024, suggesting sustained efforts to target the devices.
“A short interval was observed between initial SSL VPN account access and ransomware encryption,” he said. “In contrast to legitimate VPN logins, typically derived from networks run by broadband internet service providers, ransomware groups use virtual private server hosting for VPN authentication in compromised environments.”
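The source-network signal described above can be turned into a simple log check. The following is an added example, not code from Arctic Wolf or SonicWall: the log format, field names, account names and the hosting-provider range are all constructed for illustration, and a real deployment would take the ranges from an ASN or IP-intelligence feed.

```python
import ipaddress
from datetime import datetime

# Constructed hosting-provider ranges (RFC 5737 documentation space). A real
# deployment would load these from an ASN / IP-intelligence feed.
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-07-15T08:02:11 user=alice src=198.51.100.23 result=success
2025-07-15T08:05:40 user=bob src=192.0.2.77 result=success
2025-07-16T02:14:09 user=svc_backup src=203.0.113.45 result=success
2025-07-16T02:15:30 user=alice src=203.0.113.45 result=failure
2025-07-16T02:16:02 user=alice src=203.0.113.46 result=success
"""

def parse_line(line):
    """Parse one line into a dict; raises ValueError/KeyError if malformed."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec

def is_hosting(ip):
    return any(ip in net for net in HOSTING_NETS)

def flag_hosting_logins(log_text):
    """Return (time, user, source IP, had_broadband_baseline) for each
    successful VPN login that came from a hosting-provider network."""
    baseline = set()  # users already seen logging in from non-hosting IPs
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = parse_line(line)
            user, ok = rec["user"], rec["result"] == "success"
        except (ValueError, KeyError):
            continue  # skip blank or malformed lines
        if not ok:
            continue
        if is_hosting(rec["src"]):
            alerts.append((rec["ts"].isoformat(), user, str(rec["src"]), user in baseline))
        else:
            baseline.add(user)
    return alerts

if __name__ == "__main__":
    for alert in flag_hosting_logins(SAMPLE_LOG):
        print("REVIEW:", *alert)
```

The last field in each alert separates accounts that normally log in from broadband networks, where a hosting-provider login is a deviation, from accounts with no baseline at all.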

A query sent to SonicWall for more information about the activity had not elicited a response by the time this article was published. As a mitigation, organizations are encouraged to consider disabling the SonicWall SSL VPN service until patches are available and deployed, given the potential zero-day vulnerabilities.
Other best practices include enforcing multi-factor authentication (MFA) for remote access, deleting inactive or unused local firewall user accounts, and maintaining password hygiene.
As of early 2024, the Akira ransomware actors are estimated to have extorted around $42 million in illicit proceeds after targeting more than 250 victims. The group first appeared in March 2023.
Statistics shared by Check Point show that Akira was the second most active group after Qilin in the second quarter of 2025, claiming 143 victims during the period.
“Akira ransomware maintains a special focus on Italy, with 10% of its victims being Italian companies, compared to 3% in the general ecosystem,” the cybersecurity company said.