New wave of attacks discovered

Akira ransomware targets SonicWall VPNs

Cybersecurity experts are sounding the alarm. The Akira ransomware is apparently once again exploiting vulnerabilities in SonicWall SSL VPNs to gain access to networks. Even patched systems and MFA do not currently offer reliable protection.

Attack via the vulnerability: SonicWall targeted

At the end of July 2025, the Arctic Wolf security team observed a significant increase in targeted ransomware activity. The attacks began with so-called “pre-ransomware” intrusions: early access to networks that is later used for extortion attempts. In several cases, the SSL VPN function of SonicWall firewall devices served as the entry point.

Worryingly, even fully updated systems with changed credentials were compromised. Even enabled multi-factor authentication could not always stop the attackers. This indicates a previously unknown security vulnerability that is not closed by regular updates.

Hands-on hacking: no coincidence, but precision

The group behind the Akira ransomware does not rely on automated malware, but on targeted manual intervention. Such hands-on-keyboard attacks are particularly difficult to detect and are carried out by skilled cybercriminals. The aim is to penetrate the system quickly and cause damage before countermeasures take effect.

Similar incidents were documented as early as 2024. At that time, attackers exploited a security vulnerability known as CVE-2024-40766, which also affected SonicWall VPNs. Current developments indicate that the group’s tactics have evolved.

Vulnerabilities at the network border as a new main target

The latest findings confirm a prediction made by Arctic Wolf last year. Back then, it warned that security vulnerabilities in devices at the edge of the network – such as firewalls and VPN access – could be increasingly exploited. This prediction has come true.

Ransomware groups are increasingly relying on mass automated scans for known vulnerabilities. If initial access is successful, this is often followed by precise manual attacks. Companies of all sizes are affected, as the perpetrators act opportunistically and strike wherever a weakness becomes apparent.

Conclusion: Akira ransomware remains a serious threat

The Akira ransomware is back and is once again exploiting vulnerabilities in VPN systems for its attacks. Anyone using SonicWall devices should be particularly vigilant now. Simply installing updates is no longer enough – the danger can only be contained through active monitoring and comprehensive security strategies.

More information on this topic is available in the Arctic Wolf blog.

(vp/Arctic Wolf)
