SonicWall firewalls targeted in rising Akira ransomware attacks

Summary
– SonicWall firewall devices are being increasingly targeted by Akira ransomware attacks since late July, potentially exploiting an unknown vulnerability.
– Akira ransomware, active since March 2023, has affected over 300 organizations and collected $42 million in ransom payments from 250+ victims.
– Attackers may be exploiting a zero-day vulnerability or using credential-based methods like brute force to access SonicWall SSL VPN connections.
– Arctic Wolf advises administrators to disable SonicWall SSL VPN services and enhance security measures until patches are available.
– SonicWall recently warned customers to patch SMA 100 appliances against a critical vulnerability (CVE-2025-40599), though no active exploitation has been confirmed.

SonicWall firewalls have become prime targets in a recent wave of Akira ransomware attacks, with cybersecurity experts warning of potential exploitation of an undisclosed security flaw. The campaign, first detected in mid-July, has raised alarms across industries as threat actors leverage compromised network devices for widespread encryption and data theft.
Security firm Arctic Wolf has tracked multiple intrusions where attackers gained initial access through SonicWall SSL VPN connections, though the exact method remains under investigation. While evidence points toward a possible zero-day vulnerability, researchers haven’t discounted credential-based attacks like brute force or credential stuffing. Akira, active since early 2023, has already extorted over $42 million from more than 250 victims, including major corporations and academic institutions.
The ransomware group’s tactics follow a familiar pattern, breaching VPN accounts before swiftly moving to encrypt critical data. Notably, attackers have been routing authentication attempts through virtual private servers (VPS) rather than typical broadband providers, a red flag for defenders monitoring network traffic.
In response to the heightened risk, Arctic Wolf recommends organizations temporarily disable SonicWall SSL VPN services where possible. Additional precautions include enabling detailed logging, tightening endpoint monitoring, and blocking VPN logins from hosting providers until a patch is released.
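The VPS red flag and the "block VPN logins from hosting providers" advice above can be turned into a simple log-review check. The following is an added example, not code from the article, Arctic Wolf or SonicWall; it assumes a constructed log line layout and a constructed IP-to-network-owner table standing in for a real ASN/GeoIP lookup.

```python
import re
from collections import Counter

# Constructed sample lines loosely modelled on SSL VPN authentication messages;
# the field layout is an assumption, not the vendor's documented format.
SAMPLE_LOGS = """\
time="2025-07-28 02:11:05" msg="SSL VPN login attempt" usr="jdoe" src=203.0.113.17 result=failed
time="2025-07-28 02:11:09" msg="SSL VPN login attempt" usr="jdoe" src=203.0.113.17 result=failed
time="2025-07-28 02:11:14" msg="SSL VPN login attempt" usr="jdoe" src=203.0.113.17 result=success
time="2025-07-28 08:40:31" msg="SSL VPN login attempt" usr="asmith" src=198.51.100.8 result=success
time="2025-07-28 09:02:44" msg="SSL VPN login attempt" usr="bwong" src=192.0.2.77 result=success
"""

# Constructed owner table (ASN, organisation, network type); a real deployment
# would query an ASN/GeoIP database instead of a hard-coded dict.
IP_OWNER = {
    "203.0.113.17": ("AS64500", "ExampleVPS Hosting", "hosting"),
    "198.51.100.8": ("AS64501", "Example Broadband ISP", "isp"),
    "192.0.2.77": ("AS64502", "Example Cloud Servers", "hosting"),
}

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)".*?usr="(?P<user>[^"]+)"\s+src=(?P<src>\S+)\s+result=(?P<result>\w+)'
)

def parse_logs(text):
    """Parse each log line into a dict of fields; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def flag_vpn_logins(events, fail_threshold=2):
    """Alert on successful logins from hosting/VPS networks and on sources whose
    success followed at least fail_threshold failures (credential-guessing pattern)."""
    alerts = []
    fails = Counter()
    for ev in events:
        asn, org, kind = IP_OWNER.get(ev["src"], ("unknown", "unknown", "unknown"))
        if ev["result"] == "failed":
            fails[ev["src"]] += 1
            continue
        reasons = []
        if kind == "hosting":
            reasons.append(f"login from hosting provider {org} ({asn})")
        if fails[ev["src"]] >= fail_threshold:
            reasons.append(f"{fails[ev['src']]} failed attempts preceded success")
        if reasons:
            alerts.append({"time": ev["time"], "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return alerts
```

On the constructed sample this flags the two hosting-provider logins and notes that one of them followed repeated failures, while the broadband login passes silently.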
This advisory follows SonicWall’s recent alert about a separate critical flaw (CVE-2025-40599) affecting its SMA 100 series appliances. Though exploitation requires admin privileges, the company urged immediate patching after Google’s threat team uncovered credential-based attacks deploying the OVERSTEP rootkit on vulnerable systems. Administrators were advised to scrutinize logs for signs of unauthorized access and report any suspicious activity to SonicWall’s support team.
As investigations continue, businesses relying on SonicWall infrastructure face mounting pressure to reinforce defenses. With ransomware groups refining their techniques, proactive measures, from credential hardening to real-time threat detection, are now essential to mitigate exposure.
(Source: Bleeping Computer)