Escalation in Akira Campaign Targets SonicWall VPNs, Deploys Ransomware
In a concerning escalation of a long-running campaign, security researchers at Arctic Wolf Labs have observed a surge of intrusions involving suspicious SonicWall SSL VPN activity. The malicious logins were followed by port scanning, Impacket SMB activity, and the rapid deployment of Akira ransomware, affecting victims across multiple sectors and organization sizes.
According to Arctic Wolf Labs, this campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025. "We've seen a significant increase in the number of attacks using this tactic," said a spokesperson for Arctic Wolf Labs. "The attackers are operating with remarkable speed, often deploying ransomware within minutes of initial access."
The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched. This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.
SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024. "We're working closely with our partners and customers to address this issue," said a SonicWall spokesperson. "We urge all users to ensure their devices are patched and up-to-date."
The Akira campaign has been ongoing since late July 2025, with victims spanning multiple sectors, including finance, healthcare, and education. The attackers' use of harvested credentials suggests an opportunistic mass exploitation strategy.
"This is a classic example of how threat actors can exploit vulnerabilities in previously patched systems," said a cybersecurity expert not affiliated with Arctic Wolf Labs. "It highlights the importance of ongoing monitoring and maintenance to prevent such attacks."
The dwell time, the interval from initial access to ransomware deployment, has been measured as alarmingly short. The attackers' speed and agility have left many wondering about the effectiveness of current security measures.
As the campaign continues to escalate, researchers are urging organizations to take immediate action to protect themselves against these types of attacks. "We recommend that all users review their patch levels, implement robust access controls, and monitor their networks for suspicious activity," said a SonicWall spokesperson.
The Akira campaign serves as a stark reminder of the evolving threat landscape and the need for continuous vigilance in cybersecurity. As researchers continue to study this campaign, they hope to glean valuable insights into the tactics and techniques used by these attackers.
Background
In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. The campaign has since escalated, with new infrastructure linked to it observed as late as September 20, 2025.
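An added example, not code from Arctic Wolf Labs or SonicWall: one way to hunt for the sequence described above is to correlate each SSL VPN login with the internal traffic that the VPN-assigned address generates in the following minutes. The event layout, thresholds and sample records are constructed assumptions, and fan-out on TCP/445 is only a proxy for the SMB activity, since flow records cannot identify Impacket itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window after a VPN login
SCAN_MIN_TARGETS = 5            # assumed: distinct (host, port) pairs treated as scanning
SMB_MIN_HOSTS = 3               # assumed: distinct hosts contacted on TCP/445

# Constructed sample events normalised from VPN and flow logs (not real data).
# login: (time, "login", user, vpn_ip)   flow: (time, "flow", src_ip, dst_ip, dst_port)
EVENTS = [
    ("2025-09-20T02:14:05", "login", "svc-backup", "10.8.0.21"),
    *[(f"2025-09-20T02:16:{i:02d}", "flow", "10.8.0.21", f"10.0.1.{10 + i}", 445)
      for i in range(4)],
    ("2025-09-20T02:17:30", "flow", "10.8.0.21", "10.0.1.10", 3389),
    ("2025-09-20T02:17:31", "flow", "10.8.0.21", "10.0.1.10", 135),
    ("2025-09-20T09:00:00", "login", "jdoe", "10.8.0.30"),
    ("2025-09-20T09:01:12", "flow", "10.8.0.30", "10.0.1.50", 443),
    ("2025-09-20T09:02:40", "flow", "10.8.0.30", "10.0.1.10", 445),
    ("2025-09-20T11:30:00", "flow", "10.8.0.21", "10.0.1.99", 445),  # outside the window
]

def correlate(events, window=WINDOW):
    """Return one finding per VPN login followed by scan-like or SMB fan-out traffic."""
    events = sorted(events, key=lambda e: e[0])  # ISO 8601 timestamps sort lexically
    flows = defaultdict(list)
    for e in events:
        if e[1] == "flow":
            flows[e[2]].append((datetime.fromisoformat(e[0]), e[3], e[4]))
    findings = []
    for e in events:
        if e[1] != "login":
            continue
        start, user, vpn_ip = datetime.fromisoformat(e[0]), e[2], e[3]
        recent = [(t, d, p) for t, d, p in flows[vpn_ip] if start <= t <= start + window]
        targets = {(d, p) for _, d, p in recent}
        smb_hosts = {d for _, d, p in recent if p == 445}
        reasons = []
        if len(targets) >= SCAN_MIN_TARGETS:
            reasons.append("port_scan")
        if len(smb_hosts) >= SMB_MIN_HOSTS:
            reasons.append("smb_fanout")
        if reasons:
            first = min(t for t, _, _ in recent)
            findings.append({"user": user, "vpn_ip": vpn_ip, "reasons": reasons,
                             "seconds_to_first_flow": int((first - start).total_seconds())})
    return findings

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Because the campaign moves from login to lateral activity within minutes, a rule of this kind is only useful if it runs continuously and triggers an immediate response, such as terminating the VPN session and resetting the account's credentials.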
Additional Perspectives
"This is a wake-up call for organizations to review their security posture and implement robust measures to prevent such attacks," said a cybersecurity expert not affiliated with Arctic Wolf Labs. "The use of harvested credentials highlights the importance of ongoing monitoring and maintenance."
Current Status and Next Developments
SonicWall is working closely with its partners and customers to address this issue, while Arctic Wolf Labs continues to monitor the situation.
In the meantime, cybersecurity experts are warning organizations to remain vigilant and proactive in their security measures. "This campaign serves as a stark reminder of the evolving threat landscape and the need for continuous vigilance in cybersecurity," said a SonicWall spokesperson.
*Reporting by It.*