Close Menu
Cybercrime and Ransomware

Threat Actors Exploit SonicWall SSL VPNs to Deploy Akira Ransomware

Staff WriterBy No Comments3 Mins Read3 Views

Top Highlights

  1. Threat actors exploited CVE-2024-40766 in SonicWall SSL VPNs, enabling remote code execution and initial access across North America and EMEA since July 2025.
  2. Attackers performed reconnaissance, credential harvesting, and lateral movement, exfiltrating sensitive data before deploying Akira ransomware, often disabling logs and bypassing multi-factor auth.
  3. The Akira ransomware, evolving from Windows-only to Linux variants, utilizes double extortion tactics and relies on stolen credentials and misconfigurations for persistence.
  4. Organizations must patch SonicWall devices, enforce credential hygiene, and monitor for early indicators like unusual RDP, WinRM, and SSH activity to prevent or detect attacks early.

Key Challenge

In mid-2025, threat actors reemerged, exploiting known vulnerabilities in SonicWall SSL VPN appliances—specifically CVE-2024-40766—to deploy the sophisticated Akira ransomware across various enterprise networks in North America, EMEA, and beyond. These cybercriminals targeted unpatched SonicWall devices to gain unauthorized access, then conducted reconnaissance, credential theft, and lateral movements within networks. They often exfiltrated sensitive data prior to encryption, using covert channels like SSH to external endpoints, and employed advanced tactics such as disabling logs and leveraging legitimate administrative tools to remain undetected. The attackers, operating under a Ransomware-as-a-Service model, aimed at maximizing disruption by encrypting files and threatening data leaks, with their efforts increasingly affecting critical sectors like manufacturing, healthcare, and education. Darktrace cybersecurity analysts played a key role in identifying early signs of compromise—such as anomalous network requests—before ransom notes appeared, helping organizations respond swiftly. The widespread impact underscores the importance of promptly applying patches, enforcing strict security hygiene, and monitoring for unusual network activity to thwart such persistent threats.

Critical Concerns

In mid-2025, threat actors have exploited unpatched SonicWall SSL VPN vulnerabilities, specifically CVE-2024-40766, to implant the Akira ransomware across enterprise networks, leading to widespread data breaches, operational disruptions, and financial losses across sectors such as manufacturing, healthcare, and education. These attackers initiated their intrusion via remote code execution, then conducted reconnaissance, credential harvesting, and lateral movement using stolen credentials, often exfiltrating sensitive data before deploying ransomware. They employed sophisticated tactics like disabling logs, exploiting misconfigurations, and leveraging legitimate admin tools—WinRM and Rclone—to maintain persistence and evade detection. The evolving Akira strain now targets both Windows and Linux platforms, including VMware ESXi hosts, maximizing disruption under a ransomware-as-a-service model with double-extortion tactics. This campaign underscores the critical need for timely patching, robust credential management, and vigilant monitoring of suspicious network activity—especially anomalous SSH and RDP traffic—to prevent and contain such sophisticated cyber threats effectively.

Fix & Mitigation

Ensuring prompt remediation when threat actors exploit SonicWall SSL VPN devices to deploy Akira ransomware is crucial in safeguarding organizational assets, minimizing downtime, and preventing catastrophic data loss. Immediate action can contain the threat, reduce damage, and restore normal operations more efficiently.

Mitigation Strategies

  • Implement software updates promptly to address known vulnerabilities.
  • Enforce strong authentication methods, such as multi-factor authentication.
  • Disable unnecessary services and features on VPN devices.
  • Use firewall rules to restrict access to SSL VPN endpoints.

Remediation Actions

  • Conduct comprehensive system scans to detect malware or malicious activity.
  • Isolate affected devices to prevent lateral movement.
  • Perform data backups followed by secure data restoration, if necessary.
  • Review and strengthen security policies and access controls.
  • Monitor network traffic for unusual activity indicative of ongoing attacks.

Advance Your Cyber Knowledge

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.