Akira Ransomware Group Exploits Zero-Day Vulnerability in SonicWall VPN Devices

279/68 Monday, August 4, 2025

Cybersecurity researchers from Arctic Wolf Labs have revealed that the Akira ransomware group has been actively targeting SonicWall SSL VPN systems since mid-July 2025. The attackers are using the VPN service as an entry point into victims’ networks. Notably, some of the affected devices had already been updated with the latest patches, suggesting the presence of a previously unknown or unpatched zero-day vulnerability. However, experts have not ruled out the possibility that attackers may have initially accessed the systems through credential-based attacks.

The report states that Akira often uses Virtual Private Servers (VPS) to log into VPNs—unlike typical logins, which usually come from residential internet service providers. These suspicious VPN logins and subsequent data encryption for ransom typically occur within a short time frame. Similar behavior has been observed since October 2024, highlighting a sustained effort to breach SonicWall systems.
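The login pattern described above can be turned into a simple triage check over VPN authentication logs. This is an added example, not code from the Arctic Wolf report: the log format is a simplified, assumed one (not SonicWall's own syslog layout), and the hosting-network list is constructed from documentation IP ranges in place of a real ASN or IP-reputation feed.

```python
import ipaddress
from datetime import datetime

# Constructed stand-in for a hosting/VPS network feed (RFC 5737 documentation
# ranges); in practice this comes from ASN or IP-reputation data.
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample log in an assumed "timestamp user= src= result=" format.
SAMPLE_LOG = """\
2025-07-21T08:02:11Z user=jdoe src=192.0.2.44 result=success
2025-07-21T23:47:05Z user=svc_backup src=198.51.100.17 result=success
2025-07-22T01:13:40Z user=jdoe src=203.0.113.9 result=failure
2025-07-22T01:14:02Z user=jdoe src=203.0.113.9 result=success
not a log line
"""

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {
            "time": datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
            "user": fields["user"],
            "src": ipaddress.ip_address(fields["src"]),
            "result": fields["result"],
        }
    except (ValueError, KeyError):
        return None

def flag_hosting_logins(log_text):
    """List successful VPN logins whose source IP is in a hosting network.

    Each alert also carries the number of failed attempts seen earlier from
    the same source, which helps separate credential guessing from other access.
    """
    failures, alerts = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] != "success":
            failures[ev["src"]] = failures.get(ev["src"], 0) + 1
        elif any(ev["src"] in net for net in HOSTING_NETS):
            alerts.append((ev["time"].isoformat(), ev["user"],
                           str(ev["src"]), failures.get(ev["src"], 0)))
    return alerts
```

Because the report says encryption tends to follow these logins within a short time frame, alerts from a check like this are best reviewed as soon as they fire rather than in a periodic batch.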

Arctic Wolf recommends that organizations using SonicWall SSL VPNs consider temporarily disabling the service until a patch becomes available. They also advise strengthening other security measures, such as:

  • Enforcing multi-factor authentication (MFA)
  • Removing unused user accounts
  • Setting strong and secure passwords

According to recent data, the Akira group has extorted over $42 million from more than 250 victims worldwide. In Q2 2025, Akira ranked as the second most active ransomware group, trailing only Qilin, with victims in Italy alone accounting for 10% of their attacks.

Source: https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html