Akira Exploits M&A: Ransomware Infiltrates Parent Orgs via Unpatched SonicWall Devices
Ordinary mergers and acquisitions are unexpectedly becoming a convenient point of entry for extortionists: operators of the Akira ransomware are infiltrating the networks of large companies through vulnerable SonicWall appliances inherited along with the acquired business. ReliaQuest issued the warning after analyzing a series of attacks between June and October.
In every examined incident involving vulnerable SonicWall SSL VPN devices, the attackers first compromised the infrastructure of the smaller company and then, after the deal closed, used the same appliances to move laterally into the parent organization's network. The new owners often had no idea that such equipment even existed within their expanded IT environment, so years-old vulnerabilities on devices they did not know they owned went unpatched.
According to ReliaQuest, throughout the summer groups affiliated with Akira aggressively exploited misconfigurations and vulnerabilities in SonicWall firewalls and SSL VPNs to gain initial access, steal data, and deploy the ransomware. SonicWall SSL VPNs are widely used by small and mid-sized businesses — precisely the kinds of companies most frequently acquired — which makes the “SonicWall + M&A” combination especially attractive to cybercriminals.
Beyond the M&A factor, ReliaQuest found three recurring weaknesses across all examined Akira attacks: abandoned yet still active privileged accounts, default or easily guessable hostnames, and the absence of robust endpoint protection. Together, this trio of issues turned victim networks into something akin to “a corridor without cameras.”
Researchers note that immediately after breaching the network through a compromised SonicWall device, the attackers began hunting for privileged accounts that had “migrated” into the new company as part of the acquisition. These included legacy administrator profiles, accounts belonging to former managed-service providers, and other inherited access points the new owner might not even have known existed. As a result, ReliaQuest estimates that attackers reached the domain controller in an average of just 9.3 hours — and in some cases, in as little as five.
A rapid reconnaissance phase followed: the intruders scanned the network for hosts with default or predictable names, which let them quickly identify domain controllers, application servers, and other critical nodes. Less than an hour typically passed between the start of lateral movement and the detonation of the ransomware, leaving defenders almost no time to react.
ReliaQuest also underscores the role of endpoint security. In every case, Akira operators deliberately sought out critical hosts lacking EDR or comparable protection. If such machines could not be found, they attempted to disable defenses through DLL sideloading. The absence or weakness of endpoint security made it far easier for them to encrypt systems before anyone noticed the intrusion.
The researchers do not disclose how many attacks they analyzed, but their conclusion is unequivocal: companies undergoing mergers and acquisitions are becoming particularly enticing targets for ransomware groups. And without thorough inventories of inherited hardware, timely patching of vulnerable VPNs, deactivation of legacy accounts, and full protection of all endpoints, a new deal may bring not only assets — but extortionists already lodged deep within the network.
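The four recommendations above (inventory inherited hardware, patch the VPNs, deactivate legacy accounts, protect every endpoint) translate directly into checks an acquirer can run on day one. The script below is an added example written for this article, not ReliaQuest's or SonicWall's tooling: it takes a small inventory of the kind an acquirer should assemble (edge appliances, privileged accounts, hosts) and flags the weaknesses the report describes. The inventory, the 90-day idle threshold, the hostname patterns and the severity ordering are all constructed assumptions to be tuned for a real environment.

```python
"""Post-acquisition access and asset triage (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass
class Appliance:
    vendor: str
    model: str
    patched: bool      # firmware current per the vendor's advisories
    documented: bool   # present in the acquirer's asset register


@dataclass
class Account:
    name: str
    privileged_groups: tuple      # e.g. ("Domain Admins",); empty for ordinary users
    last_logon: Optional[date]    # None = no recorded logon at all
    note: str = ""


@dataclass
class Host:
    name: str
    role: str
    edr_agent: Optional[str]      # None = no endpoint agent reporting


# Name shapes that reveal a host's role with no discovery effort. Assumed
# patterns; extend with the acquired company's own naming scheme.
PREDICTABLE_NAME = re.compile(
    r"^(DC\d*|(SRV|SERVER|APP|SQL|DB|FS|FILE|EXCH|MAIL|PRINT)[-_]?\d*"
    r"|WIN-[A-Z0-9]{11})$",   # WIN-XXXXXXXXXXX is the Windows setup default
    re.IGNORECASE,
)


def risky_appliances(appliances):
    """Edge devices that are unpatched, unknown to the new owner, or both."""
    return [a for a in appliances if not (a.patched and a.documented)]


def dormant_privileged(accounts, today, max_idle_days=90):
    """Privileged accounts with no logon in max_idle_days (or none ever)."""
    found = []
    for a in accounts:
        if not a.privileged_groups:
            continue
        if a.last_logon is None or (today - a.last_logon).days > max_idle_days:
            found.append(a)
    return found


def predictable_hosts(hosts):
    return [h for h in hosts if PREDICTABLE_NAME.match(h.name)]


def unprotected_hosts(hosts):
    return [h for h in hosts if h.edr_agent is None]


def triage(appliances, accounts, hosts, today, max_idle_days=90):
    """Return (severity, category, identifier) findings, highest severity first.

    Assumed ordering: an unpatched, undocumented VPN appliance is the entry
    point; a dormant domain admin is the path to the DC; a host without EDR is
    where the ransomware detonates; a guessable name only speeds the attacker up.
    """
    findings = []
    for a in risky_appliances(appliances):
        sev = 4 if not (a.patched or a.documented) else 3
        findings.append((sev, "edge-device", f"{a.vendor} {a.model}"))
    for acct in dormant_privileged(accounts, today, max_idle_days):
        findings.append((3, "dormant-privileged-account", acct.name))
    for h in unprotected_hosts(hosts):
        findings.append((2, "no-edr", h.name))
    for h in predictable_hosts(hosts):
        findings.append((1, "predictable-hostname", h.name))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed inventory for an imaginary acquired subsidiary.
TODAY = date(2025, 11, 1)
SAMPLE_APPLIANCES = [
    Appliance("SonicWall", "SSL VPN (acquired site)", patched=False, documented=False),
    Appliance("SonicWall", "SSL VPN (HQ)", patched=True, documented=True),
]
SAMPLE_ACCOUNTS = [
    Account("adm-legacy", ("Domain Admins",), date(2023, 2, 1), "left before the deal"),
    Account("msp-support", ("Domain Admins", "Enterprise Admins"), None, "former MSP"),
    Account("jdoe", ("Domain Admins",), date(2025, 10, 28), "current admin"),
    Account("svc-backup", (), date(2022, 1, 1), "unprivileged service account"),
]
SAMPLE_HOSTS = [
    Host("DC01", "domain controller", "edr-vendor-a"),
    Host("WIN-4K2J8L1P9QX", "application server", None),
    Host("SQL02", "database", None),
    Host("mars-erp-prod", "application server", "edr-vendor-b"),
]

if __name__ == "__main__":
    for sev, cat, what in triage(SAMPLE_APPLIANCES, SAMPLE_ACCOUNTS, SAMPLE_HOSTS, TODAY):
        print(f"[{sev}] {cat:28} {what}")
```

On the sample data the undocumented, unpatched SonicWall appliance tops the list, followed by the two dormant domain admins (one belonging to a former MSP, with no recorded logon at all), then the two hosts with no EDR agent, one of which still carries its Windows setup default name. Feeding real exports (an AD privileged-group dump with lastLogonTimestamp, an EDR console's host list, the firewall asset register) into the same functions is the point of the exercise.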