New Akira Ransomware Wave Hits SonicWall Devices, Zero-Day Vulnerability Suspected
Since mid-July, a surge in ransomware attacks leveraging the Akira strain has been observed, specifically targeting SonicWall devices. According to cybersecurity firm Arctic Wolf, threat actors have been actively exploiting SSL VPN connections on these firewalls, with a yet-undisclosed zero-day vulnerability remaining the prime suspect behind the breaches.
Akira emerged in March 2023 and has since compromised over 300 organizations globally. Among its high-profile victims are Nissan (in Australia and Oceania), Hitachi, and Stanford University. As per FBI estimates, by April 2024, the group had extorted over $42 million from its targets.
Arctic Wolf Labs reports that the current wave of attacks began on July 15. In numerous incidents, unauthorized access was achieved via the SSL VPN functionality of SonicWall devices. Researchers emphasize that the precise initial access vector has yet to be confirmed. While the theory of a zero-day vulnerability remains the most plausible, alternative scenarios—such as credential compromise through brute-force, dictionary, or large-scale credential-stuffing attacks—cannot be definitively ruled out.
Once access is gained, the adversaries swiftly proceed to data encryption—a tactic consistent with attack patterns tracked since October 2024. The evidence strongly suggests a prolonged and targeted campaign against SonicWall, with attackers employing a well-rehearsed methodology: they irreversibly destroy backup archives, leaving victims without a path to recovery.
Moreover, an unusual VPN access pattern has been noted: rather than using standard ISPs, the attackers connect through hosting platforms, making it easier to distinguish malicious traffic from legitimate usage.
The investigation is ongoing, but administrators are already advised to temporarily disable SSL VPN, enable advanced logging, monitor endpoint activity, and block VPN access originating from hosting IP addresses until patches are available.
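To show how the hosting-origin access pattern described above can be turned into a detection rule, here is an added Python example that is not code from Arctic Wolf, SonicWall, or the original article: it parses successful SSL VPN logins and flags those whose source address falls in a hosting or VPS network. The log line layout, the network-to-category table, and the sample events are all constructed for this example; in production the classification would come from an ASN or IP intelligence feed.

```python
import ipaddress
import re

# Constructed sample SSL VPN login events; this layout is not SonicWall's real syslog format.
SAMPLE_LOGS = """\
2025-07-16T02:14:07Z sslvpn user=jdoe src=203.0.113.45 result=success
2025-07-16T08:31:52Z sslvpn user=asmith src=198.51.100.23 result=success
2025-07-16T02:15:10Z sslvpn user=svc_backup src=192.0.2.77 result=success
2025-07-16T02:16:44Z sslvpn user=jdoe src=203.0.113.45 result=failure
"""

# Constructed network-to-category table standing in for an ASN/GeoIP enrichment feed.
NETWORK_CATEGORIES = [
    (ipaddress.ip_network("203.0.113.0/24"), "hosting", "EXAMPLE-HOSTING-1"),
    (ipaddress.ip_network("192.0.2.0/24"), "hosting", "EXAMPLE-VPS-2"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp", "EXAMPLE-ISP-3"),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def classify_source(ip_text):
    """Return (category, org) for an address, or ("unknown", None) if unlisted."""
    ip = ipaddress.ip_address(ip_text)
    for net, category, org in NETWORK_CATEGORIES:
        if ip in net:
            return category, org
    return "unknown", None

def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def hosting_logins(log_text):
    """Return successful SSL VPN logins whose source sits in a hosting/VPS network."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Failed attempts belong to a separate brute-force rule; this one isolates successful access.
        if not ev or ev["result"] != "success":
            continue
        category, org = classify_source(ev["src"])
        if category == "hosting":
            hits.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "org": org})
    return hits

if __name__ == "__main__":
    for hit in hosting_logins(SAMPLE_LOGS):
        print("ALERT hosting-origin VPN login:", hit)
```

Alerts from this rule are a triage signal, not proof of compromise: corporate users on cloud-hosted VPN egress will also match, so pair it with the blocking and logging steps above rather than using it alone.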
This advisory was issued one week after SonicWall’s own urgent bulletin, which warned administrators to immediately update SMA 100 series devices. The alert addressed a critical vulnerability—CVE-2025-40599—that allows arbitrary code execution on unpatched devices, provided administrative privileges are obtained. While no confirmed exploitation of this flaw has yet been observed in the wild, SonicWall noted that attackers are already leveraging stolen credentials to deploy malware—including the newly discovered OVERSTEP rootkit, as identified by the Google Threat Intelligence Group.
The history of attacks against SonicWall is long-standing and marked by systemic issues.
SonicWall has also urged administrators managing both virtual and physical SMA 100 deployments to audit activity logs, search for indicators of compromise, and contact support immediately upon detecting any signs of intrusion.
As of publication, company representatives have not issued an official statement.