SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a new surge in activity at the end of July 2025.
“In the intrusions reviewed, several pre-ransomware infiltrations were seen within a short time, each including VPN access through SonicWall SSL VPNs.”
The cybersecurity company suggested that the attacks may be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day flaw, given that some incidents affected fully patched SonicWall devices. However, the possibility of credential-based attacks for initial access has not been ruled out.
The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has seen similar malicious VPN logins as far back as October 2024, which suggests sustained efforts to target the devices.
“A short interval was seen between the initial SSL VPN account access and ransomware encryption,” it said. “Unlike valid VPN logins, which usually arise from networks operated by broadband internet service providers, ransomware groups often use virtual private server hosting for VPN authentication in compromised environments.”
SonicWall did not respond before the publication of this article to a query sent for more information about the activity. As a mitigation, organizations are advised to consider disabling the SonicWall SSL VPN service until a patch is provided and deployed, given the possibility of a zero-day vulnerability.
Other best practices include enforcing multi-factor authentication (MFA) for remote access, deleting inactive or unused local firewall user accounts, and following good password hygiene.
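The two signals described above, SSL VPN logins arriving from virtual private server hosting networks and a short gap between login and encryption, can be combined into a simple triage check. The Python below is an added example, not code from Arctic Wolf or SonicWall; the CSV layout, the event names, the hosting ranges (documentation address space used as placeholders) and the four-hour window are all constructed assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed placeholder ranges (RFC 5737 documentation space) standing in for
# the hosting/VPS provider network list a real deployment would maintain.
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample events in a hypothetical export: time,user,src_ip,event
SAMPLE_LOG = """\
2025-07-20T08:01:12,alice,192.0.2.44,sslvpn_login
2025-07-20T22:40:03,svc_backup,198.51.100.23,sslvpn_login
2025-07-20T23:05:41,svc_backup,198.51.100.23,mass_file_rename
2025-07-21T09:15:00,bob,203.0.113.9,sslvpn_login
"""

def is_hosting(ip):
    """True when the source address falls inside a known hosting network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETS)

def triage(log_text, window=timedelta(hours=4)):
    """Return (user, src_ip, severity) for SSL VPN logins from hosting networks.

    Severity is 'critical' when the same account produces an encryption-like
    event (hypothetical 'mass_file_rename') within `window` after the login,
    otherwise 'review'. The window length is an assumption, not a page value.
    """
    rows = [(datetime.fromisoformat(r[0]), r[1], r[2], r[3])
            for r in csv.reader(io.StringIO(log_text)) if r]
    findings = []
    for ts, user, ip, event in rows:
        if event != "sslvpn_login" or not is_hosting(ip):
            continue
        followed = any(e == "mass_file_rename" and u == user
                       and timedelta(0) <= t - ts <= window
                       for t, u, _, e in rows)
        findings.append((user, ip, "critical" if followed else "review"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A login from a hosting network is not proof of compromise on its own, so the 'review' tier is meant for follow-up with the account owner rather than automatic blocking.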
As of early 2024, Akira ransomware actors are estimated to have made approximately $42 million in illicit proceeds after targeting more than 250 victims. Akira first emerged in March 2023.
Statistics shared by Check Point show that Akira was the second most active group after Qilin in the second quarter of 2025, claiming 143 victims during the time period.
The cybersecurity company said, “Akira ransomware has a special focus on Italy, with 10% of Italian companies suffering compared to 3% in the general ecosystem.”