SonicWall Devices Under Attack: Mitigation Strategies Against Akira Ransomware Threats


SonicWall Devices Under Active Attack by Akira Ransomware Group

A surge in cyberattacks targeting SonicWall devices has been linked to the Akira ransomware group, with threat actors exploiting both a critical vulnerability and misconfigurations to breach corporate networks. The attacks, observed by cybersecurity firm Rapid7, have intensified since July 2025. Organizations must understand effective strategies for responding to ransomware attacks to minimize potential damage.

The campaign leverages a severe security flaw (CVE-2024-40766) in SonicWall's SSL VPN system, carrying a critical CVSS score of 9.3. This vulnerability allows attackers to exploit local user passwords that weren't properly reset during system migrations.

Attack Vectors and Methodology

Security researchers have documented three primary attack methods being used by Akira operators:

  • Exploitation of the SSL VPN vulnerability
  • Brute-force attacks against user credentials
  • Abuse of misconfigured LDAP SSL VPN Default User Groups

The LDAP misconfiguration is particularly concerning, as it automatically grants new users access to sensitive services regardless of their actual permissions in Active Directory. This security weakness effectively bypasses intended access controls, creating an easy entry point for attackers. Organizations implementing secure remote network access solutions must carefully evaluate their configuration settings.
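The brute-force vector above is the one a defender can detect from existing logs. The following is an added example, not Rapid7's or SonicWall's code: it walks a set of constructed, simplified SSL VPN authentication log lines (the key=value layout and field names are an assumption for this example, not SonicWall's real syslog schema) and flags sources that exceed a failure threshold inside a sliding window, plus any successful login that follows a burst of failures from the same source, which is the pattern a credential-guessing attack leaves when it finally lands.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value syslog style; the field
# names are an assumption for this example, not SonicWall's actual log schema.
SAMPLE_LOG = """\
time="2025-07-14 09:01:02" src=203.0.113.7 user=jsmith msg="SSL VPN login failed"
time="2025-07-14 09:01:05" src=203.0.113.7 user=jsmith msg="SSL VPN login failed"
time="2025-07-14 09:01:09" src=203.0.113.7 user=admin msg="SSL VPN login failed"
time="2025-07-14 09:01:12" src=203.0.113.7 user=backup msg="SSL VPN login failed"
time="2025-07-14 09:01:15" src=203.0.113.7 user=backup msg="SSL VPN login failed"
time="2025-07-14 09:01:20" src=203.0.113.7 user=backup msg="SSL VPN login succeeded"
time="2025-07-14 09:30:00" src=198.51.100.9 user=alice msg="SSL VPN login failed"
time="2025-07-14 09:30:30" src=198.51.100.9 user=alice msg="SSL VPN login succeeded"
"""
LINE_RE = re.compile(r'time="([^"]+)" src=(\S+) user=(\S+) msg="([^"]+)"')
FAIL, OK = "SSL VPN login failed", "SSL VPN login succeeded"

def parse(log_text):
    """Parse lines into (timestamp, src, user, msg), oldest first; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def analyse(events, threshold=5, min_failures=3, window=timedelta(minutes=5)):
    """Per-source sliding-window analysis. Returns a pair:
    bruteforce: {src: peak failure count} for sources reaching `threshold` failures in `window`,
    suspicious_logins: [(src, user)] where a success follows >= min_failures recent failures."""
    fails, brute, hits = defaultdict(list), {}, []
    for ts, src, user, msg in events:
        q = fails[src]
        while q and ts - q[0] > window:   # drop failures that fell outside the window
            q.pop(0)
        if msg == FAIL:
            q.append(ts)
            if len(q) >= threshold:
                brute[src] = max(brute.get(src, 0), len(q))
        elif msg == OK:
            if len(q) >= min_failures:
                hits.append((src, user))
            q.clear()                     # a success resets the per-source burst
    return brute, hits

if __name__ == "__main__":
    print(analyse(parse(SAMPLE_LOG)))
```

A success after a burst of failures is the higher-priority alert: it is the trigger for the password rotation and account review steps the advisory recommends.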

Threat Intelligence and Impact

Akira has emerged as one of the most active ransomware groups, claiming 967 victims since its debut in March 2023. Recent statistics show the group conducted 40 attacks in July 2025 alone, making it the third most prolific ransomware operation globally.

"The Akira group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges, stealing sensitive files, destroying backups, and deploying ransomware encryption at the hypervisor level," explains Rapid7's analysis.

Mitigation Strategies

To defend against these attacks, security experts recommend:

  1. Immediately rotate passwords on all SonicWall local accounts
  2. Remove unused or inactive SonicWall accounts
  3. Implement strict MFA/TOTP policies
  4. Restrict Virtual Office Portal access to internal networks only

Understanding VPN security best practices for network protection is essential for maintaining robust defenses against such threats.

For additional guidance on securing SonicWall devices, organizations can refer to the official SonicWall Security Advisory.

The ongoing campaign against SonicWall devices serves as a reminder that even well-established security solutions can become vectors for attack when not properly configured and maintained.
