Akira ransomware: From SonicWall VPN login to encryption in under four hours
Four hours or less: that’s how long it takes for Akira affiliates to break into organizations and deploy the ransomware on their systems, Arctic Wolf researchers have warned.
Armed with SonicWall SSL VPN credentials stolen in earlier intrusions and apparently able to bypass multi-factor authentication (MFA), the attackers:
- Start to scan the network to discover network services and unsecured accounts
- Use Impacket to set up and interact with SMB sessions
- Use RDP for lateral movement through compromised environments
- Find their way to a Domain Controller and gain access to virtual machine storage and backups
- Create additional accounts (including domain accounts) to install RMM tools and for data exfiltration
- Establish a C2 method
- Collect and exfiltrate data
- Disable legitimate RMM tools and EDR tools, delete Volume Shadow Copy Service (VSS) shadow copies, clear event logs
- Install WinRAR to archive data that will be exfiltrated via rclone or FileZilla to a virtual private server (VPS) they control
- Deploy the Akira ransomware.
Initial access
Arctic Wolf has been warning about the increase of Akira ransomware attacks since July 2025.
At first, it appeared the attackers might be exploiting a zero-day in SonicWall VPN devices, but it was later confirmed they were abusing CVE-2024-40766, an improper access control flaw in SonicWall SonicOS management access and SSL VPN.
A fix for CVE-2024-40766 was released by SonicWall in August 2024 but, according to the company, some customers have upgraded from Gen 6 to Gen 7 firewalls without resetting passwords for local user accounts with SSL VPN access.
The prevailing theory is that these actors harvested SSL VPN and privileged service account credentials months earlier during quieter intrusions. They are now reusing those credentials to breach organizations that may have patched or upgraded, but never rotated local user passwords.
Rapid7 researchers have also suggested that attackers are exploiting additional weaknesses, including:
- A misconfiguration in SonicWall devices’ SSLVPN Default Users Group setting, which automatically adds every successfully authenticated LDAP user to a predefined local group that may have access to sensitive services
- An externally accessible Virtual Office Portal within the SonicOS management interface, which lets them configure one-time password (OTP) multi-factor authentication on compromised accounts.
“In our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out scratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN login (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes (event ID 1382) in the five days leading up to the intrusions,” Arctic Wolf researchers noted.
“Taken together, the evidence points to the use of valid credentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled accounts remains unclear.”
So far, there’s no indication that these intrusions and the attack against SonicWall’s cloud backup service for firewalls are related.
Advice for organizations
Victim organizations span multiple industries and vary in size, which points to the attacks being opportunistic rather than targeted.
The extraordinarily short time between initial access and ransomware deployment means that early detection and response are crucial.
The researchers advise organizations to:
- Monitor for or, if possible, block logins from VPS hosting providers
- Monitor for anomalous SMB activity that points to Impacket use and for LDAP discovery activity
- Monitor for execution of network scanning tools and archival tools from unusual locations on servers
- Use App Control for Business to block unauthorized remote tools, deny execution from untrusted paths, etc.
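As an added illustration of the monitoring advice above (not code from Arctic Wolf or the article), the script below runs three checks over constructed SonicWall-style SSL VPN log lines: logins from VPS hosting ranges, logins by accounts that are not meant to use the VPN (such as LDAP synchronisation accounts), and an OTP configuration change (event 1382) in the days before a login (event 1080). The key=value layout, the VPS prefix and the account list are assumptions and placeholders; only the two event IDs come from the article.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in a simplified SonicWall-style key=value syslog layout (field
# names are an assumption for this example, not taken from a vendor reference).
# m=1080 is the SSL VPN login event and m=1382 the OTP unbinding / configuration
# change event that the Arctic Wolf researchers cite.
SAMPLE_LOGS = """\
id=firewall sn=FW01 time="2025-10-01 08:02:11" m=1382 usr="svc-ldapsync" src=203.0.113.7 msg="TOTP unbound"
id=firewall sn=FW01 time="2025-10-03 09:15:42" m=1080 usr="jsmith" src=198.51.100.25 msg="SSL VPN login"
id=firewall sn=FW01 time="2025-10-03 09:17:03" m=1080 usr="svc-ldapsync" src=203.0.113.7 msg="SSL VPN login"
id=firewall sn=FW01 time="2025-10-03 11:40:10" m=1080 usr="amiller" src=192.0.2.55 msg="SSL VPN login"
"""

# Placeholders: replace with your VPS/hosting provider prefixes and the accounts
# (e.g. LDAP synchronisation accounts) that should never authenticate to the VPN.
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
NON_VPN_ACCOUNTS = {"svc-ldapsync"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quotes stripped, time parsed."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def analyse(log_text, vps_ranges=VPS_RANGES, non_vpn=NON_VPN_ACCOUNTS,
            window=timedelta(days=5)):
    """Return (user, reason) alerts for SSL VPN logins matching the indicators."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    otp_changes = [e for e in events if e["m"] == "1382"]
    alerts = []
    for e in events:
        if e["m"] != "1080":
            continue
        src = ipaddress.ip_address(e["src"])
        if any(src in net for net in vps_ranges):
            alerts.append((e["usr"], "login_from_vps_range"))
        if e["usr"] in non_vpn:
            alerts.append((e["usr"], "non_vpn_account_login"))
        # An OTP unbinding shortly before the login suggests MFA was reconfigured
        # on the account rather than authenticated against with valid credentials.
        if any(c["usr"] == e["usr"]
               and timedelta(0) <= e["time"] - c["time"] <= window
               for c in otp_changes):
            alerts.append((e["usr"], "otp_change_before_login"))
    return alerts
```

Feed it a real export (after adjusting the field names) and review every alert against the account's expected VPN usage; the 1382 correlation is what lets you separate credential reuse from MFA tampering, as the researchers did.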
“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets,” Arctic Wolf researchers added.
“This includes both local firewall accounts and LDAP-synchronised Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle. Resetting LDAP synchronisation accounts is especially critical, as we have observed logins against these accounts despite them not being intended for VPN access.”