
Image by Clint Patterson. From Unsplash
Akira Ransomware Exploits SonicWall VPN Accounts
The Akira ransomware group has started attacking SonicWall firewalls around the world, using stolen credentials and security weaknesses to bypass MFA and encrypt networks.
In a rush? Here are the quick facts:
- Akira ransomware has been exploiting SonicWall firewalls since July 2025.
- Attackers use stolen credentials and MFA bypass to gain access.
- MySonicWall cloud backup incident adds to security concerns.
Arctic Wolf Labs has identified a new wave of ransomware attacks targeting SonicWall firewalls, with intrusions beginning in late July 2025 and continuing to this day. The campaign combines stolen login credentials with a serious security vulnerability to bypass security controls.
“Threat actors obtained initial access through malicious SSL VPN logins with successful OTP Multi-Factor Authentication (MFA) challenge, and deployed Akira ransomware,” Arctic Wolf explained. Attackers performed network scanning operations followed by lateral movement through Impacket and encryption of data within a short time frame.
The hackers are believed to be exploiting CVE-2024-40766, an “improper access control vulnerability” first disclosed in 2024. Even patched devices remain at risk, because attackers holding previously stolen login credentials can still use them to gain access.
SonicWall has confirmed that compromised login credentials continue to function across various SonicOS system versions.
Adding to the concerns, SonicWall recently acknowledged an unrelated incident involving its MySonicWall cloud backup service. The company said it was not a ransomware attack, but “the full extent of this breach may not yet be fully known.”
The victim base spans various sectors, according to Arctic Wolf, because attackers carry out “opportunistic mass exploitation.” Arctic Wolf observed that attackers managed to bypass MFA security measures, though the exact method remains unclear.
With ransomware “dwell time” measured in just hours, experts say early detection is critical. Arctic Wolf advised organizations to watch for suspicious VPN logins from hosting providers and anomalous SMB activity.
“Because dwell time is typically measured in hours, detecting and disrupting the activity early is essential to prevent ransomware encryption and data theft,” the company warned.
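As an added illustration of the detection advice above (not code from the article or from Arctic Wolf), the following Python script flags successful SSL VPN logins whose source address falls inside hosting-provider ranges. The log lines and the provider ranges are constructed for the example, and the line format is a simplified placeholder rather than SonicWall's actual syslog format.

```python
import ipaddress
import re

# Constructed hosting-provider ranges (placeholders, not real allocations);
# in practice, populate this list from a maintained ASN/hosting-provider feed.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Simplified, constructed log format (not SonicWall's real format):
#   "<time> vpn user=<name> src=<ip> result=<success|failure>"
LOG_RE = re.compile(r"^(?P<time>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

# Constructed sample lines: one login from a corporate range, one successful
# login from a hosting range, and one failed attempt from a hosting range.
SAMPLE_LOGS = """\
2025-07-28T02:11:04Z vpn user=jdoe src=192.0.2.10 result=success
2025-07-28T02:13:40Z vpn user=asmith src=203.0.113.45 result=success
2025-07-28T02:14:02Z vpn user=asmith src=203.0.113.46 result=failure
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_hosting_ip(ip_text):
    """True if the address parses and lies inside one of the hosting-provider ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in HOSTING_RANGES)

def flag_suspicious_logins(log_text):
    """Return (user, src, time) tuples for successful VPN logins from hosting ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "success" and is_hosting_ip(rec["src"]):
            hits.append((rec["user"], rec["src"], rec["time"]))
    return hits

if __name__ == "__main__":
    for user, src, when in flag_suspicious_logins(SAMPLE_LOGS):
        print(f"ALERT: successful VPN login for {user} from hosting range {src} at {when}")
```

Failed attempts are deliberately not alerted here; they belong in a separate brute-force detection, while a success from a hosting range is what warrants immediate review given the short dwell times described above.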
The Akira ransomware group operates globally, and as the SonicWall campaign demonstrates, organizations need to keep their devices updated, strengthen MFA, and watch for system irregularities.