Arctic Wolf Labs Uncovers Alarming Akira Ransomware Assault on SonicWall VPNs—Even Fully Patched Systems at Risk
Researchers at Arctic Wolf Labs have unveiled a sophisticated campaign by the Akira ransomware group, exploiting SonicWall SSL VPNs through what appears to be a zero-day vulnerability. Shockingly, this attack compromises even devices that are fully patched, protected by multi-factor authentication (MFA), and employ regular credential rotations.
Starting in late July 2025, Arctic Wolf Labs detected a surge of intrusions via VPN access, revealing that traditional security measures are failing to stop this new wave of attacks. The evidence points strongly to an unknown zero-day flaw in SonicWall VPNs, as attackers successfully penetrated accounts protected by time-based one-time passwords (TOTP) and fresh credentials.
“Although brute force and credential stuffing can’t be completely ruled out in every case, our investigation strongly suggests a zero-day exploit is at play,” the Arctic Wolf report states. “In some breaches, fully updated SonicWall devices were compromised shortly after credentials were rotated, despite MFA protections being in place.”
This ransomware campaign has been intensifying since mid-July 2025, with similar activity traced back as far as October 2024. Attackers are cleverly masking their origins by logging in from virtual private servers (VPS), distinct from legitimate users who connect via regular internet service providers. Arctic Wolf also noted rapid progression from VPN access to file encryption, indicating a well-orchestrated attack sequence.
“The stark difference in login patterns is a red flag—while legitimate users access via ISP networks, threat actors prefer VPS hosts for their VPN logins, signaling a hostile breach,” the report explains.
In light of this emerging threat, Arctic Wolf advises organizations to temporarily disable SonicWall SSL VPN services until an official patch is released and fully deployed.
Meanwhile, SonicWall recommends activating additional layers of security such as Botnet Protection, enforcing MFA universally, and cleaning up dormant firewall accounts. Regular password changes and restricting VPN access from suspicious hosting networks may also reduce risk, though these measures alone might not fully thwart this evolving attack.
The Akira ransomware gang, active since early 2023, has a notorious track record of infiltrating diverse sectors—including education, finance, and real estate. Demonstrating technical versatility, they’ve even developed a Linux-based encryptor targeting VMware ESXi servers, underscoring their growing threat landscape.
