Threat Actors Exploiting SonicWall Firewalls to Deploy Akira Ransomware Using Malicious Logins

A new wave of cyberattacks targeting organizations using SonicWall firewalls has been actively deploying Akira ransomware since late July 2025. Security researchers at Arctic Wolf Labs detected a surge in this activity, which remains ongoing. Threat actors are gaining initial access through malicious SSL VPN logins, successfully bypassing multi-factor authentication (MFA), and then rapidly moving to encrypt data within hours.

SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024. The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched. This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.

Attackers use the compromised credentials to log into SonicWall SSL VPNs, bypassing one-time-password (OTP) MFA. Within minutes of logging in, they begin scanning the internal network for open ports such as SMB (445), RPC (135), and SQL (1433), using tools like Impacket, SoftPerfect Network Scanner, and Advanced IP Scanner for discovery and lateral movement.

To operate undetected, attackers attempt to disable endpoint security products like Windows Defender and other EDR solutions. They use a “bring-your-own-vulnerable-driver” (BYOVD) technique to tamper with security software at the kernel level and delete Volume Shadow Copies to prevent system restoration.
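The two behaviours described above (a VPN login followed within minutes by a burst of internal connections on 445/135/1433, and deletion of Volume Shadow Copies) are both detectable from ordinary telemetry. The script below is an added example, not code from the article or from Arctic Wolf; it runs simple correlation rules over constructed sample events. The event shapes, the field names, the ten-minute window and the five-host threshold are assumptions to be adapted to real VPN, firewall and endpoint logs.

```python
"""Toy detection logic for the post-login behaviour described in the post.

All events below are constructed sample data, not real telemetry.
Two checks are implemented:
 1. an SSL VPN login followed within WINDOW by connections from the
    assigned VPN client address to many distinct internal hosts on the
    ports the attackers scan (445, 135, 1433)
 2. a process event whose command line deletes Volume Shadow Copies
"""
from datetime import datetime, timedelta
import re

SCAN_PORTS = {445, 135, 1433}          # ports named in the post
WINDOW = timedelta(minutes=10)         # assumed correlation window
HOST_THRESHOLD = 5                     # assumed: distinct hosts before alerting

# Constructed VPN login events: (timestamp, username, assigned client IP)
VPN_LOGINS = [
    ("2025-07-28T02:14:05", "jdoe", "10.200.0.17"),
    ("2025-07-28T09:01:40", "asmith", "10.200.0.42"),
]

# Constructed firewall/flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2025-07-28T02:15:01", "10.200.0.17", "10.10.1.5", 445),
    ("2025-07-28T02:15:02", "10.200.0.17", "10.10.1.6", 445),
    ("2025-07-28T02:15:02", "10.200.0.17", "10.10.1.7", 135),
    ("2025-07-28T02:15:03", "10.200.0.17", "10.10.1.8", 1433),
    ("2025-07-28T02:15:03", "10.200.0.17", "10.10.1.9", 445),
    ("2025-07-28T02:15:04", "10.200.0.17", "10.10.1.10", 135),
    ("2025-07-28T02:15:05", "10.200.0.17", "10.10.1.11", 80),    # not a scan port
    ("2025-07-28T02:30:00", "10.200.0.17", "10.10.1.12", 445),   # outside window
    ("2025-07-28T09:02:10", "10.200.0.42", "10.10.1.5", 445),    # normal file share use
]

# Constructed endpoint process events: (timestamp, hostname, command line)
PROCESS_EVENTS = [
    ("2025-07-28T02:40:12", "FS01",
     r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2025-07-28T09:05:00", "WS22", r"C:\Windows\System32\notepad.exe"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def detect_scan_bursts(logins, flows, window=WINDOW, threshold=HOST_THRESHOLD):
    """Flag VPN sessions whose client IP touches >= threshold distinct hosts
    on SCAN_PORTS within `window` of the login."""
    alerts = []
    for login_ts, user, vpn_ip in logins:
        start = _ts(login_ts)
        targets = {
            dst for ts, src, dst, port in flows
            if src == vpn_ip and port in SCAN_PORTS
            and start <= _ts(ts) <= start + window
        }
        if len(targets) >= threshold:
            alerts.append({"user": user, "vpn_ip": vpn_ip,
                           "login": login_ts, "hosts": len(targets)})
    return alerts


# Well-known command lines that remove shadow copies (vssadmin / wmic).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def detect_shadow_copy_deletion(events):
    """Return process events whose command line deletes Volume Shadow Copies."""
    return [{"host": host, "time": ts, "cmd": cmd}
            for ts, host, cmd in events if SHADOW_DELETE.search(cmd)]


if __name__ == "__main__":
    for alert in detect_scan_bursts(VPN_LOGINS, FLOWS):
        print("scan burst after VPN login:", alert)
    for hit in detect_shadow_copy_deletion(PROCESS_EVENTS):
        print("shadow copy deletion:", hit)
```

The scan rule keys on the address the VPN concentrator assigned at login, so a single legitimate file-share connection (the `asmith` session) stays below the threshold while the six-host burst from `jdoe`'s session is flagged; in production the window and threshold should be tuned against a baseline of normal post-login activity.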

To read the complete article, see: Cyber Security News

This post is licensed under CC BY 4.0 by the author.