
A significant surge in Akira ransomware activity, first observed in late July 2025, has been attributed to the exploitation of a known SonicWall SSL VPN vulnerability, CVE-2024-40766, combined with critical misconfigurations [1]. This campaign, which remains active, targets organizations that migrated from Gen 6 to Gen 7 SonicWall firewalls without following recommended security practices, particularly the resetting of local user account passwords [3]. The attack chain is notably rapid, with threat actors moving from initial VPN access to domain controller compromise and ransomware deployment within hours [2].
Security firm Arctic Wolf initially documented the uptick in activity, noting that malicious VPN logins often originated from Virtual Private Server (VPS) hosting providers, a pattern distinct from legitimate user traffic [1]. Huntress Labs confirmed these findings, reporting at least 28 incidents by early August and detailing an evolving set of tactics, including the use of Bring Your Own Vulnerable Driver (BYOVD) attacks to disable endpoint security software [2]. SonicWall subsequently issued a product notice clarifying that the attacks were not leveraging a new zero-day but were instead a result of exploiting the existing CVE-2024-40766 flaw in improperly maintained environments [3].
Technical Analysis of the Attack Chain
The initial access vector for this campaign is successful authentication to the SonicWall SSL VPN service. Threat actors achieve this by exploiting CVE-2024-40766, an improper access control vulnerability disclosed in 2024. This is compounded by a common misconfiguration: organizations that performed a firewall generation upgrade failed to reset local user passwords, as was advised in the original security advisory [3]. Furthermore, a specific LDAP misconfiguration is being abused: if the “LDAP SSL VPN Default User Groups” setting is configured, it can automatically grant VPN access to any user who successfully authenticates via LDAP, bypassing more granular Active Directory group membership controls [3].
Once inside the network, the attackers execute a fast-paced and efficient operation. They quickly pivot to domain controllers, often within a few hours, using compromised over-privileged service accounts commonly named `sonicwall` or `LDAPAdmin` [2]. To establish persistence, they deploy tools like Cloudflared, OpenSSH for Windows, or commercial Remote Monitoring and Management (RMM) software. Huntress observed the use of BYOVD techniques, where attackers install legitimate but vulnerable kernel drivers (`rwdrv.sys`, `hlpdrv.sys`) to disable Endpoint Detection and Response (EDR) tools, a method that provides significant evasion capabilities [2].
Evolution of Akira Ransomware Tradecraft
The Akira ransomware itself has incorporated new features to hinder forensic analysis and increase its impact. As of mid-August, the ransomware binary began supporting a `-dellog` argument. When executed with this flag, it uses PowerShell commands to clear Windows event logs, effectively erasing evidence of the attack activities from the local system [2]. This represents a deliberate effort to complicate incident response and investigations. The group also makes heavy use of Living-off-the-Land (LotL) techniques, leveraging built-in Windows tools and processes, which makes detection by traditional signature-based antivirus solutions particularly challenging [6].
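The host-side tradecraft described above (vulnerable driver installation and event log wiping) leaves a recognisable trail in Windows event logs. The following is an added detection example, not code from the article or from any vendor it cites; the event records are constructed placeholders standing in for parsed EVTX data, and the rules rely on the standard Service Control Manager event 7045, Sysmon event 6, and the Security 1102 / System 104 log-cleared events.

```python
import ntpath

# Driver file names the article reports being abused to disable EDR.
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Constructed Windows event records (dicts standing in for parsed EVTX data);
# these are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "rwdrv",
     "ImagePath": r"C:\Windows\Temp\rwdrv.sys"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": r"C:\Users\Public\hlpdrv.sys"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "Administrator"},
    {"Channel": "System", "EventID": 104, "SubjectUserName": "Administrator"},
]

def match_event(ev):
    """Return an alert label for one event, or None if it is benign."""
    eid, chan = ev["EventID"], ev["Channel"]
    # Service Control Manager 7045: a new service (kernel drivers included) was installed.
    if chan == "System" and eid == 7045:
        if ntpath.basename(ev.get("ImagePath", "")).lower() in BYOVD_DRIVERS:
            return f"BYOVD driver installed as service: {ev['ImagePath']}"
    # Sysmon event 6: a driver was loaded into the kernel.
    if chan.startswith("Microsoft-Windows-Sysmon") and eid == 6:
        if ntpath.basename(ev.get("ImageLoaded", "")).lower() in BYOVD_DRIVERS:
            return f"BYOVD driver loaded: {ev['ImageLoaded']}"
    # Security 1102 / System 104: an event log was cleared (the -dellog behaviour).
    if (chan, eid) in {("Security", 1102), ("System", 104)}:
        return f"event log cleared by {ev.get('SubjectUserName', '?')}"
    return None

def triage(events):
    """Run every event through the rules; escalate when driver abuse and log wiping co-occur."""
    alerts = [a for a in (match_event(e) for e in events) if a]
    driver_seen = any(a.startswith("BYOVD") for a in alerts)
    wipe_seen = any(a.startswith("event log cleared") for a in alerts)
    severity = "critical" if driver_seen and wipe_seen else ("high" if alerts else "none")
    return severity, alerts
```

Running `triage(SAMPLE_EVENTS)` flags both driver events and both log-clearing events and rates the host critical, while the legitimate Spooler service install produces nothing.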
The threat actors are also abusing the SonicWall Virtual Office Portal. This web portal, used for configuring multi-factor authentication (MFA) such as Time-based One-Time Passwords (TOTP), can in some configurations be exposed to the public internet. With a set of compromised credentials, an attacker can access this portal to enroll their own device for MFA, effectively bypassing this security control for the compromised account [5]. This highlights that the attack leverages a combination of technical vulnerability, misconfiguration, and procedural weakness.
Mitigation and Defense Strategies
A multi-layered defense strategy is required to protect against this campaign. The most effective immediate action is to disable the SSL VPN service if it is not absolutely required for business operations [1]. For organizations that must keep it enabled, the following steps are critical. First, update SonicWall firewalls to firmware version SonicOS 7.3.0 or later, which includes enhanced login attempt lockout and password complexity enforcement features [3].
Second, credential hygiene is paramount. All credentials associated with the firewall and VPN access must be rotated immediately. This includes local firewall accounts, VPN user accounts, and, most critically, any Active Directory service accounts used by the SonicWall appliance for LDAP authentication. These service accounts must be audited and have their privileges reduced to the absolute minimum necessary; they should never be members of the Domain Admins group [2].
Network-level controls can significantly reduce the attack surface. Implementing IP allow-listing for VPN access can block connection attempts from unauthorized locations. Given that malicious logins in this campaign frequently originate from specific VPS provider ASNs (e.g., ASN 23470, ASN 62240) [1], blocking traffic from these autonomous systems can be an effective temporary measure. Enabling Geo-IP filtering and Botnet Protection on the SonicWall device are also recommended baseline security practices [3].
Enhanced monitoring and logging are essential for detection. Ensuring that SonicWall logs are ingested into a Security Information and Event Management (SIEM) system or a security monitoring solution allows for the correlation of events and detection of anomalous login patterns, such as those from VPS providers. For users of specific security products, Bitdefender recommends enabling Ransomware Mitigation policies and their GravityZone PHASR module for detecting LotL activity [6], while Tenable offers plugins for discovering external-facing SonicWall assets [4].
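The ASN-based blocking and the SIEM correlation described in the two paragraphs above can be expressed as one detection rule over VPN login events. This is an added example, not code from the article or from SonicWall; the syslog lines are constructed in a SonicWall-style key=value format, the prefix-to-ASN table is a constructed stand-in for a real BGP or GeoIP lookup, and the only values taken from the article are the two ASNs and the abused service account names.

```python
import re
from ipaddress import ip_address, ip_network

# ASNs the article names as frequent sources of malicious VPN logins.
SUSPICIOUS_ASNS = {23470, 62240}
# Service account names the article reports being abused after VPN access.
WATCHED_ACCOUNTS = {"sonicwall", "ldapadmin"}

# Constructed prefix-to-ASN table (placeholder for a real ASN lookup);
# the prefixes are documentation ranges and the mappings are invented.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), 23470),
    (ip_network("198.51.100.0/24"), 62240),
    (ip_network("192.0.2.0/24"), 64500),   # constructed corporate egress range
]

# Constructed SonicWall-style key=value syslog lines, not real logs.
SAMPLE_LOGS = """\
id=firewall time="2025-08-05 02:13:44" msg="SSL VPN zone remote user login allowed" src=203.0.113.17 usr=jdoe
id=firewall time="2025-08-05 02:14:10" msg="SSL VPN zone remote user login allowed" src=192.0.2.44 usr=asmith
id=firewall time="2025-08-05 02:15:02" msg="SSL VPN zone remote user login allowed" src=198.51.100.9 usr=sonicwall
id=firewall time="2025-08-05 02:15:30" msg="User login failed" src=203.0.113.17 usr=jdoe
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def lookup_asn(ip):
    """Longest-match is unnecessary here: the constructed prefixes do not overlap."""
    addr = ip_address(ip)
    return next((asn for net, asn in ASN_TABLE if addr in net), None)

def find_suspicious_logins(text):
    """Return (user, src, asn, reason) for successful VPN logins worth alerting on."""
    hits = []
    for line in text.splitlines():
        ev = parse_line(line)
        if "login allowed" not in ev.get("msg", ""):
            continue  # failed attempts are noise for this rule; only successes matter
        asn = lookup_asn(ev["src"])
        reasons = []
        if asn in SUSPICIOUS_ASNS:
            reasons.append(f"source ASN {asn} is a VPS provider seen in the campaign")
        if ev.get("usr", "").lower() in WATCHED_ACCOUNTS:
            reasons.append("interactive VPN login by the SonicWall LDAP service account")
        if reasons:
            hits.append((ev["usr"], ev["src"], asn, "; ".join(reasons)))
    return hits
```

On the sample data the rule flags the `jdoe` login from ASN 23470 and the `sonicwall` service-account login from ASN 62240, and ignores the login from the constructed corporate range.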
Broader Campaign Context and Attribution
This campaign is characterized as opportunistic, enabled by the Akira ransomware-as-a-service (RaaS) model rather than highly targeted attacks [7]. The Australian Cyber Security Centre (ACSC) has confirmed incidents affecting Australian organizations [5], and Akira was ranked as the third most active ransomware group in July 2025 with 40 attacks [5]. It is important to distinguish this activity from a separate campaign conducted by threat group UNC6148, which is simultaneously targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances with a backdoor called OVERSTEP [6].
The persistence of this campaign weeks after its initial disclosure underscores the challenges of patch management and configuration hygiene in complex enterprise environments. The fact that a vulnerability patched in 2024 can be effectively weaponized in 2025 serves as a stark reminder that known vulnerabilities often present a lower-risk avenue for attackers than pursuing novel zero-days.
The technical specifics of this campaign, from the BYOVD attacks to the event log wiping, provide a clear view of modern ransomware operations. Defense requires a focus on foundational security practices: rigorous patch management, strict principle of least privilege for all accounts, robust credential policies, and comprehensive monitoring. For organizations using SonicWall SSL VPN, immediate action to review configurations, update firmware, and rotate credentials is not just recommended but necessary to mitigate this active threat.