Akira ransomware SonicWall breach
Situation
Since late July 2025, there has been a surge in intrusions targeting SonicWall SSL VPN services. Attackers log in to the SSL VPN with valid credentials, even where OTP-based MFA is enabled, to gain access. After access, they quickly perform internal reconnaissance and lateral movement, and in many cases deploy Akira ransomware within hours. The campaign appears opportunistic and broad: victims span sectors and sizes, and different affiliates use slightly different techniques. Researchers tie the campaign back to CVE-2024-40766, an improper access control vulnerability in SonicWall devices, and speculate that credentials harvested earlier may be reused now (even on patched devices).
Problem
Attackers successfully authenticate using valid accounts with OTP (MFA) enabled, with no observed configuration tampering or MFA unbinding. Additionally, the time from access to encryption is often measured in hours (some as short as 55 minutes), leaving minimal time for detection and response. Once inside, attackers use tools like SoftPerfect Network Scanner, Advanced IP Scanner, and Impacket to move laterally, discover Active Directory, and collect credentials to achieve persistence. They create new accounts, disable security tools, delete shadow copies, and disable legitimate remote tools. They then stage and exfiltrate data before or in parallel with encryption, following the double extortion model. Patching alone is not enough: devices that ran the vulnerable firmware versions (SonicOS 5/6/7) may already have had credentials compromised, so upgrading does not fix the problem unless credentials are also reset.
Risk
Because of the short window, organizations risk being encrypted before detection or mitigation. Because attackers also steal data, they can threaten to leak it if the ransom is not paid, increasing the pressure. Leaked data (customer, internal, PII) may bring regulatory penalties, reputational damage, and loss of trust. Inability to recover from backups causes operational disruption to systems and services and extends the time to restore operations. If credentials for VPN, AD, or LDAP synchronization are compromised, the attacker may reuse them against other systems or in later campaigns.
Impact
Dozens of intrusions observed have been tied to this campaign. In many cases, encryption was completed in under 4 hours, sometimes just under 55 minutes after access. Victim organizations span multiple sectors and sizes, indicating broad exposure rather than narrowly tailored attacks. The campaign escalated over time, with new infrastructure observed as late as September 2025. The cost is not just the ransom: incident response, system recovery, potential data breach compensation, reputational damage, and downtime all contribute to the total cost of an attack.
Mitigation/Prevention
- Credential & Configuration Hardening
  - Reset all SSL VPN credentials (usernames, passwords, OTP seeds) for devices that ever ran vulnerable firmware.
  - Reset Active Directory credentials for accounts used in SSL VPN access and LDAP sync.
  - Evaluate whether the MySonicWall cloud backup service was affected and apply relevant SonicWall remediation instructions.
  - Separate identity management from firewall appliances (e.g. use SSO/SAML) so that VPN credentials are not stored on the firewall itself.
- Detection & Monitoring
  - Monitor for SSL VPN logins originating from hosting-related ASNs (VPS, anonymization services).
  - Monitor for SMB session setup requests that match Impacket behavior (internal scanning / reconnaissance).
  - Block VPN logins from IP ranges used by hosting providers / anonymization services, if not business-critical.
  - Block login access from regions where the organization does not do business.
- Endpoint / System Hardening
  - Use App Control / WDAC to block execution of dual-use or attacker tools from untrusted paths.
  - Enforce kernel-mode code integrity, preventing unsigned or exploitable drivers from loading.
  - Explicitly deny or allow-list remote management tools so only approved ones can run.
  - Maintain strong endpoint protection: prevent tampering with EDR/AV, prevent UAC modifications, and protect against script-based disabling of defenses.
- Operational / Process Controls
  - Ensure frequent, immutable backups stored offline or off-network so that deletion of shadow copies does not eliminate recovery options.
  - Implement segmentation and least privilege so that compromise of the VPN does not automatically give access to critical assets.
  - Test and practice incident response runbooks so that containment, forensics, and recovery can be rapid in the event of an intrusion.
  - Use strong logging, monitoring, and alerting for anomalous activity (credential abuse, new accounts, unexpected tool execution).
  - Engage threat intelligence / MDR services to stay current on TTPs, detections, and IOCs.
IOCs
- IP / ASN / Network Indicators (VPN / C2 / Exfil)
  - 117.117[.]34 (AS215703 – Freakhosting)
  - 66.249[.]93 (AS62005 – BlueVPS)
  - 239.236[.]149 (AS62240 – Clouvider)
  - 163.194[.]7 (AS62240 – Clouvider)
  - 33.45[.]194 (AS62240 – Clouvider)
  - 222.247[.]64 (AS62240 – Clouvider)
  - 76.147[.]106 (AS62240 – Clouvider)
  - 247.126[.]239 (AS62240 – Clouvider)
  - 229.17[.]123 / .135 / .148 (AS62240 – Clouvider)
  - 55.76[.]210 (AS14061 – DigitalOcean)
  - 114.123[.]167 / .229 (AS63023 – Gthost)
  - 155.93[.]154 (AS29802 – Hivelocity)
  - 168.41[.]74 (AS29802 – Hivelocity)
  - 191.214[.]170 (AS29802 – Hivelocity)
  - 29.63[.]226 (AS63473 – Hosthatch)
  - 94.54[.]125 (AS36352 – Hostpapa)
  - 33.86[.]2 (AS202015 – Hz Hosting)
  - 141.160[.]33 / 79.141.173[.]235 (AS202015 – Hz Hosting)
  - 181.230[.]108 (AS60602 – Inovare-Prim)
  - 188.6[.]17 (AS396356 – Latitude.Sh)
  - 175.102[.]58 (AS131199 – Nexeon)
  - 174.100[.]199 (AS8100 – Quadranet)
  - 56.163[.]58 (AS8100 – Quadranet)
  - 194.11[.]34 / 104.194.8[.]58 / 104.238.205[.]105 (AS23470 – Reliablesite)
  - 86.96[.]42 (AS14956 – RouterHosting)
  - 172.110[.]103 / .37 / .49 (AS14956 – RouterHosting)
  - 168.208[.]102 (AS21249 – Global Connectivity Solutions)
  - 96.10[.]212 (AS64236 – Unreal Servers)
  - 158.128[.]106 (AS62904 – Eonix Corporation)
  - 226.2[.]47 (AS40676 – Psychz Networks)
  - 242.184[.]58 (AS215381 – Rockhoster)
  - 164.145[.]158 (AS394814 – ISP4Life)
  - 130.165[.]42 (AS62904 – Eonix) — used for command & control
  - 210.196[.]101 (AS30633 – Leaseweb) — used for exfiltration
  - 168.190[.]143 (AS14315 – 1gservers) — used for exfiltration
- File / Binary / Driver / Tool IOCs
  - rwdrv.sys — vulnerable driver used in BYOVD technique
  - churchill_driver.sys
  - hlpdrv.sys
  - check_hvci_admin.bat
  - Hostnames observed in SMB / reconnaissance: kali, WIN, DESKTOP-HPLM2TD, WINUTIL, DESKTOP-A2S6P81, WIN-V1L65ED9I55, WIN-5VVC95LFP2G, DESKTOP-EDE0RR5
  - Ransomware or locker binaries: akira.exe, locker.exe, w.exe
  - WinRAR usage with specific commands (e.g. splits, -tn365d, etc.)
  - Rclone, FileZilla usage in exfiltration
  - Use of PowerShell script to extract Veeam DB credentials, modify PostgreSQL configs, etc.
- Behavioral / TTP-based Indicators
  - SSL VPN login events (SonicWall event IDs) from hosting ASNs
  - OTP login event soon after challenge
  - Internal port scanning (ports 135, 137, 445, 1433) shortly after VPN login
  - SMB session setup requests consistent with Impacket
  - Creation of new domain/local accounts (e.g. “sqlbackup”)
  - Attempts to disable EDR/AV / delete shadow copies
  - Execution of remote management or tunneling tools (AnyDesk, RustDesk, cloudflared)
  - Use of cloudflared service, SSH tunnels, administrative commands to open remote access
  - Use of dual-use tools (e.g. consent.exe repackaged) for sandbox/EDR bypass
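The following is an added example, not code from the brief or from Arctic Wolf, SonicWall or any vendor. It shows how the Detection & Monitoring items above (logins from hosting ASNs, reconnaissance right after a VPN login) and the behavioral indicators in this list (port scanning of 135/137/445/1433 shortly after login, creation of accounts such as "sqlbackup", shadow copy deletion) can be turned into one scored timeline check per VPN login. The log format is a constructed key=value layout, not SonicWall's real syslog schema; the hosting ASNs are taken from the IOC list above, while AS64496, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the user names and the host names are constructed documentation values. A real deployment would feed it parsed firewall syslog plus endpoint telemetry and resolve source IPs to ASNs with an IP-to-ASN database.

```python
"""Added example: correlate SSL VPN logins with follow-on host activity.

Constructed log format (not SonicWall's real syslog schema):
    TIMESTAMP KIND key=value key=value ...
Event kinds used: VPN_LOGIN, CONN, ACCOUNT_CREATED, SHADOW_COPY_DELETE.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hosting / VPS ASNs taken from the brief's IOC list. In production the login
# source IP would be resolved to an ASN with an IP-to-ASN database.
HOSTING_ASNS = {
    62240: "Clouvider",
    14061: "DigitalOcean",
    29802: "Hivelocity",
    8100: "Quadranet",
    14956: "RouterHosting",
    63023: "Gthost",
}
RECON_PORTS = {135, 137, 445, 1433}        # ports the brief lists for internal scanning
SUSPICIOUS_ACCOUNT_NAMES = {"sqlbackup"}   # account name quoted in the brief

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict[str, str]


@dataclass
class Alert:
    user: str
    login_ts: datetime
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"


def parse_line(line: str) -> Event | None:
    """Parse one 'TIMESTAMP KIND k=v ...' line; returns None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts, m.group(2), dict(KV_RE.findall(m.group(3))))


def _int(value: str | None) -> int:
    return int(value) if value and value.isdigit() else 0


def correlate(lines: list[str], window_minutes: int = 60, scan_hosts: int = 5) -> list[Alert]:
    """Score each VPN login by its ASN of origin and by what happens in the
    following window: the VPN-assigned address probing many hosts on recon
    ports, new account creation, shadow copy deletion."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    window = timedelta(minutes=window_minutes)
    alerts: list[Alert] = []
    for login in (e for e in events if e.kind == "VPN_LOGIN"):
        alert = Alert(login.fields.get("user", "?"), login.ts)
        asn = _int(login.fields.get("asn"))
        if asn in HOSTING_ASNS:
            alert.score += 3
            alert.reasons.append(f"login from hosting ASN AS{asn} ({HOSTING_ASNS[asn]})")
        vip = login.fields.get("vip")  # internal address handed to the VPN client
        later = [e for e in events if login.ts < e.ts <= login.ts + window]
        probed = {e.fields.get("dst") for e in later
                  if e.kind == "CONN" and e.fields.get("src") == vip
                  and _int(e.fields.get("dport")) in RECON_PORTS}
        if len(probed) >= scan_hosts:
            alert.score += 3
            alert.reasons.append(f"{len(probed)} internal hosts probed on recon ports within {window_minutes} min")
        for e in later:
            if e.kind == "ACCOUNT_CREATED":
                name = e.fields.get("name", "")
                alert.score += 2 if name.lower() in SUSPICIOUS_ACCOUNT_NAMES else 1
                alert.reasons.append(f"account '{name}' created on {e.fields.get('host')}")
            elif e.kind == "SHADOW_COPY_DELETE":
                alert.score += 3
                alert.reasons.append(f"shadow copies deleted on {e.fields.get('host')}")
        if alert.score > 0:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, AS64496 is a documentation ASN, user and host names are invented.
SAMPLE_LOG = """\
2025-09-10T03:12:44Z VPN_LOGIN user=jdoe src=203.0.113.17 asn=62240 vip=10.200.0.5 otp=ok
2025-09-10T03:14:02Z CONN src=10.200.0.5 dst=10.0.0.10 dport=445
2025-09-10T03:14:02Z CONN src=10.200.0.5 dst=10.0.0.11 dport=445
2025-09-10T03:14:03Z CONN src=10.200.0.5 dst=10.0.0.12 dport=135
2025-09-10T03:14:03Z CONN src=10.200.0.5 dst=10.0.0.13 dport=1433
2025-09-10T03:14:04Z CONN src=10.200.0.5 dst=10.0.0.14 dport=137
2025-09-10T03:14:04Z CONN src=10.200.0.5 dst=10.0.0.15 dport=445
2025-09-10T03:41:19Z ACCOUNT_CREATED host=DC01 name=sqlbackup by=jdoe
2025-09-10T03:55:07Z SHADOW_COPY_DELETE host=FS01 by=jdoe
2025-09-10T08:02:10Z VPN_LOGIN user=asmith src=198.51.100.9 asn=64496 vip=10.200.0.6 otp=ok
2025-09-10T08:05:33Z CONN src=10.200.0.6 dst=10.0.0.20 dport=445
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.user} login at {a.login_ts:%H:%M:%S}, score {a.score}")
        for r in a.reasons:
            print("   -", r)
```

On the constructed sample the first login scores 11 (hosting ASN, six hosts probed on recon ports within minutes, the "sqlbackup" account, shadow copies deleted) and is reported as high, while the second login, from a non-hosting ASN with a single SMB connection afterwards, produces no alert. The window and host-count thresholds are the tuning knobs: given the sub-hour dwell times in this campaign, a hosting-ASN login alone is worth a medium alert, and the first recon burst should page someone rather than wait for the account creation.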
Links
https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/
https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a