Register today for Zero Trust World 2026!
Contact us
833-292-7732
BACK TO BLOGS Back to Press Releases
A surge in Akira ransomware attacks is linked to SonicWall SSL VPNs, not a zero-day. Attackers exploited weak or unchanged credentials after firewall migrations.
August 8, 2025

RaaS meets misconfiguration: How Akira is exploiting SonicWall SSLVPN weaknesses

Written by:

ThreatLocker Intelligence

Table of contents

Text Link

SonicWall reports tie the surge in late-July attacks to credential-based access and CVE-2024-40766, not a new vulnerability.

A recent spike in Akira ransomware attacks is being linked to SonicWall SSL VPN appliances, but contrary to early speculation, no zero-day vulnerability appears to be involved.

Instead, attackers are leveraging credential-based access, particularly in cases where local accounts weren’t reset during firewall migrations. Here's what security teams need to know.

Technical situation & timeline

When did the increased Akira ransomware activity begin, and what ties it to SonicWall SSL VPNs?

  • Activity ramped up in late July 2025.
  • SonicWall reported on Monday that the incidents involved Gen 7 firewalls with SSLVPN enabled.
  • By Wednesday, August 6, SonicWall expanded the advisory to include firewalls beyond Gen 7.
  • Many attacks reportedly followed migrations from Gen 6 to Gen 7, where local user account passwords were not reset.
  • Initial access is believed to have occurred via compromised local accounts, enabling ransomware deployment.

Is a zero-day involved?

  • SonicWall now reports a "significant correlation" between recent activity and CVE-2024-40766.
  • There is high confidence that a zero-day is not involved.
  • Akira affiliates are likely exploiting known flaws or credential-based access, not a novel vulnerability.

Exploit details & affected platforms

What platforms and firmware versions are affected?

  • Gen 7 and newer SonicWall firewalls with SSLVPN enabled.
  • Firewalls running firmware versions below 7.3.0 are most at risk.
  • Devices migrated from Gen 6 to Gen 7 with unreset local account passwords are especially vulnerable.

Is the activity linked to a known CVE or a new flaw?

  • The threat activity is linked to CVE-2024-40766, not a new zero-day.
  • No indication currently suggests the involvement of CVE-2024-53704.

Attack vectors & techniques

How are attackers gaining access?

By exploiting local accounts that:

  • Were migrated from Gen 6 to Gen 7 or newer
  • Have SSLVPN access enabled
  • Did not undergo a password reset post-migration

What happens after access is gained?

  • Threat actors may quickly disable security tools and encrypt systems.
  • Akira’s RaaS model means operational speed and strategy vary by affiliate.

Recommendations & mitigation

What immediate steps should organizations take?

  • Disable SSLVPN on vulnerable devices, if feasible.
  • If not, limit access to trusted IP ranges.
  • Reset passwords for all local accounts, especially those migrated from Gen 6.
  • Enable Botnet Protection and Geo-IP Filtering.

What long-term security measures are recommended?

  • Enforce strong password policies.
  • Routinely audit and disable unused accounts.
  • Apply firmware upgrades.
  • Implement MFA and review account hygiene.
  • Use least privilege access principles.

Detection & response

How should organizations detect signs of compromise?

Monitor SonicWall logs for:

  • VPN logins from VPS-hosted IPs
  • Unusual login patterns

Look for:

  • Unusual logon times
  • Unexpected files accessed
  • Network activity suggesting data exfiltration

What tools can support detection and prevention?

  • ThreatLocker Network Control can block untrusted IPs from accessing internal systems.
  • Use Sysmon and MDR services to detect lateral movement and post-access behavior.

Expert insight

Are these attacks opportunistic or targeted?

  • Opportunistic. Ransomware operators pursue financially motivated targets, regardless of sector.
  • Akira’s RaaS model enables any threat actor to use the ransomware, increasing risk across sectors.

What best practices support a security-by-default approach?

  • Routinely audit and rotate credentials
  • Disable or remove unused and service accounts
  • Review permissions and ensure least privilege access
  • Enable MFA and use TOTP to prevent SIM swapping
  • Ensure proper cloud and network configuration
  • Maintain clear escalation and response procedures

Is there a ThreatLocker solution?

Yes. You can prevent many cyberattacks by simply eliminating your misconfigurations. That’s why ThreatLocker launched Defense Against Configuration (DAC), which automatically identifies misconfigurations and maps them to your environment’s compliance and security requirements—all displayed on a built-in dashboard on your ThreatLocker portal homepage.

To learn more about ThreatLocker solutions, book a demo customized to your environment and needs.

ABOUT THE AUTHOR

TAKE CONTROL OF YOUR ORGANIZATION'S SECURITY

Request your 30-day trial to the entire ThreatLocker platform today.

Try ThreatLocker

Ready to try out the ThreatLocker® platform?

Request a free 30-day trial today and see how ThreatLocker can take your organization's security to the next level.

Click X to close