In a surge of activity that kicked off around mid-July 2025, SonicWall SSL VPN devices have landed in the crosshairs of Akira ransomware operators, according to Arctic Wolf Labs.
Multiple incidents reviewed by the firm show attackers gaining access through SonicWall SSL VPN portals in rapid succession, often just hours before ransomware encryption begins. Notably, some targeted SonicWall devices were fully patched, raising the possibility of a zero-day vulnerability, although credential-based attacks remain a possibility.
Julian Tuin, a researcher at Arctic Wolf, noted that the access pattern suggests either a zero-day vulnerability or attackers leveraging stolen credentials. For now, both scenarios remain on the table.
Although this wave was only recently spotted, traces of similar VPN-based intrusions date back to October 2024. The firm observed a recurring pattern: ransomware operators authenticate to the VPN from Virtual Private Server (VPS) hosting ranges rather than from the residential broadband ISPs that legitimate remote users almost always come from. Combined with a very short window between initial access and ransomware deployment, a successful VPN login from hosting address space is a strong indicator of malicious activity in the recent SonicWall device attacks.
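To make that heuristic concrete, here is a small triage script (an added example written for this page, not code from Arctic Wolf, SonicWall or the original article). It parses constructed VPN and endpoint log lines in a simplified key=value format, classifies each login's source address against a hypothetical prefix table that stands in for a real ASN lookup, flags successful SSL VPN logins from hosting/VPS space, and then measures the dwell time between the first such login and the first mass file rename reported by an EDR sensor. The log format, prefix ranges, usernames and the `mass_file_rename` event name are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed prefix table standing in for a real ASN/GeoIP feed (hypothetical ranges).
# "hosting" marks VPS/cloud address space; "residential" marks broadband ISP space.
PREFIX_TABLE = [
    ("45.150.0.0/16", "hosting"),
    ("103.11.0.0/16", "hosting"),
    ("71.50.0.0/16", "residential"),
]

# Constructed sample log lines (simplified key=value style, not real SonicWall syslog).
SAMPLE_LOGS = """\
2025-07-15T02:14:33Z sslvpn user=jdoe src=71.50.8.21 result=success
2025-07-15T03:02:10Z sslvpn user=svc_backup src=45.150.12.8 result=failure
2025-07-15T03:02:41Z sslvpn user=svc_backup src=45.150.12.8 result=success
2025-07-15T04:11:05Z sslvpn user=mlee src=103.11.77.3 result=success
2025-07-15T09:40:01Z edr host=FS01 event=mass_file_rename count=4200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["source"] = m["source"]
    return fields


def provider_type(ip):
    """Classify an IP as hosting, residential or unknown using the prefix table."""
    addr = ipaddress.ip_address(ip)
    for cidr, kind in PREFIX_TABLE:
        if addr in ipaddress.ip_network(cidr):
            return kind
    return "unknown"


def analyze(log_text, dwell_window=timedelta(hours=24)):
    """Apply two rules and return a list of alert dicts.

    Rule 1: a successful SSL VPN login whose source is hosting/VPS space.
    Rule 2: an EDR mass-rename event within dwell_window of the first such login.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts, vps_logins = [], []
    for e in events:
        if e["source"] == "sslvpn" and e.get("result") == "success":
            if provider_type(e["src"]) == "hosting":
                alerts.append({"rule": "vpn_login_from_vps", "user": e["user"],
                               "src": e["src"], "ts": e["ts"]})
                vps_logins.append(e)
    encryption = [e for e in events if e["source"] == "edr" and e.get("event") == "mass_file_rename"]
    if vps_logins and encryption:
        first_login = min(e["ts"] for e in vps_logins)
        first_enc = min(e["ts"] for e in encryption)
        dwell = first_enc - first_login
        if timedelta(0) <= dwell <= dwell_window:
            alerts.append({"rule": "short_dwell_after_vps_login",
                           "dwell_hours": round(dwell.total_seconds() / 3600, 2),
                           "host": encryption[0]["host"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

In the sample data the residential login by `jdoe` is ignored, the two hosting-range logins are flagged, and the file server's mass rename lands about 6.6 hours after the first of them, which is the kind of short access-to-encryption gap the article describes. In production the prefix table would be replaced by an ASN feed and the EDR event by whatever your sensor emits for bulk renames or ransom-note drops.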
On Monday, SonicWall confirmed a surge in attacks over the preceding 72 hours. The activity targeted the SSL VPN feature of its Gen 7 firewalls and includes cases flagged by vendors such as Arctic Wolf, Mandiant, and Huntress. SonicWall engineers are analyzing telemetry and incident data to identify the root cause, which has not yet been confirmed.
SonicWall has issued mitigation guidance for Gen 7 firewall users while the attacks on SSL VPN services continue. First, it recommends disabling SSL VPN wherever possible, while stressing that the remaining measures should be applied even where disabling is not an option. Restricting SSL VPN access to trusted source IP addresses is essential.
SonicWall also advises enabling Botnet Protection and Geo-IP Filtering to block known-bad sources, and enforcing multi-factor authentication on every remote access point, although some reports state that MFA alone may not fully prevent these attacks. Audit firewall user accounts and remove any that are unused or inactive, particularly those with VPN privileges. Strong password policies and prompt patching remain non-negotiable for safeguarding accounts.
The bottom line: apply these steps now to minimize risk. SonicWall is continuing its investigation and will provide updates as new information emerges. Staying proactive is the best defense at this stage.
Akira emerged on the ransomware scene in March 2023. By early 2024 it is believed to have collected approximately $42 million from more than 250 organizations. By mid-2025 it was not just active but ubiquitous: in Q2 alone, 143 victims were tied to the group, making it the second most prolific ransomware operation that quarter, behind only Qilin. One notable detail: roughly 10% of its attacks hit companies in Italy, a far larger share than that country accounts for in other ransomware groups' victim lists.