Update on Ongoing Akira Ransomware Campaign

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new infrastructure observed as recently as September 20. Threat actors are exploiting previously exfiltrated credentials, including those with OTP MFA, likely related to CVE-2024-40766. The attacks are characterized by extremely short dwell times, sometimes as brief as 55 minutes from access to encryption. The campaign is affecting various industries and organization sizes, suggesting opportunistic mass exploitation. Key recommendations include resetting SSL VPN and Active Directory credentials, implementing SonicWall's security measures, blocking VPN access from suspicious IPs and ASNs, updating to SonicOS 7.3.0, and deploying additional security monitoring tools.

OPENCTI LABELS:

ransomware,cve-2023-20269,credential theft,akira,cve-2020-3259,cve-2024-40766,sonicwall,ssl vpn,infrastructure rotation,rapid exploitation


AI COMMENTARY:

1. Update on Ongoing Akira Ransomware Campaign

The Akira ransomware campaign exploiting SonicWall SSL VPN accounts has dramatically escalated since July 2025. Threat actors are leveraging previously exfiltrated credentials, including accounts protected by OTP multifactor authentication, to gain initial access. This wave of attacks has coincided with active exploitation of CVE-2024-40766, allowing adversaries to bypass security controls and infiltrate corporate networks with alarming speed.

2. Threat Actor Techniques and Vulnerabilities

The attackers behind Akira have demonstrated sophisticated credential theft methods, often pairing them with known vulnerabilities such as CVE-2023-20269, CVE-2020-3259 and the more recent CVE-2024-40766. By reusing stolen credentials and rotating infrastructure continuously, they achieve rapid exploitation timelines. In some incidents the dwell time from foothold to full encryption of systems has been as brief as 55 minutes, highlighting the extreme efficiency of these threat actors.

3. Technical Evolution and Infrastructure Rotation

Since July, security researchers have observed multiple changes in command and control nodes, indicating an intentional strategy of infrastructure rotation. This adaptation enables the adversaries to evade detection and extends their operational longevity. The newly identified servers active as of September 20 underscore the persistent nature of this campaign and the ongoing investment by attackers in maintaining attack frameworks that support Akira payload delivery and lateral movement across compromised environments.

4. Impact Across Industries

Organizations ranging from small enterprises to large corporations across healthcare, finance, manufacturing and technology sectors have fallen victim to this opportunistic mass exploitation. The common thread is unpatched SonicWall SSL VPN appliances and stagnant Active Directory credentials. By compromising a single SSL VPN account, attackers can pivot throughout the corporate network, exfiltrate sensitive data and trigger wide-scale encryption events, leading to operational disruptions and significant financial losses.

5. Mitigation Strategies and Recommendations

To defend against this accelerated ransomware threat, security teams should immediately reset SSL VPN and Active Directory credentials and enforce stronger password policies. Organizations must implement the latest SonicWall security features, including two-factor authentication enforcement and strict access controls. Blocking VPN access from suspicious IP ranges and high-risk ASNs can preempt malicious login attempts. Upgrading to SonicOS version 7.3.0 or later is crucial to remediate CVE-2024-40766 and other known vulnerabilities. Supplementing these measures with advanced security monitoring tools and continuous endpoint detection will enhance visibility and reduce dwell time for potential intrusions.
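As an added example (not part of the OpenCTI report or of SonicWall's own guidance), the Python triage below applies two of the recommendations above to SSL VPN login records: it flags logins whose source address falls in a blocked range and accounts whose Active Directory password has not been rotated since the campaign began. The blocked ranges, the July 2025 cutoff, and the sample login and password-age data are constructed assumptions, not real SonicWall log output.

```python
import ipaddress
from datetime import datetime, timezone

# Hypothetical blocklist: CIDR ranges standing in for the suspicious IP ranges
# and high-risk ASNs the advisory says to block (constructed, documentation ranges).
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Credentials last rotated before the campaign's July 2025 onset are treated as
# stale, per the advisory's reset recommendation (the exact cutoff is an assumption).
CAMPAIGN_START = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Constructed sample data: successful SSL VPN logins (user, source IP, time) and
# an Active Directory export of password-last-set times. Not real log lines.
VPN_LOGINS = [
    ("alice", "198.51.100.7", "2025-09-20T02:14:00Z"),
    ("bob",   "192.0.2.15",   "2025-09-20T08:30:00Z"),
    ("carol", "192.0.2.20",   "2025-09-21T11:05:00Z"),
]
PWD_LAST_SET = {
    "alice": "2025-03-10T09:00:00Z",
    "bob":   "2025-08-01T14:20:00Z",
    "carol": "2025-05-05T16:45:00Z",
}

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def ip_is_blocked(ip: str) -> bool:
    """True when the source address falls inside a blocked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)

def credential_is_stale(user: str, cutoff: datetime = CAMPAIGN_START) -> bool:
    """True when the account's password predates the cutoff (or is unknown)."""
    last_set = PWD_LAST_SET.get(user)
    return last_set is None or parse_ts(last_set) < cutoff

def triage_logins(logins=VPN_LOGINS):
    """Return (user, ip, reasons) for each login that needs analyst review."""
    findings = []
    for user, ip, _when in logins:
        reasons = []
        if ip_is_blocked(ip):
            reasons.append("source in blocked range")
        if credential_is_stale(user):
            reasons.append("credential not rotated since campaign start")
        if reasons:
            findings.append((user, ip, reasons))
    return findings
```

With the constructed data, alice is flagged on both counts, carol only for a stale credential, and bob is not flagged.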

6. Conclusion and Outlook

The Akira ransomware campaign represents a new benchmark in threat actor agility and rapid exploitation. The combination of credential theft, infrastructure rotation and active exploitation of multiple CVEs has created one of the most dangerous mass ransomware threats in recent memory. Organizations must adopt a proactive security posture, keeping defensive mechanisms current and staffing for continuous threat intelligence analysis. Vigilance against evolving attack methods remains the best strategy to mitigate the risk posed by the Akira campaign and its future variants.
