Update on Ongoing Akira Ransomware Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new infrastructure observed as recently as September 20. Threat actors are exploiting previously exfiltrated credentials, including those with OTP MFA, likely related to CVE-2024-40766. The attacks are characterized by extremely short dwell times, sometimes as brief as 55 minutes from access to encryption. The campaign is affecting various industries and organization sizes, suggesting opportunistic mass exploitation. Key recommendations include resetting SSL VPN and Active Directory credentials, implementing SonicWall's security measures, blocking VPN access from suspicious IPs and ASNs, updating to SonicOS 7.3.0, and deploying additional security monitoring tools.
OPENCTI LABELS :
cve-2023-20269,ssl vpn,rapid exploitation,infrastructure rotation,akira,cve-2024-40766,ransomware,cve-2020-3259,credential theft,sonicwall
AI COMMENTARY :
1. Introduction to the Akira Ransomware Campaign
The recent update on the ongoing Akira ransomware campaign reveals a significant surge in activity against SonicWall SSL VPN accounts since July 2025. Threat actors behind Akira have leveraged previously exfiltrated credentials, including those protected by One-Time Password (OTP) multi-factor authentication, to gain unauthorized access. New malicious infrastructure was observed as recently as September 20, reflecting the adversaries' commitment to maintaining and rotating attack assets, against a backdrop that also includes the earlier CVE-2023-20269 and CVE-2020-3259 vulnerabilities tagged on this report.
2. Campaign Evolution and Infrastructure Rotation
The operators orchestrating the Akira campaign demonstrate a pattern of rapid exploitation and infrastructure rotation. The shift to new command-and-control nodes and encryption servers underscores their offensive agility. Observations indicate that compromised credential pairs, likely stolen during earlier CVE-2024-40766 exploits, are reused across multiple target environments. This approach enables a continuous cycle of intrusion and encryption operations, with threat actors rarely remaining in a network long enough to be detected by traditional security monitoring.
3. Technical Tactics: Rapid Exploitation and Credential Theft
One hallmark of the Akira ransomware is its ability to move from initial access to file encryption in as little as 55 minutes. Using SonicWall SSL VPN accounts whose credentials were previously exfiltrated, likely via CVE-2024-40766, including accounts protected by OTP MFA, the attackers bypass the perimeter and then pivot to Active Directory to harvest further credentials. Once inside the environment, they rely on legitimate administrative tools to speed up credential theft, privilege escalation and lateral movement before deploying the ransomware payload, minimizing the window for detection and response.
4. Impact Across Industries and Organization Sizes
The Akira campaign has struck a diverse range of industries, from healthcare and finance to manufacturing and professional services. Both small enterprises and large corporations have reported encryption of critical data repositories and extortion demands. The widespread nature of the attack indicates an opportunistic mass exploitation strategy rather than a targeted, industry-specific assault. This breadth of impact highlights the criticality of securing SSL VPN endpoints and monitoring for anomalous sign-on activities across all sectors.
5. Key Mitigations and Security Recommendations
To defend against the Akira ransomware campaign, organizations must reset all SonicWall SSL VPN and Active Directory credentials, ensuring that compromised credentials can no longer be weaponized. Implementing SonicWall’s recommended security hardening measures, updating to SonicOS 7.3.0, and blocking VPN access from suspicious IP ranges and ASNs are essential steps. Additionally, deploying endpoint detection and response (EDR), security information and event management (SIEM) tools, and network traffic analysis solutions will improve visibility and detection of rapid exploitation behaviors.
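The monitoring recommendations above (anomalous sign-ons, blocked IPs and ASNs, credential resets, very short dwell times) can be turned into concrete hunting checks. The following Python script is an added example, not code from the report or from SonicWall; it runs over constructed log lines in a simplified key=value syslog style (SonicWall's real export format differs, so the regex must be adapted), and every user, address, ASN and reset date in it is made up. It flags successful VPN sign-ons from blocked ASNs or prefixes, the same account arriving from two ASNs within minutes, accounts whose password predates the reset cutoff, and the time from first VPN sign-on to a bulk-rename burst on a file server.

```python
"""Hunting helpers for the SSL VPN sign-on patterns described in the report.

Added example with constructed data. The log format below is a simplified
key=value style, not SonicWall's real export; adapt LINE_RE to your firewall
and domain-controller logs. Users, IPs, ASNs and reset dates are fictional.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry: SSL VPN sign-ons, a Kerberos ticket request and
# a bulk-rename burst on a file server, all for fictional users.
SAMPLE_LOGS = """\
2025-09-20T01:02:11Z vpn-gw sslvpn: user=jdoe src=203.0.113.45 asn=64500 result=success mfa=otp
2025-09-20T01:03:30Z vpn-gw sslvpn: user=asmith src=198.51.100.7 asn=64496 result=success mfa=otp
2025-09-20T01:05:02Z vpn-gw sslvpn: user=jdoe src=198.51.100.99 asn=64496 result=success mfa=otp
2025-09-20T01:40:15Z ad-dc01 kerberos: user=jdoe event=4768 src=10.0.5.20
2025-09-20T01:57:44Z file-srv01 fs: user=jdoe event=mass_rename count=1200
2025-09-20T08:15:00Z vpn-gw sslvpn: user=bwong src=192.0.2.14 asn=64501 result=success mfa=otp
2025-09-20T10:00:00Z vpn-gw sslvpn: user=cjones src=198.51.100.200 asn=64510 result=success mfa=otp
"""

# Hypothetical blocklists: an ASN seen hosting attacker infrastructure and a
# hosting-provider prefix from which no employee should ever connect.
BLOCKED_ASNS = {"64496"}
BLOCKED_NETS = [ip_network("192.0.2.0/24")]

# Hypothetical password-reset ledger. The cutoff is the start of the campaign
# surge (July 2025); anything reset before it is treated as possibly exfiltrated.
LAST_RESET = {"jdoe": datetime(2025, 6, 1), "asmith": datetime(2025, 8, 15),
              "bwong": datetime(2025, 9, 1), "cjones": datetime(2025, 9, 10)}
RESET_CUTOFF = datetime(2025, 7, 1)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+): (?P<kv>.*)$")


def parse(log_text):
    """Turn each line into a dict with a datetime plus its key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "host": m["host"], "source": m["src"], **fields})
    return events


def vpn_logins(events):
    """Only successful SSL VPN sign-ons."""
    return [e for e in events if e["source"] == "sslvpn" and e.get("result") == "success"]


def blocked_sources(events):
    """Successful VPN sign-ons from a blocked ASN or prefix: candidates for a block rule."""
    hits = []
    for e in vpn_logins(events):
        if e["asn"] in BLOCKED_ASNS:
            hits.append((e["user"], e["src"], "asn " + e["asn"]))
            continue
        addr = ip_address(e["src"])
        for net in BLOCKED_NETS:
            if addr in net:
                hits.append((e["user"], e["src"], "net " + str(net)))
                break
    return hits


def asn_switches(events, window=timedelta(minutes=30)):
    """Same account signing on from two ASNs inside the window: a sign of reused credentials."""
    last, hits = {}, []
    for e in vpn_logins(events):
        prev = last.get(e["user"])
        if prev and prev["asn"] != e["asn"] and e["ts"] - prev["ts"] <= window:
            hits.append((e["user"], prev["asn"], e["asn"]))
        last[e["user"]] = e
    return hits


def dwell_seconds(events):
    """Seconds from an account's first VPN sign-on to its first bulk-rename burst."""
    first_login, dwell = {}, {}
    for e in events:
        u = e["user"]
        if e["source"] == "sslvpn" and e.get("result") == "success":
            first_login.setdefault(u, e["ts"])
        elif e.get("event") == "mass_rename" and u in first_login and u not in dwell:
            dwell[u] = int((e["ts"] - first_login[u]).total_seconds())
    return dwell


def stale_credential_logins(events):
    """Accounts that signed on although their password predates the reset cutoff."""
    users = {e["user"] for e in vpn_logins(events)}
    return sorted(u for u in users
                  if LAST_RESET.get(u) is None or LAST_RESET[u] < RESET_CUTOFF)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("blocked sources:", blocked_sources(evts))
    print("asn switches:", asn_switches(evts))
    print("dwell (s):", dwell_seconds(evts))
    print("stale creds:", stale_credential_logins(evts))
```

In the constructed data the `jdoe` account shows all four signals at once: a second sign-on from a different ASN three minutes after the first, a source in the blocked ASN, a password last reset before the cutoff, and a bulk-rename burst 55 minutes after the VPN login. Any one of these should be enough to open an incident and force a credential reset for the account; the thresholds (30-minute ASN window, reset cutoff, blocklists) are the knobs to tune against your own baseline.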
6. Conclusion: Proactive Defense in the Face of Akira Threats
The evolving Akira ransomware campaign underscores the importance of proactive threat intelligence and continuous security monitoring. With infrastructure rotation and rapid exploitation at its core, this adversary group will persist in seeking vulnerable SSL VPN endpoints and credential theft opportunities. By applying the recommended mitigations and maintaining vigilant threat hunting practices, organizations can reduce their risk exposure and respond swiftly to any signs of Akira-related activities.