Update on Ongoing Akira Ransomware Campaign
Sept. 29, 2025, 9:22 a.m.
Description
The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new attacker infrastructure observed as recently as September 20, 2025. The threat actors are logging in with previously exfiltrated credentials, including accounts protected by OTP-based MFA, likely obtained through CVE-2024-40766. The intrusions have extremely short dwell times, in some cases as little as 55 minutes from initial VPN access to encryption. Victims span many industries and organization sizes, which points to opportunistic mass exploitation rather than targeted selection. Key recommendations: reset all SSL VPN and Active Directory credentials (rotating rather than merely re-enabling MFA, since the exfiltrated material included OTP-protected accounts), apply SonicWall's published security measures, block VPN access from the suspicious IPs and ASNs identified in the campaign, update to SonicOS 7.3.0, and deploy additional monitoring of SSL VPN authentication events.
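As an added illustration of the "block suspicious IPs/ASNs" and "additional monitoring" recommendations above (example code written for this page, not the advisory's or SonicWall's own tooling): the script parses constructed key=value syslog lines that approximate SonicOS output, flags successful SSL VPN logins from a hypothetical blocklist, and flags accounts that succeed from more distinct source addresses than expected, a pattern consistent with reuse of stolen credentials. The field names (`time`, `msg`, `usr`, `src`), the message text, and the blocklist range are assumptions; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines approximating SonicOS key=value syslog output.
# Field names and message texts are assumptions, not verified against a
# real appliance; all addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
time="2025-09-20 03:14:07 UTC" fw=192.0.2.10 pri=6 msg="SSL VPN login successful" usr="jdoe" src=198.51.100.23:51234:X1 dst=192.0.2.10:443:X1
time="2025-09-20 03:15:42 UTC" fw=192.0.2.10 pri=6 msg="SSL VPN login successful" usr="asmith" src=203.0.113.77:40211:X1 dst=192.0.2.10:443:X1
time="2025-09-20 03:20:09 UTC" fw=192.0.2.10 pri=6 msg="SSL VPN login failed" usr="jdoe" src=203.0.113.91:40300:X1 dst=192.0.2.10:443:X1
time="2025-09-20 03:21:55 UTC" fw=192.0.2.10 pri=6 msg="SSL VPN login successful" usr="jdoe" src=203.0.113.91:40301:X1 dst=192.0.2.10:443:X1
time="2025-09-20 04:02:30 UTC" fw=192.0.2.10 pri=6 msg="SSL VPN login successful" usr="jdoe" src=198.51.100.200:52000:X1 dst=192.0.2.10:443:X1
"""

# Hypothetical blocklist standing in for the CIDRs you would derive from the
# suspicious IPs/ASNs in the vendor guidance. 203.0.113.0/24 is a placeholder.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def src_ip(field):
    """The src field carries ip:port:interface (IPv4 assumed); keep only the IP."""
    return ipaddress.ip_address(field.split(":")[0])


def is_blocked(ip):
    """True if the address falls inside any blocklisted network."""
    return any(ip in net for net in BLOCKED_NETWORKS)


def analyze(log_text, max_ips_per_user=2):
    """Return (blocked_hits, multi_ip_users).

    blocked_hits: (time, user, ip) for successful logins from blocked ranges.
    multi_ip_users: user -> sorted IPs, for accounts that succeeded from more
    than max_ips_per_user distinct source addresses in the log.
    Failed logins are ignored; only successful authentication matters here.
    """
    blocked_hits = []
    ips_by_user = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("msg") != "SSL VPN login successful":
            continue
        ip = src_ip(rec["src"])
        user = rec["usr"]
        ips_by_user[user].add(str(ip))
        if is_blocked(ip):
            blocked_hits.append((rec["time"], user, str(ip)))
    multi_ip_users = {
        u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > max_ips_per_user
    }
    return blocked_hits, multi_ip_users


if __name__ == "__main__":
    hits, multi = analyze(SAMPLE_LOG)
    for t, user, ip in hits:
        print(f"BLOCKED-RANGE LOGIN {t} user={user} src={ip}")
    for user, ips in multi.items():
        print(f"MULTI-IP ACCOUNT user={user} ips={','.join(ips)}")
```

Given the 55-minute dwell times reported above, an alert on the first blocked-range login is more useful than a daily report; the multi-IP check is a secondary signal for accounts whose credentials were reused before the blocklist caught up.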
Date
- Created: Sept. 27, 2025, 2:35 a.m.
- Published: Sept. 27, 2025, 2:35 a.m.
- Modified: Sept. 29, 2025, 9:22 a.m.
Attack Patterns
- Akira