Update on Ongoing Akira Ransomware Campaign
Essential information
- Published
- 27/09/2025 02:35
- Modified
- 29/09/2025 09:22
- Tags
- 2025-09-27 CVE-2020-3259 CVE-2023-20269 CVE-2024-40766 akira credential-theft infrastructure rotation ransomware sonicwall ssl vpn
- Related entities
- 1 intrusion set (APT), 1 malware
Description
The Akira ransomware campaign against SonicWall SSL VPN accounts has intensified since July 2025, with new attacker infrastructure observed as recently as 20 September. The actors are logging in with credentials that were exfiltrated earlier, most likely through CVE-2024-40766, and the abused accounts include ones protected by OTP-based MFA. That implies the OTP seeds were taken along with the passwords, so a password reset alone is not enough: treat the OTP enrolment as compromised and re-issue it as part of the credential reset. Dwell time is extremely short, in some cases 55 minutes from initial access to encryption, which leaves little room for detection after the login succeeds and makes controls at the VPN edge correspondingly more important. Victims span industries and organization sizes, consistent with opportunistic mass exploitation rather than targeted intrusion. Key recommendations: reset all SSL VPN and Active Directory credentials (including MFA-protected accounts), apply SonicWall's published hardening guidance, block VPN access from suspicious IPs and ASNs, update to SonicOS 7.3.0, and deploy additional security monitoring.