Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN

Update 9/22/25: The indicators of compromise (IoCs) table has been updated to include new ASNs and IP addresses identified across dozens of cases related to this threat campaign.

Update 8/7/25: As of August 6, 2025, SonicWall has issued an updated product notice suggesting that the activity in this campaign may be tied to CVE-2024-40766, a vulnerability originally disclosed in August 2024. This is a developing situation.

In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access. In the incidents reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSLVPNs.

The initial access methods have not yet been definitively confirmed in this campaign. While the existence of a zero-day vulnerability was initially deemed to be highly plausible by Arctic Wolf, SonicWall’s updated product notice suggests the possible exploitation of CVE-2024-40766, a previously disclosed vulnerability from August 2024.

Arctic Wolf Labs is currently conducting research into this campaign and will share additional details as they become available. In the meantime, SonicWall’s updated guidance offers reasonable best practices that reduce the likelihood of malicious activity. We are working closely with SonicWall to keep customers protected.

Akira Ransomware

The most recent uptick in ransomware activity involving SonicWall SSLVPNs began as early as July 22, 2025, although similar malicious VPN logins have been observed to some extent since at least October 2024. Similar to the ransomware activity described in our earlier research, a short interval was observed between initial SSLVPN account access and ransomware encryption.

In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.

Recommendations

Disable SonicWall SSLVPN Where Practical

In light of the fact that this is a developing situation, disabling SSLVPN remains the most reliable option for eliminating risk tied to this campaign.

• If SonicWall SSLVPN is not used operationally in your environment, consider disabling it altogether to reduce the risk of exploitation.
• If SonicWall SSLVPN is used in your environment and can’t be disabled for operational reasons:
  • Consider rotating the credentials of all VPN and local firewall accounts (especially administrator accounts), as well as updating to the latest available versions of SonicOS as directed in the advisory for CVE-2024-40766.
    • Note: Rotating local credentials was recommended as part of SonicWall’s advisory for CVE-2024-40766, and is strongly recommended where firewall devices previously ran a vulnerable version at any time.
  • Active Directory (AD) credentials of users with VPN access may be rotated as an added precaution, considering that compromised firewall administrator accounts may have had the ability to extract credentials via LDAP depending on several factors. Consider at a bare minimum rotating credentials of the LDAP service account used to synchronize SonicWall devices with Active Directory.
  • Additionally, to make use of brute force mitigation features provided by SonicWall, update to SonicOS version 7.3.0.

Arctic Wolf will continue to alert Managed Detection and Response customers on potentially suspicious instances of SSLVPN logins.

Review and Implement SonicWall’s Recommendations

In the updated guidance made by SonicWall, customers who have imported configurations from Gen 6 to newer firewalls are recommended to:

• Update to the latest firmware version 7.3.0 by following the firmware update guide.
• Rotate credentials on all user accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
  • Note: While SonicWall’s guidance emphasizes local firewall accounts, credentials of AD accounts with SSLVPN access may be rotated as an added precaution.
• Enable Security Services: Ensure services such as Botnet Protectionare active. These services help detect threat actors known to target SSLVPN endpoints.
• Enforce Multi-Factor Authentication (MFA): MFA should be enabled for all remote access to reduce the risk of credential abuse.
• Remove Unused Accounts: Delete any inactive or unused local firewall user accounts, particularly those with SSLVPN access.
• Practice Good Password Hygiene: Encourage periodic password updates across all user accounts.

SonicWall will continue to update their product notice page with further developments in this campaign.

Configure SonicWall Integration with Arctic Wolf MDR

To provide as early visibility and alerting for the threats described in this bulletin, Arctic Wolf customers can enable SonicWall log monitoring through the Managed Detection and Response service. To configure this integration, see the following documentation page: https://docs.arcticwolf.com/bundle/m_syslog/page/configure_sonicwall_to_send_logs_to_arctic_wolf.html

Install Arctic Wolf Agent & Sysmon

• Arctic Wolf Agent and Sysmon provide Arctic Wolf with visibility into events needed to identify tools, techniques, and tactics involved in this campaign.
• For instructions on how to install Arctic Wolf Agent, see the below install guides:
  • Agent Installation on Windows
  • Agent Installation on Linux
  • Sysmon Installation on Windows
• If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
  • Endpoint Detection and Response Integrations

Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.

Block VPN Authentication from Hosting-Related ASNs

To reduce exposure to malicious VPN activity associated with this campaign, review the listed hosting-related ASNs and consider blocking their corresponding CIDR ranges for VPN authentication.

Note: The networks described below are not inherently malicious, but when used to authenticate against VPNs, matching network activity may be considered suspicious under some circumstances. Blocking all traffic from these ASNs without limiting to VPN authentication is likely to cause operational disruption. Additionally, please note that these ASNs may include IP addresses associated with privacy VPN providers.

Note: Some additional IOCs provided in our October 2024 research may still be valid, but have not yet been observed in the most recent cluster of malicious activity.

Resources

Understand the threat landscape with our annual review highlighting cyber threats with the 2025 Security Operations Report. 

See how Arctic Wolf utilizes threat intelligence to harden your attack surface and stop threats earlier and faster.