Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN

In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access.

Update 9/22/25: The indicators of compromise (IoCs) table has been updated to include new ASNs and IP addresses identified across dozens of cases related to this threat campaign.

Update 8/7/25: As of August 6, 2025, SonicWall has issued an updated product notice suggesting that the activity in this campaign may be tied to CVE-2024-40766, a vulnerability originally disclosed in August 2024. This is a developing situation.

In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access. In the incidents reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSLVPNs.

The initial access methods have not yet been definitively confirmed in this campaign. While the existence of a zero-day vulnerability was initially deemed to be highly plausible by Arctic Wolf, SonicWall’s updated product notice suggests the possible exploitation of CVE-2024-40766, a previously disclosed vulnerability from August 2024.

Arctic Wolf Labs is currently conducting research into this campaign and will share additional details as they become available. In the meantime, SonicWall’s updated guidance offers reasonable best practices that reduce the likelihood of malicious activity. We are working closely with SonicWall to keep customers protected.

Akira Ransomware

The most recent uptick in ransomware activity involving SonicWall SSLVPNs began as early as July 22, 2025, although similar malicious VPN logins have been observed to some extent since at least October 2024. Similar to the ransomware activity described in our earlier research, a short interval was observed between initial SSLVPN account access and ransomware encryption.

In contrast with legitimate VPN logins, which typically originate from networks operated by broadband internet service providers, ransomware groups often authenticate to VPNs in compromised environments from Virtual Private Server (VPS) hosting providers. The source ASN of an SSLVPN login is therefore a useful triage signal, even though hosting networks are not malicious in themselves.

Recommendations

Disable SonicWall SSLVPN Where Practical

Because this is a developing situation, disabling SSLVPN remains the most reliable option for eliminating risk tied to this campaign.

  • If SonicWall SSLVPN is not used operationally in your environment, consider disabling it altogether to reduce the risk of exploitation.
  • If SonicWall SSLVPN is used in your environment and can’t be disabled for operational reasons:
    • Consider rotating the credentials of all VPN and local firewall accounts (especially administrator accounts), as well as updating to the latest available versions of SonicOS as directed in the advisory for CVE-2024-40766.
      • Note: Rotating local credentials was recommended as part of SonicWall’s advisory for CVE-2024-40766, and is strongly recommended where firewall devices previously ran a vulnerable version at any time.
    • Active Directory (AD) credentials of users with VPN access may be rotated as an added precaution, considering that compromised firewall administrator accounts may have had the ability to extract credentials via LDAP depending on several factors. Consider at a bare minimum rotating credentials of the LDAP service account used to synchronize SonicWall devices with Active Directory.
    • Additionally, to make use of brute force mitigation features provided by SonicWall, update to SonicOS version 7.3.0.

Arctic Wolf will continue to alert Managed Detection and Response customers on potentially suspicious instances of SSLVPN logins.

Review and Implement SonicWall’s Recommendations

In the updated guidance issued by SonicWall, customers who have imported configurations from Gen 6 to newer firewalls are recommended to:

  • Update to the latest firmware version 7.3.0 by following the firmware update guide.
  • Rotate credentials on all user accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
    • Note: While SonicWall’s guidance emphasizes local firewall accounts, credentials of AD accounts with SSLVPN access may be rotated as an added precaution.
  • Enable Security Services: Ensure services such as Botnet Protection are active. These services help detect threat actors known to target SSLVPN endpoints.
  • Enforce Multi-Factor Authentication (MFA): MFA should be enabled for all remote access to reduce the risk of credential abuse.
  • Remove Unused Accounts: Delete any inactive or unused local firewall user accounts, particularly those with SSLVPN access.
  • Practice Good Password Hygiene: Encourage periodic password updates across all user accounts.

SonicWall will continue to update their product notice page with further developments in this campaign.

Configure SonicWall Integration with Arctic Wolf MDR

To provide the earliest possible visibility and alerting for the threats described in this bulletin, Arctic Wolf customers can enable SonicWall log monitoring through the Managed Detection and Response service. To configure this integration, see the following documentation page: https://docs.arcticwolf.com/bundle/m_syslog/page/configure_sonicwall_to_send_logs_to_arctic_wolf.html

Install Arctic Wolf Agent & Sysmon

Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.

Block VPN Authentication from Hosting-Related ASNs

To reduce exposure to malicious VPN activity associated with this campaign, review the listed hosting-related ASNs and consider blocking their corresponding CIDR ranges for VPN authentication.

Note: The networks described below are not inherently malicious, but when used to authenticate against VPNs, matching network activity may be considered suspicious under some circumstances. Blocking all traffic from these ASNs without limiting to VPN authentication is likely to cause operational disruption. Additionally, please note that these ASNs may include IP addresses associated with privacy VPN providers.

Indicator | ASN | Type | Description
155.117.117[.]34 | AS215703 – ALEXANDRU VLAD trading as FREAKHOSTING | IPv4 Address | VPN Client IP
45.66.249[.]93 | AS62005 – Bluevps Ou | IPv4 Address | VPN Client IP
193.239.236[.]149 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
193.163.194[.]7 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
194.33.45[.]194 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
31.222.247[.]64 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
62.76.147[.]106 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
77.247.126[.]239 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
83.229.17[.]123 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
83.229.17[.]135 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
83.229.17[.]148 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP
45.55.76[.]210 | AS14061 – DigitalOcean LLC | IPv4 Address | VPN Client IP
38.114.123[.]167 | AS63023 – Gthost | IPv4 Address | VPN Client IP
38.114.123[.]229 | AS63023 – Gthost | IPv4 Address | VPN Client IP
107.155.93[.]154 | AS29802 – Hivelocity Inc. | IPv4 Address | VPN Client IP
144.168.41[.]74 | AS29802 – Hivelocity Inc. | IPv4 Address | VPN Client IP
91.191.214[.]170 | AS29802 – Hivelocity Inc. | IPv4 Address | VPN Client IP
193.29.63[.]226 | AS63473 – Hosthatch LLC | IPv4 Address | VPN Client IP
23.94.54[.]125 | AS36352 – Hostpapa | IPv4 Address | VPN Client IP
185.33.86[.]2 | AS202015 – Hz Hosting Ltd | IPv4 Address | VPN Client IP
79.141.160[.]33 | AS202015 – Hz Hosting Ltd | IPv4 Address | VPN Client IP
79.141.173[.]235 | AS202015 – Hz Hosting Ltd | IPv4 Address | VPN Client IP
185.181.230[.]108 | AS60602 – Inovare-Prim Srl | IPv4 Address | VPN Client IP
207.188.6[.]17 | AS396356 – Latitude.Sh | IPv4 Address | VPN Client IP
107.175.102[.]58 | AS131199 – Nexeon Technologies Inc. | IPv4 Address | VPN Client IP
185.174.100[.]199 | AS8100 – Quadranet Enterprises LLC | IPv4 Address | VPN Client IP
45.56.163[.]58 | AS8100 – Quadranet Enterprises LLC | IPv4 Address | VPN Client IP
104.194.11[.]34 | AS23470 – Reliablesite.Net LLC | IPv4 Address | VPN Client IP
104.194.8[.]58 | AS23470 – Reliablesite.Net LLC | IPv4 Address | VPN Client IP
104.238.205[.]105 | AS23470 – Reliablesite.Net LLC | IPv4 Address | VPN Client IP
172.86.96[.]42 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP
144.172.110[.]103 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP
144.172.110[.]37 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP
144.172.110[.]49 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP
185.168.208[.]102 | AS21249 – GLOBAL CONNECTIVITY SOLUTIONS LLP | IPv4 Address | VPN Client IP
172.96.10[.]212 | AS64236 – Unreal Servers LLC | IPv4 Address | VPN Client IP
107.158.128[.]106 | AS62904 – Eonix Corporation | IPv4 Address | VPN Client IP
170.130.165[.]42 | AS62904 – Eonix Corporation | IPv4 Address | Command and Control
162.210.196[.]101 | AS30633 – Leaseweb USA Inc. | IPv4 Address | Exfiltration
206.168.190[.]143 | AS14315 – 1gservers LLC | IPv4 Address | Exfiltration


Note: Some additional IOCs provided in our October 2024 research may still be valid, but have not yet been observed in the most recent cluster of malicious activity.
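The triage logic behind the two points above (hosting ASNs as a login signal, and restricting blocks to VPN authentication rather than all traffic) can be run over firewall logs directly. The following is an added example written for this bulletin, not Arctic Wolf or SonicWall code. The log lines are constructed in a key=value syslog shape and the ASN map uses RFC 5737/RFC 6598 documentation prefixes with made-up AS numbers so that it runs offline; in production the ASN lookup would come from a BGP, WHOIS or GeoIP-ASN source, and the field names would follow the firewall's actual syslog schema. The campaign client IPs are a subset of the indicator table above.

```python
"""Triage SSLVPN login events against campaign IOCs and hosting-provider ASNs."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical ASN map: (network, ASN, organisation, category). Documentation
# prefixes and private-use AS numbers stand in for a real BGP/WHOIS lookup.
ASN_MAP = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64500", "Example Hosting Ltd", "hosting"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64501", "Example Broadband ISP", "isp"),
    (ipaddress.ip_network("100.64.0.0/10"), "AS64502", "Example Mobile Carrier", "isp"),
]

# VPN client IPs and ASNs reproduced from the bulletin's indicator table (subset).
CAMPAIGN_VPN_CLIENT_IPS = {
    "155.117.117.34": "AS215703 FREAKHOSTING",
    "45.66.249.93": "AS62005 Bluevps Ou",
    "193.239.236.149": "AS62240 Clouvider Limited",
    "45.55.76.210": "AS14061 DigitalOcean LLC",
    "144.172.110.103": "AS14956 RouterHosting LLC",
}

# Constructed sample events; field layout mimics key=value firewall syslog.
CONSTRUCTED_LOGS = """\
time="2025-07-22 02:11:09" fw=192.0.2.1 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=198.51.100.23
time="2025-07-22 02:14:41" fw=192.0.2.1 msg="SSL VPN zone remote user login allowed" usr="svc_backup" src=203.0.113.77
time="2025-07-22 02:15:02" fw=192.0.2.1 msg="SSL VPN zone remote user login allowed" usr="admin" src=193.239.236.149
time="2025-07-22 02:15:30" fw=192.0.2.1 msg="SSL VPN zone remote user login failed" usr="admin" src=193.239.236.149
time="2025-07-22 02:40:00" fw=192.0.2.1 msg="SSL VPN zone remote user login allowed" usr="mrichards" src=100.64.12.9
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse a key=value line where values may be double-quoted (spaces allowed) or bare."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def lookup_asn(ip: str) -> Optional[tuple]:
    """Return (asn, org, category) for the first matching prefix, or None if unmapped/invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, asn, org, category in ASN_MAP:
        if addr in net:
            return asn, org, category
    return None


@dataclass
class Finding:
    time: str
    user: str
    src: str
    asn: str
    severity: str  # "high" (campaign IOC), "medium" (hosting ASN) or "none"
    reason: str


def triage(line: str) -> Optional[Finding]:
    """Classify one SSLVPN authentication event; non-login events yield None."""
    ev = parse_event(line)
    if "login" not in ev.get("msg", "").lower() or "src" not in ev:
        return None
    src, user, when = ev["src"], ev.get("usr", "?"), ev.get("time", "?")
    if src in CAMPAIGN_VPN_CLIENT_IPS:  # exact indicator match beats any ASN reasoning
        return Finding(when, user, src, CAMPAIGN_VPN_CLIENT_IPS[src], "high",
                       "source IP listed as a campaign VPN client IP")
    hit = lookup_asn(src)
    if hit and hit[2] == "hosting":
        return Finding(when, user, src, f"{hit[0]} {hit[1]}", "medium",
                       "VPN authentication from a hosting-provider ASN")
    return Finding(when, user, src, f"{hit[0]} {hit[1]}" if hit else "unknown", "none",
                   "residential/ISP or unmapped source")


def triage_log(text: str) -> list:
    return [f for f in (triage(line) for line in text.splitlines()) if f]


def block_candidates(findings) -> set:
    """Ranges to deny for VPN authentication only: hosting prefixes that actually
    authenticated, plus /32s for campaign indicators. Not a general traffic block."""
    nets = set()
    for f in findings:
        if f.severity == "high":
            nets.add(f"{f.src}/32")
        elif f.severity == "medium":
            addr = ipaddress.ip_address(f.src)
            nets.update(str(net) for net, _, _, _ in ASN_MAP if addr in net)
    return nets


if __name__ == "__main__":
    results = triage_log(CONSTRUCTED_LOGS)
    for f in results:
        print(f"{f.time} {f.severity:6} {f.user:12} {f.src:16} {f.asn} ({f.reason})")
    print("VPN-auth deny candidates:", sorted(block_candidates(results)))
```

Failed logins from flagged sources are kept deliberately, since repeated failures from a hosting ASN are the brute-force pattern the SonicOS 7.3.0 mitigations target; a real deployment would add a per-source failure counter and feed the deny candidates into a rule scoped to the SSLVPN service, not the whole WAN interface.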
