Since late July 2025, Arctic Wolf has tracked an increase in Akira ransomware activity targeting SonicWall SSL VPN accounts. This campaign remains active and continues to evolve, with new infrastructure tied to it observed as recently as September 20, 2025.
Threat actors affiliated with Akira ransomware have been known to target VPN infrastructure as an initial access vector in previous campaigns against other firewall devices, and have exploited vulnerabilities such as CVE-2023-20269 in Cisco ASA and CVE-2020-3259 in Cisco AnyConnect.
These are the key elements of the latest Akira ransomware campaign targeting SonicWall devices:
- Credential Use: Threat actors are accessing SSL VPN accounts through credentials likely to have been previously exfiltrated with CVE-2024-40766, including accounts with OTP MFA enabled.
- Extraordinarily short dwell time: In dozens of recent intrusions, attackers moved from credential access to lateral movement, exfiltration, and encryption in under four hours—with some as fast as 55 minutes.
- Infrastructure changes: Threat actors are rotating VPS-based client infrastructure, attempting to evade detection.
- Widespread impact: Victims span multiple industries and organization sizes, indicating opportunistic mass exploitation rather than targeted intrusions.
SonicWall has indicated that this campaign is likely related to past exploitation of CVE-2024-40766. From this perspective, devices that previously ran firmware versions affected by that vulnerability may have been silently exploited, with follow-on credential use taking place at a later time. Arctic Wolf has detection coverage through our Managed Detection and Response Platform for key aspects of this campaign, including tracking of hosting-related VPN logins and Impacket SMB activity.
Additionally, SonicWall recently disclosed an incident involving the MySonicWall cloud backup service. While SonicWall has stated the incident was not a ransomware event, the full extent of this breach may not yet be fully known. At this time, there is no evidence linking the MySonicWall cloud backup file incident to the Akira ransomware campaign described here.
Arctic Wolf will continue to publish updates as this campaign evolves. A full threat research blog with additional technical details will be published today, and will be available from the following page: https://arcticwolf.com/resources/tag/threat-research/
Recommendations
Reset SSL VPN and Active Directory Credentials
If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets. This includes both local firewall accounts and LDAP-synchronized Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle.
Resetting LDAP synchronization accounts is especially critical, as we have observed logins against these accounts despite them not being intended for VPN access.
Review and Implement SonicWall’s Recommendations
In addition to resetting credentials, SonicWall has provided specific recommendations to customers who have imported configurations from Gen 6 to newer firewalls:
- Update to the latest firmware version 7.3.0 by following the firmware update guide.
- Enable Security Services: Ensure services such as Botnet Protection are active. These services help detect threat actors known to target SSLVPN endpoints.
- Enforce Multi-Factor Authentication (MFA): MFA should be enabled for all remote access to reduce the risk of credential abuse.
- Remove Unused Accounts: Delete any inactive or unused local firewall user accounts, particularly those with SSLVPN access.
- Practice Good Password Hygiene: Encourage periodic password updates across all user accounts.
SonicWall will continue to update their product notice page with further developments in this campaign.
Block VPN Access to Malicious IPs and Hosting-Related ASNs
Initial access in this campaign is predominantly tied to logins from VPS hosting providers. Legitimate business VPN logins typically originate from broadband or SD-WAN providers, not VPS hosting infrastructure. Arctic Wolf is monitoring for new logins from a selection of network providers associated with this campaign.
Where possible, these IP addresses and ASNs can be blocked outright at the firewall level for SSL VPN logins on SonicWall or other firewall devices.
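As an added example (not Arctic Wolf's detection logic and not SonicWall's actual log schema), the following Python check parses simplified, constructed SonicWall-style SSL VPN login syslog lines, maps each client IP to an ASN through a constructed prefix table, and flags logins that originate from hosting providers, raising severity when the account is one that should never log in over VPN, such as an LDAP synchronization account. The prefixes, ASN names, usernames and the msg/usr/src field names are assumptions for illustration only.

```python
import ipaddress
import re
from typing import Optional

# Constructed prefix -> ASN table. Assumption: in production this comes from a
# routing or GeoIP/ASN feed. These are documentation prefixes, not bulletin IoCs.
HOSTING_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64500 Example VPS Hosting",
    ipaddress.ip_network("198.51.100.0/24"): "AS64501 Example Cloud Hosting",
}

# Constructed, simplified SonicWall-style key=value syslog lines. Assumption: real
# SonicOS messages carry more fields; only msg=, usr= and src= are used here.
SAMPLE_LOGS = [
    'id=firewall time="2025-09-20 02:11:07" m=1080 msg="SSL VPN zone remote user login allowed" usr="j.smith" src=203.0.113.45',
    'id=firewall time="2025-09-20 02:12:31" m=1080 msg="SSL VPN zone remote user login allowed" usr="svc_ldap_sync" src=203.0.113.45',
    'id=firewall time="2025-09-20 08:03:59" m=1080 msg="SSL VPN zone remote user login allowed" usr="a.jones" src=192.0.2.17',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Return the key=value fields of one syslog line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def hosting_asn(ip: str) -> Optional[str]:
    """Return the hosting ASN label for ip, or None if it is not in a hosting prefix."""
    addr = ipaddress.ip_address(ip)
    for net, asn in HOSTING_PREFIXES.items():
        if addr in net:
            return asn
    return None


def flag_hosting_logins(lines, service_accounts=("svc_ldap_sync",)):
    """Return one alert per successful SSL VPN login sourced from a hosting ASN."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        msg = f.get("msg", "")
        if "SSL VPN" not in msg or "login allowed" not in msg:
            continue
        src = f.get("src", "").split(":")[0]  # strip a trailing :port if present
        asn = hosting_asn(src)
        if asn is None:
            continue
        # accounts that are never meant to use VPN (e.g. LDAP sync) get higher severity
        severity = "high" if f.get("usr") in service_accounts else "medium"
        alerts.append({"time": f.get("time"), "user": f.get("usr"),
                       "src": src, "asn": asn, "severity": severity})
    return alerts
```

Running `flag_hosting_logins(SAMPLE_LOGS)` yields two alerts for the constructed input, one medium and one high, and none for the broadband-style source.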
Below is an updated table of infrastructure associated with this campaign. Blocking VPN logins from these client IP addresses and ASNs reduces exposure to opportunistic exploitation, regardless of the firewall model being targeted.
Update to SonicOS 7.3.0 and Follow SonicWall Guidance
While intrusions have been observed against even the latest firmware, SonicWall has introduced brute-force and MFA hardening in SonicOS 7.3.0. Updating remains a best practice and aligns with SonicWall’s most recent guidance.
Where possible, enforce MFA for all remote access, remove unused accounts, and ensure that security services like Botnet Protection are active.
Deploy Arctic Wolf Agent & Sysmon
The Arctic Wolf Agent with Sysmon provides the endpoint and network visibility required to detect lateral movement, credential access, and ransomware staging activities. If not already deployed, we strongly recommend doing so across all domain controllers, file servers, and internet-facing systems.
- For instructions on how to install Arctic Wolf Agent, see the install guides below:
- If you have a supported EDR solution deployed in your environment, configure it for monitoring with Arctic Wolf.
Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a test environment before deploying to production.
Configure SonicWall Integration with Arctic Wolf MDR
To provide early visibility and alerting for the threats described in this bulletin, Arctic Wolf customers can enable SonicWall log monitoring through the Managed Detection and Response service. To configure this integration, see the following documentation page: https://docs.arcticwolf.com/bundle/m_syslog/page/configure_sonicwall_to_send_logs_to_arctic_wolf.html