Akira Ransomware Activity Increasingly Focused on SonicWall Virtual Private Networks
Ransomware Threat Targets SonicWall SSL VPNs: Arctic Wolf Issues Warning
Network edge devices, including VPNs, firewalls, and routers, have recently become popular targets for ransomware actors because they are exposed to the public internet and provide access to sensitive corporate resources.
The security company Arctic Wolf has issued a series of recommendations to mitigate the risk. One of the key measures is enforcing multi-factor authentication (MFA) for all remote access, which reduces the risk of credential abuse.
Arctic Wolf also encourages good password hygiene, including periodic password updates, and advises removing unused or inactive local firewall user accounts with SSL VPN access.
The concern revolves around a potential zero-day vulnerability in SonicWall SSL VPNs. SonicWall is actively investigating a recent increase in reported cyber incidents involving Gen 7 firewalls with SSLVPN enabled. The available evidence suggests the existence of such a vulnerability.
Threat actors have been able to obtain VPN access through SonicWall SSL VPNs, with only a short interval between that VPN access and ransomware encryption. Arctic Wolf observed multiple pre-ransomware intrusions in late July, all of which targeted SonicWall devices.
The security company CrowdStrike reported many alleged ransomware intrusions in a security advisory on Friday, July 15, 2025. No definitive evidence has been found that credential access was gained through brute force, dictionary attacks, or credential stuffing in all cases.
Ransomware groups often authenticate to the VPN of a compromised environment from Virtual Private Server (VPS) hosting. Arctic Wolf suggests reviewing hosting-related ASNs and considering blocking their corresponding CIDR ranges for VPN authentication.
In light of these developments, Arctic Wolf urges SonicWall SSL VPN customers to consider disabling the service until a patch is deployed. They also recommend enabling security services such as botnet protection to help detect threat actors. Additionally, Arctic Wolf suggests enabling SonicWall log monitoring through their Managed Detection and Response service.
It's worth noting that legitimate VPN logins typically originate from networks operated by broadband internet service providers. Even so, malicious logins have still occurred, and Arctic Wolf has observed them since October 2024, with an uptick in activity starting on July 15, 2025.
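The ASN/CIDR review that Arctic Wolf recommends, and the contrast between broadband and hosting-sourced logins noted above, can be turned into a simple triage check. The following is an added example, not code from Arctic Wolf or SonicWall: it takes a constructed deny-list of hosting CIDR ranges (documentation test networks, not real provider allocations) and constructed SSL VPN login records in an illustrative format (not SonicWall's actual log syntax), and flags successful logins sourced from those ranges for review.

```python
import ipaddress
from dataclasses import dataclass

# Constructed deny-list standing in for the CIDR ranges of VPS hosting ASNs
# an organisation has chosen to block for VPN authentication.
# These are RFC 5737 documentation ranges, not real provider allocations.
HOSTING_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder "VPS provider A"
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder "VPS provider B"
]

# Constructed SSL VPN login records: (timestamp, user, source IP, outcome).
# The layout is illustrative only; map real firewall logs into it first.
SAMPLE_LOGINS = [
    ("2025-07-15T08:02:11Z", "jsmith",  "192.0.2.45",   "success"),
    ("2025-07-15T08:05:40Z", "admin",   "203.0.113.77", "success"),
    ("2025-07-15T08:06:02Z", "svc_vpn", "198.51.100.9", "success"),
    ("2025-07-15T09:14:59Z", "mlee",    "192.0.2.130",  "failure"),
]

@dataclass
class Finding:
    timestamp: str
    user: str
    source_ip: str
    matched_cidr: str

def hosting_range_for(ip: str):
    """Return the denied CIDR range that contains ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for net in HOSTING_CIDRS:
        if addr in net:
            return net
    return None

def flag_hosting_logins(logins):
    """Return a Finding for every successful login sourced from a denied range.
    Failed attempts are skipped; they belong in a separate brute-force review."""
    findings = []
    for ts, user, ip, outcome in logins:
        if outcome != "success":
            continue
        net = hosting_range_for(ip)
        if net is not None:
            findings.append(Finding(ts, user, ip, str(net)))
    return findings

if __name__ == "__main__":
    for f in flag_hosting_logins(SAMPLE_LOGINS):
        print(f"REVIEW: {f.timestamp} user={f.user} src={f.source_ip} in {f.matched_cidr}")
```

Successful logins from a flagged range are the ones to cross-check against the short access-to-encryption window described above; the failed login is left for a separate credential-attack review.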
These devices often lack endpoint detection and response (EDR), creating a security blind spot for network defenders. As such, it is crucial for organisations to stay vigilant and follow best practices in securing their network edge devices.