👤 WHITEHAWK
🗓️ 11 Sep 2025  

Akira Ransomware Breaches: How One SonicWall Flaw Opened the Floodgates

Cybercriminals are exploiting a year-old SonicWall SSL VPN vulnerability and misconfigurations to unleash Akira ransomware attacks across industries worldwide.

Fast Facts

  • Akira ransomware actors are actively targeting SonicWall SSL VPNs using a critical flaw (CVE-2024-40766) and misconfigurations.
  • This vulnerability allows attackers to bypass security controls and gain privileged access to corporate networks.
  • Akira has claimed nearly a thousand victims since its emergence in 2023, with manufacturing and transportation sectors especially hard-hit.
  • Attackers use a mix of brute-force attacks, credential theft, and malware loaders like Bumblebee and AdaptixC2.
  • Experts urge organizations to reset passwords, tighten account policies, and restrict remote access to prevent compromise.

The Flaw That Opened the Door

Imagine locking your front door, only to discover a hidden passage left open during renovations. That’s the scenario thousands of organizations face with SonicWall’s SSL VPN firewalls. A year-old vulnerability - CVE-2024-40766 - meant that when these devices were upgraded, passwords for local users weren’t reset. This “carryover” left a backdoor, ready for anyone with the right (or stolen) keys.

The Akira ransomware gang, ever watchful for soft targets, pounced. According to cybersecurity firm Rapid7, a surge in attacks began after new Akira activity was spotted in late July 2025. SonicWall confirmed that malicious actors are hammering away at user credentials, often using automated brute-force attacks - think of a robot endlessly guessing passwords until it hits the jackpot.
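The brute-force pattern described above is detectable from VPN authentication logs. The following is an added illustration, not code from the article, SonicWall, or Rapid7: it runs a sliding-window check over constructed log lines (the four-field format is an assumption, not SonicWall's real syslog format) and flags sources hammering one account, sources spraying many accounts, and any successful login that follows such a burst, which is the credential a defender should reset first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed format, not SonicWall's): time, user, source IP, result
SAMPLE_LOG = """\
2025-07-28T02:10:01 alice 203.0.113.7 FAIL
2025-07-28T02:10:03 alice 203.0.113.7 FAIL
2025-07-28T02:10:05 alice 203.0.113.7 FAIL
2025-07-28T02:10:06 alice 203.0.113.7 FAIL
2025-07-28T02:10:08 alice 203.0.113.7 FAIL
2025-07-28T02:10:09 alice 203.0.113.7 SUCCESS
2025-07-28T02:11:00 bob 198.51.100.9 FAIL
2025-07-28T02:11:04 carol 198.51.100.9 FAIL
2025-07-28T02:11:09 dave 198.51.100.9 FAIL
2025-07-28T02:11:15 erin 198.51.100.9 FAIL
2025-07-28T02:11:20 frank 198.51.100.9 FAIL
2025-07-28T09:00:00 bob 192.0.2.44 SUCCESS
"""

def parse(text):
    """Turn the constructed log text into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return (brute_force_sources, spraying_sources, suspect_logins).
    brute force : >= threshold failures from one source inside the window
    spraying    : >= threshold distinct users failing from one source inside the window
    suspect     : a SUCCESS from a source that already crossed the failure threshold
    """
    fails = defaultdict(deque)  # source -> recent (time, user) failures within window
    brute, spray, suspect = set(), set(), []
    for ts, user, src, result in sorted(events):
        q = fails[src]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold:
                brute.add(src)
            if len({u for _, u in q}) >= threshold:
                spray.add(src)
        elif src in brute:  # a success riding on a burst of failures: treat as compromised
            suspect.append((user, src))
    return brute, spray, suspect
```

On the sample data this flags both sources as brute forcing, the second as password spraying, and alice's login from 203.0.113.7 as a likely compromised credential.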

Misconfigurations: The Silent Accomplices

But it’s not just the flaw itself - missteps in configuration play a huge role. One critical setting, the LDAP SSL VPN Default User Group, can automatically grant broad network access to anyone who logs in, regardless of their real role. If a cybercriminal compromises even a low-level account, this misconfiguration turns a minor breach into a full-blown invasion, bypassing intended security barriers.

Adding to the chaos, the SonicWall Virtual Office Portal, if left open to the internet, can let attackers set up their own two-factor authentication if they’ve already stolen credentials, making it even harder to kick them out.

Akira’s Playbook: From Phishing to Ransom

Akira isn’t just relying on one trick. Their attacks often start with phishing (deceptive emails or calls) or SEO poisoning - rigging search results so IT staff download malware disguised as useful tools. Once inside, they deploy the Bumblebee loader to launch AdaptixC2, an open-source framework that lets them control compromised systems, steal data, and install persistent access tools like RustDesk.

From there, the script is chillingly familiar: escalate privileges, hunt for sensitive files, delete backups, and finally encrypt everything - demanding a ransom to restore access. According to reports from Dragos and Palo Alto Networks, Akira’s methods are modular and adaptable, making them a nightmare to predict or contain.

The Big Picture: Lessons Not Yet Learned

Akira’s campaign against SonicWall devices is only the latest chapter in an escalating ransomware arms race. Similar flaws in VPNs have been exploited before - by REvil in 2021, and by LockBit in 2022 - highlighting a persistent market appetite for remote access, and the risks when convenience trumps vigilance. The Australian Cyber Security Centre and global experts are sounding the alarm, but many organizations, especially in manufacturing and transport, remain in the crosshairs due to legacy systems and lax configurations.

While Akira may be one of many ransomware groups, their ongoing spree underscores a hard truth: in cybersecurity, yesterday’s oversight is tomorrow’s crisis. Organizations must not only patch vulnerabilities, but also audit their digital “blueprints” for hidden passages - before someone else finds them first.

In an era where cybercriminals adapt as fast as defenders, every overlooked setting or unreset password is an open invitation. The SonicWall saga is a stark reminder: cyber hygiene isn’t a one-time job - it’s a relentless pursuit.

WIKICROOK

  • SSL VPN: An SSL VPN lets remote users securely access a company network over the internet using encryption to protect data during transmission.
  • Brute-force attack: A brute-force attack is an automated hacking method where attackers try many passwords or keys until they find the correct one to gain unauthorized access.
  • LDAP: LDAP is a protocol that manages user information and permissions, enabling secure login and access control in many corporate systems.
  • Bumblebee loader: Bumblebee loader is malware that enables cybercriminals to deliver and install other harmful software on a victim’s computer, facilitating attacks.

WHITEHAWK
Cyber Intelligence Strategist