CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

First reported
Last updated
4 unique sources, 5 articles

Summary

Hide ▲

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules. The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as well as hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use.

Timeline

  1. 11.09.2025 13:33 3 articles · 18d ago

    Akira Exploits SonicWall Vulnerabilities and Misconfigurations

    The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations. Akira ransomware exploits broad access permissions of the Default Users Group and default public access permissions for the Virtual Office Portal on SonicWall devices. SonicWall recommends updating to firmware version 7.3.0 or later, rotating account passwords, enforcing multi-factor authentication (MFA), and mitigating SSLVPN Default Groups risk. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.

    Show sources
    Open in new tab
  2. 28.08.2025 21:49 5 articles · 1mo ago

    Akira and Cl0p Lead Ransomware Attacks in 2025

    The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

Akira Ransomware Group Disables KNP Logistics Group with Weak Password Exploit

The Akira ransomware group successfully breached KNP Logistics Group (formerly Knights of Old) in June 2025. The attackers exploited a weak employee password to gain access to the company's internet-facing systems. Once inside, they deployed ransomware, encrypted critical data, and destroyed backups, leading to the company's collapse. The incident resulted in the loss of 700 jobs and significant economic impact in Northamptonshire. The attack underscores the critical importance of strong password policies and multi-factor authentication (MFA) in preventing ransomware attacks. The breach highlights the persistent risk posed by weak passwords, with 45% of compromised passwords crackable within a minute. The attack also demonstrates the broader consequences of ransomware attacks, including job losses and economic disruption.

Open in new tab

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

SonicWall has released a firmware update to remove rootkit malware from SMA 100 series devices, following a breach that exposed firewall configuration backup files. The breach, caused by brute-force attacks, affected less than 5% of customers and may have exposed sensitive information. SonicWall has advised customers to reset credentials and update secrets. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds. There is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts, resulting in the exposure of firewall configuration backup files for less than 5% of its customers. The breach, caused by a series of brute-force attacks, could facilitate easier exploitation of SonicWall firewalls by threat actors. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off attackers' access and is collaborating with cybersecurity and law enforcement agencies. The exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds. SonicWall confirmed that attackers accessed the API service for cloud backup and there is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and reoccurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.

Open in new tab

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

Open in new tab