Akira ransomware deployment on SonicWall SSL VPN devices
Malware Activity
Summary
The Akira ransomware operation has used SonicWall SSL VPN compromise paths to deploy payloads quickly, increasing the risk of broad cross-sector impact. A Nov. 14 joint cybersecurity advisory from US government agencies and international partners says Akira also leveraged CVE-2024-40766 to gain access, while some incidents saw data exfiltration in just over two hours from initial access. The advisory adds that Akira has broadened its tradecraft to include Nutanix AHV VM disk encryption, alongside SSH, Veeam, AnyDesk, LogMeIn, Impacket, Ngrok, PowerShell, and WMIC.
Related Happenings
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware Activity
First: 13.03.2026 15:23
Last: 13.03.2026 15:23
Sources 1
About this happening:
A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
SonicWall MySonicWall cloud backup breach exposing firewall backup files
Data Leak
First: 29.01.2026 19:57
Last: 29.01.2026 19:57
Sources 1
How related:
"The breach, according to the latest update, affects all customers who have used SonicWall's cloud backup service."
About this happening:
**SonicWall** said a **state-sponsored threat actor** stole **firewall configuration backup files** from its **MySonicWall cloud backup service** in a **September** security breac...
Qilin, Akira and Sinobi late-2025 ransomware wave
Campaign
First: 29.01.2026 15:01
Last: 29.01.2026 15:01
Sources 1
About this happening:
A **late-2025 ransomware wave** led by **Qilin**, **Akira** and **Sinobi** increased pressure on **organizations** as operators prioritized **fast access and execution** to evade...
Timeline
29.09.2025 23:53 · 4 articles
Arctic Wolf expands Akira campaign analysis against SonicWall SSL VPN customers
Technical Analysis Update
Arctic Wolf expanded its analysis of an ongoing Akira ransomware campaign against SonicWall SSL VPN customers, describing malicious SSL VPN logins that bypassed OTP multi-factor authentication (MFA), followed within minutes by port scanning, Impacket SMB activity, and rapid ransomware deployment. The analysis said the campaign had been active since mid-July 2025, with similar malicious VPN logins traced back to last October, and that new infrastructure linked to the activity was observed as late as September 20, 2025. SonicWall guidance recommended updating firmware to version 7.3.0 and resetting SSL VPN passwords, while Arctic Wolf also advised monitoring for VPN logins from untrusted hosting providers, anomalous SMB activity, and MFA-related credential resets.
- Akira Hits SonicWall VPNs in Broad Ransomware Campaign — www.darkreading.com — 29.09.2025 23:53
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts — thehackernews.com — 11.10.2025 16:30
- Akira Ransomware Haul Surpasses $244M in Illicit Proceeds — www.infosecurity-magazine.com — 14.11.2025 13:13