If you’re using a SonicWall firewall to protect your network, now’s the time to pay close attention.
A recent surge in Akira ransomware attacks has been targeting SonicWall SSL VPN devices, and cybersecurity researchers are raising serious concerns. The attack pattern is fast, silent, and potentially devastating for businesses that haven’t patched their systems or hardened their remote access settings.
So what’s going on—and how can you protect yourself? Let’s break it down.

1. What Is Akira Ransomware?
Akira is a type of ransomware that first appeared in March 2023. Since then, it’s become one of the most active ransomware strains out there, reportedly earning over $42 million in ransom payments from more than 250 victims, according to a joint advisory by the FBI and CISA.
Akira follows a classic double-extortion model. It doesn’t just encrypt your files—it also steals sensitive data and threatens to leak it if you don’t pay. Victims have included schools, manufacturers, healthcare companies, and even local governments.
2. Why SonicWall Devices Are Being Targeted
In mid-July 2025, Arctic Wolf Labs, Critical Path Security, and others began reporting a sharp rise in Akira attacks specifically targeting SonicWall SSL VPNs.
Most of these breaches involve devices that:
- Do not use Multi-Factor Authentication (MFA)
- Are running older or unpatched firmware
- Are remotely accessible via SSL VPN without strong access controls
According to Arctic Wolf, attackers are likely abusing a zero-day vulnerability—one that had no patch at the time of discovery—in SonicWall’s firewall operating system, SonicOS. This vulnerability is now tracked as CVE-2024-40766 and has since been patched.
But during the attack wave, many organizations were still running the following vulnerable versions:
- Gen 5: SonicOS ≤ 5.9.2.14-12o
- Gen 6: SonicOS ≤ 6.5.4.14-109n
- Gen 7: SonicOS ≤ 7.0.1-5035
These models were especially exposed when administrators failed to enable MFA for VPN logins.
3. How Akira Gets In
Attackers use SonicWall’s SSL VPN interface to gain access—often with stolen or weak credentials. Once inside, they move quickly:
- Disable security tools.
- Spread laterally across the network.
- Encrypt critical systems (backups, virtual machines, databases).
- Exfiltrate sensitive data.
- Leave behind a ransom note demanding payment in cryptocurrency.
In many cases, the attack is complete within a few hours, making early detection and response incredibly difficult.
Cybersecurity firms like Critical Path Security noted that most attacks come from IP addresses belonging to cloud-hosting providers, not regular internet service providers—another red flag for defenders to watch out for.
4. Why This Spike Is Different
This isn’t just another ransomware case.
Security teams reported a sudden spike in activity starting mid-July 2025, all pointing toward SonicWall SSL VPNs. The speed, consistency, and choice of entry point have led multiple researchers to believe that a zero-day exploit was used before the patch became public.
Although SonicWall released firmware updates and published security advisories, many organizations hadn’t applied them in time—and paid the price.
5. Who Is at Risk?
You’re at high risk if:
- You use SonicWall Gen 5, 6, or early Gen 7 devices.
- You haven’t updated your firewall firmware in the last few weeks.
- You don’t have MFA enabled for remote access.
- Your SSL VPN is accessible from anywhere without IP restrictions.
This includes schools, small businesses, managed service providers (MSPs), and even some government offices.
6. What You Should Do Right Now
Here are actionable steps you can take immediately to reduce risk:
- 🔄 Update your SonicWall firmware to the latest version. Patches addressing CVE-2024-40766 are available.
- 🔐 Enforce MFA on all remote and VPN accounts—no exceptions.
- 🛑 Disable SSL VPN if you’re not actively using it.
- 🌐 Restrict remote access to known IP ranges or internal management networks.
- 🧠 Review login logs for any suspicious or unknown VPN logins.
- 💾 Ensure you have offline backups that can’t be reached through the VPN.
- 👀 Monitor traffic and endpoint activity using SIEM or EDR tools.
- 🚧 Segment critical systems from general network traffic.
As Arctic Wolf noted, once Akira gets in, you may only have minutes before systems are locked. Prevention is truly your best defense here.
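To make the log-review step concrete, here is an added example (not from SonicWall or the researchers cited above) that flags successful SSL VPN logins from outside your expected ranges and calls out hosting-provider sources, the pattern noted in section 3. The key=value log layout, field names, and IP ranges are assumptions; adapt them to what your firewall actually exports.

```python
import ipaddress
import re

# Assumption: networks your users legitimately connect from (documentation range).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: hosting-provider ranges; in practice load the providers' published lists.
HOSTING_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in a simplified key=value layout (not real device output).
SAMPLE_LOG = '''\
time="2025-07-20 02:11:40" event=sslvpn_login result=success usr=jsmith src=203.0.113.25
time="2025-07-20 03:02:09" event=sslvpn_login result=failure usr=backup src=198.51.100.77
time="2025-07-20 03:02:41" event=sslvpn_login result=success usr=backup src=198.51.100.77
time="2025-07-20 03:40:12" event=sslvpn_login result=success usr=mlee src=192.0.2.14
time="2025-07-20 03:55:00" event=sslvpn_login result=success usr=tkim src=unknown
time="2025-07-20 04:00:00" event=config_change usr=admin src=203.0.113.5
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def classify(src):
    """Return None for an expected source, otherwise the reason to review it."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable source address"
    if any(ip in net for net in ALLOWED_NETS):
        return None
    if any(ip in net for net in HOSTING_NETS):
        return "hosting-provider source"
    return "outside allowed ranges"

def triage(log_text):
    """List successful SSL VPN logins whose source address needs review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "sslvpn_login" or rec.get("result") != "success":
            continue
        reason = classify(rec.get("src", ""))
        if reason:
            findings.append((rec.get("time"), rec.get("usr"), rec.get("src"), reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A login whose source cannot be parsed is reported rather than skipped, so a malformed or spoofed field does not hide an event from review.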
7. SonicWall’s Response
SonicWall has acknowledged the issue and released security advisories and firmware updates to patch the affected SonicOS versions. Admins are strongly advised to follow SonicWall’s best practices, including enabling MFA and restricting VPN access.
8. Final Thoughts
The recent wave of Akira ransomware attacks is a wake-up call for anyone relying on SonicWall devices—especially older models that haven’t been patched or hardened properly.
This isn’t just about tech. It’s about business continuity, data privacy, and trust.
So don’t wait for a ransom note to appear on your screen. Patch now. Secure now. Stay ahead.