Alarming Rise in Akira Ransomware Attacks Since July 2025
An alarming rise in Akira ransomware attacks since July 2025 has security experts on high alert. Organizations across various sectors and sizes are falling victim to these opportunistic strikes, in which ransomware is deployed within hours of initial access to their systems.
The Akira affiliates, linked to the Akira ransomware-as-a-service outfit, are exploiting a critical flaw in SonicWall devices (CVE-2024-40766) to gain unauthorized access to systems. They've been active since late July, targeting diverse industries and organization sizes. Once they gain access, they can deploy ransomware in a mere four hours or less.
Attackers are capitalizing on additional weaknesses, such as misconfigured SonicWall SSLVPN Default Users Group settings and accessible Virtual Office Portals. They're also exploiting pre-existing credentials, bypassing multi-factor authentication. Some organizations, despite patching or upgrading, have not rotated local user passwords, allowing attackers to reuse credentials and gain further access.
Security experts advise monitoring for logins from VPS hosting providers, unusual SMB activity, and network scanning or archival tools running from odd server locations. Early detection and swift response are crucial due to the short window between initial access and ransomware deployment.
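The monitoring advice above can be turned into a simple correlation rule. The following is an added example, not part of the original article: it flags VPN logins from hosting-provider ranges and escalates them when SMB fan-out or a watched tool follows within the four-hour window. The log format, field names, CIDR ranges, tool names, threshold, and the assumption that the same username appears on the VPN and internally are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: RFC 5737 documentation ranges as placeholders for hosting-provider CIDRs.
HOSTING_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]
WINDOW = timedelta(hours=4)  # access-to-deployment window reported above
TOOL_WATCHLIST = {"archiver.exe", "netscan.exe"}  # hypothetical names, not from the page

# Constructed sample events: timestamp, type, user, source IP, detail.
SAMPLE_LOG = """\
2025-08-01T02:10:00 vpn_login alice 192.0.2.15 -
2025-08-01T02:14:00 vpn_login svc_backup 203.0.113.77 -
2025-08-01T02:31:00 smb_session svc_backup 10.0.5.20 hosts=42
2025-08-01T03:05:00 process_start svc_backup 10.0.5.20 archiver.exe
2025-08-01T09:00:00 smb_session alice 10.0.5.31 hosts=2
"""

def parse(line):
    ts, kind, user, src, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "user": user, "src": src, "detail": detail}

def from_hosting(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOSTING_RANGES)

def follow_up(event, smb_host_threshold):
    """Label an event if it matches one of the post-login indicators."""
    if event["kind"] == "smb_session":
        hosts = int(event["detail"].partition("=")[2])
        return "smb_fanout" if hosts >= smb_host_threshold else None
    if event["kind"] == "process_start" and event["detail"].lower() in TOOL_WATCHLIST:
        return "tool:" + event["detail"]
    return None

def triage(log_text, smb_host_threshold=10):
    """Return one alert per VPN login from a hosting range, with follow-ups."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    for login in events:
        if login["kind"] != "vpn_login" or not from_hosting(login["src"]):
            continue
        hits = [label for e in events
                if e["user"] == login["user"]
                and login["ts"] < e["ts"] <= login["ts"] + WINDOW
                and (label := follow_up(e, smb_host_threshold))]
        alerts.append({"user": login["user"], "src": login["src"],
                       "severity": "critical" if hits else "review", "followups": hits})
    return alerts
```

A hosting-range login with no follow-up activity is returned with severity `review`, so the login is visible to responders before any lateral movement is observed.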
SonicWall device users are urged to reset all credentials, including SSL VPN passwords and OTP MFA secrets, especially for accounts with SSL VPN access. Organizations must remain vigilant, monitor for suspicious activities, and promptly address any security gaps to mitigate the risk of falling prey to Akira ransomware attacks.