Cybercriminals Target SonicWall Firewalls to Deploy Akira Ransomware via Malicious Login Attempts


By Mayura Kathir

Security teams face a rapidly evolving campaign that abuses compromised SonicWall SSL VPN credentials to deliver Akira ransomware in under four hours—dwell times among the shortest ever recorded for this type of threat.

Within minutes of successful authentication—often originating from hosting-related ASNs—threat actors initiated port scans, leveraged Impacket SMB tools for discovery, and deployed the Akira ransomware across diverse environments.

Targets ranged from small enterprises to large organizations in multiple sectors, indicating opportunistic, wide-scale exploitation. New malicious infrastructure tied to this campaign continued to be observed as recently as September 20, 2025.

SonicWall attributes these unauthorized logins to exploitation of CVE-2024-40766, an improper access control flaw disclosed in September 2024.

In late July 2025, Arctic Wolf Labs detected a surge of suspicious login attempts against SonicWall SSL VPN services.

Credentials harvested from vulnerable devices appear to remain valid even on patched firewalls, enabling ...


Copyright of this story solely belongs to gbhackers.