A sophisticated ransomware campaign has been compromising SonicWall SSL VPN appliances since July 2025, delivering Akira ransomware and completing a full network compromise within hours of initial access.
By abusing legitimate credentials and evading multi-factor authentication, attackers establish footholds, conduct reconnaissance with Impacket, and deploy ransomware in rapid succession.
Early detection of anomalous VPN sessions and unusual SMB traffic is vital to interrupt this high-speed threat.
Malicious SSL VPN Access Facilitates Initial Compromise
Starting July 21, 2025, Arctic Wolf Labs observed an increase in successful SSL VPN logins on SonicWall NSA and TZ series devices running SonicOS 6.x and 7.x, including firmware versions 7.3.0–7012 and 8.0.2 a range that encompasses both patched and unpatched systems.
Attackers authenticated from hosting provider ASNs, an uncommon source for legitimate user traffic, and passed OTP-based MFA challenges, suggesting compromised secrets or interception of one-time passwords.
Login events (ID 1080) were immediately followed by internal port scans on RPC (135), NetBIOS (137), and SMB (445), indicating that threat actors weaponize valid VPN sessions to launch internal reconnaissance.
Impacket-Driven Reconnaissance and Lateral Movement
Following VPN authentication, adversaries deploy automated discovery tooling, primarily Python Impacket, to enumerate Active Directory environments. SMB “session setup” requests bearing hostnames such as WINUTIL and DESKTOP-HPLM2TD align with Impacket session signatures.
Concurrently, PowerShell cmdlets (Get-ADUser, Get-ADComputer) and open-source utilities like SharpShares and ldapdomaindump are leveraged to harvest user, group, and share information.
This combination of Impacket and PowerShell enables speedy credential validation, privilege escalation, and mapping of critical infrastructure, all executed from atypical paths under ProgramData.
Rapid Akira Ransomware Deployment and Data Exfiltration
Within an average dwell time of four hours and in some cases under one hour attackers distribute Akira ransomware executables (akira.exe, locker.exe, w.exe) across network shares using command parameters such as -n1 -pD and -sshare.txt.
The ransomware appends a .akira extension to encrypted files and displays a custom ransom note demanding payment in cryptocurrency.
Simultaneous data exfiltration is conducted via WinRAR archival and tools like Rclone or FileZilla, enabling a double-extortion strategy that amplifies victim pressure. This swift kill chain underscores the critical need for pre-encryption detection and network containment.
Organizations can disrupt this campaign by rotating all SSL VPN credentials, especially on devices that once ran firmware before 7.3.0, thereby invalidating harvested secrets. Monitoring for VPN logins from hosting-related ASNs and anomalous OTP successes can flag unauthorized access.
Network intrusion detection should alert on Impacket-style SMB session setups and internal scanning on high-risk ports. Segmentation of VPN users from core servers and restricting lateral SMB traffic will constrain attacker mobility.
Finally, migrating MFA enforcement to centralized identity providers via SAML or LDAP, separate from firewall appliances, reduces the risk of credential replay.
Continuous vigilance against unusual authentication patterns and rapid internal reconnaissance remains essential to defend against this aggressive Akira ransomware threat.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
