Akira ransomware Leaksite
Arctic Wolf has observed a major uptick in Akira ransomware activity since late July 2025, with attackers aggressively targeting SonicWall SSL VPN accounts. The campaign remains ongoing, with fresh infrastructure tied to it observed as recently as September 20, 2025.
Akira affiliates are exploiting stolen credentials, even in environments where multi-factor authentication (MFA) is enabled. According to the report, “Threat actors are accessing SSL VPN accounts through credentials likely to have been previously exfiltrated with CVE-2024-40766, including accounts with OTP MFA enabled.”
The campaign reflects Akira’s long-standing focus on VPNs. Past operations have abused like CVE-2023-20269 in Cisco ASA and CVE-2020-3259 in Cisco AnyConnect.
Perhaps the most alarming element is the extremely short dwell time. Arctic Wolf warns: “In dozens of recent intrusions, attackers moved from credential access to lateral movement, exfiltration, and encryption in under four hours—with some as fast as 55 minutes.”
This accelerated timeline leaves defenders very little room to detect and respond before ransomware detonation.
To stay ahead of detection, the group continuously shifts its infrastructure. “Threat actors are rotating VPS-based client infrastructure, attempting to evade detection.”
Indicators of compromise include logins originating from VPS hosting providers rather than traditional broadband or enterprise networks—an anomaly that defenders can monitor.
Victimology spans industries and company sizes, suggesting mass exploitation. As the report notes, “Victims span multiple industries and organisation sizes, indicating opportunistic mass exploitation rather than targeted intrusions.”
SonicWall confirmed links to CVE-2024-40766 exploitation, advising that even patched devices may be at risk if credentials were stolen before updates. They recommend:
- Reset all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets.
- Update to SonicOS 7.3.0, which introduces brute-force and MFA hardening.
- Remove unused accounts and enforce MFA across all remote access.
- Enable Botnet Protection and other services.
