SonicWall VPNs are being targeted by a new zero-day in ransomware attacks
There's been an uptick in malicious VPN logins lately

- From mid-July 2025, there's been an uptick in malicious logins
- Researchers speculate criminals found a zero-day
- Users are advised to strengthen their cybersecurity posture
There is a chance SonicWall SSL VPN devices are carrying a zero-day vulnerability that Akira’s cybercriminals discovered, and are now using in the wild.
Since mid-July this year, researchers at Arctic Wolf Labs have observed an uptick in malicious logins, all coming through SonicWall SSL VPN instances. Because some of the affected endpoints were fully patched at the time of the intrusion, the researchers speculate that the devices may contain a zero-day flaw.
However, they haven’t ruled out the possibility that the attackers just obtained a set of active login credentials from somewhere and used them to gain access.
On the FBI's radar
In any case, organizations that suffered these malicious logins also got infected with the Akira ransomware soon after.
"A short interval was observed between initial SSL VPN account access and ransomware encryption," the researchers explained. "In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments."
Until SonicWall comes forward with a patch, or at least an explanation, businesses using these VPNs are advised to enforce multi-factor authentication (MFA), delete inactive and unused firewall accounts, and make sure their passwords are fresh, strong, and unique.
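As an added illustration of the Arctic Wolf heuristic quoted above and the account-hygiene advice that follows it (example code written for this article, not from the researchers or from SonicWall), the script below flags successful SSL VPN logins whose source address falls in a hosting/VPS range and lists accounts with no recent successful login. The log format, IP addresses and prefix table are constructed stand-ins for real device logs and a real ASN or IP-intelligence lookup.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed, simplified SSL VPN login records (not real SonicWall log output).
SAMPLE_LOGS = [
    "2025-07-15T08:02:11Z user=jdoe src=203.0.113.45 event=sslvpn_login_ok",
    "2025-07-15T08:05:40Z user=svc-backup src=198.51.100.7 event=sslvpn_login_ok",
    "2025-07-15T09:17:03Z user=asmith src=192.0.2.88 event=sslvpn_login_fail",
    "2025-07-16T02:44:19Z user=svc-backup src=198.51.100.9 event=sslvpn_login_ok",
]

# Constructed prefix table standing in for an ASN / IP-intelligence lookup that
# says whether a source network is a consumer ISP or a VPS/hosting provider.
NETWORK_TYPES = {
    ipaddress.ip_network("203.0.113.0/24"): ("Example Broadband ISP", "isp"),
    ipaddress.ip_network("198.51.100.0/24"): ("Example VPS Hosting", "hosting"),
    ipaddress.ip_network("192.0.2.0/24"): ("Example Broadband ISP", "isp"),
}

def parse_line(line):
    """Split one 'timestamp key=value ...' record into a dict with a parsed ts."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def classify_source(ip):
    """Return (organisation, kind) for an address, or unknown if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, (org, kind) in NETWORK_TYPES.items():
        if addr in net:
            return org, kind
    return "unknown", "unknown"

def flag_hosting_logins(lines):
    """Successful VPN logins whose source sits in a hosting/VPS network."""
    flagged = []
    for rec in map(parse_line, lines):
        if rec["event"] != "sslvpn_login_ok":
            continue
        org, kind = classify_source(rec["src"])
        if kind == "hosting":
            flagged.append((rec["user"], rec["src"], org))
    return flagged

def stale_accounts(accounts, lines, now, max_idle_days=90):
    """Accounts with no successful login within max_idle_days before `now`."""
    last_seen = {}
    for rec in map(parse_line, lines):
        if rec["event"] == "sslvpn_login_ok":
            u = rec["user"]
            last_seen[u] = max(last_seen.get(u, rec["ts"]), rec["ts"])
    return sorted(a for a in accounts
                  if a not in last_seen or (now - last_seen[a]).days > max_idle_days)
```

A production version would replace NETWORK_TYPES with a live ASN feed and correlate flagged logins with the firewall's own account list rather than a hard-coded one.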
Akira is a ransomware strain that first appeared in March 2023, targeting businesses across various sectors. It is known for gaining the initial foothold through compromised VPN credentials and exposed services.
The group targets both Windows and Linux systems, and is known for dismantling backups to hinder recovery. As of mid-2025, Akira has been responsible for attacks on hundreds of organizations globally, including Stanford University, Nissan Australia, and Tietoevry. The group usually directs its victims to contact them via a Tor-based website.
The FBI and CISA have issued warnings about its activity, urging organizations to implement stronger network defenses and multifactor authentication.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.