NG Solution Team
Technology

Is Akira Ransomware Exploiting a New Vulnerability in SonicWall Devices?

Ransomware attacks targeting SonicWall firewall devices have increased markedly, with the Akira ransomware group at the forefront. These attacks have exploited a potential zero-day vulnerability in SonicWall SSL VPNs, raising serious security concerns. Even where organizations use Time-based One-Time Password (TOTP) multi-factor authentication, attackers have managed to bypass it, compromising accounts on fully updated devices. The attacks are characterized by a rapid escalation from initial access to ransomware deployment, often occurring shortly after credential rotations.

The attack strategy involves using Virtual Private Server hosting infrastructure, which grants attackers anonymity and flexibility. This method has been traced back to October 2024, with a noticeable increase in activity since mid-July 2025. The attackers have shown a sophisticated understanding of network security, targeting multiple sectors with precision.

In response to the threat, organizations are urged to disable SonicWall SSL VPN functionality until a patch is available. Additional recommendations include enhancing logging and monitoring, deploying endpoint detection agents, and adhering to security best practices. Moreover, blocking VPN authentication attempts from specific Autonomous System Numbers (ASNs) linked to malicious activities is advised. The situation remains dynamic, with ongoing investigations into the evolving threat landscape.
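The ASN-based recommendation can be prototyped as a log check before it becomes a firewall rule. The following Python sketch is an added example, not code from the article or from SonicWall: the log format, prefix table, user names and timestamps are constructed, and the ASNs are RFC 5398 documentation numbers used as placeholders because the article names no specific ASNs.

```python
import ipaddress
import re

# Constructed prefix-to-ASN table (RFC 5737 prefixes, RFC 5398 placeholder ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,  # more specific route inside the /24
    "203.0.113.0/24": 64499,
}
# Placeholder blocklist: ASNs the defender has tied to VPS hosting abuse.
BLOCKED_ASNS = {64496, 64498}

# Constructed key=value log lines; not SonicWall's actual log format.
SAMPLE_LOG = """\
time=2025-07-20T02:14:07Z event=sslvpn_login result=success user=svc_backup src=192.0.2.45
time=2025-07-20T02:15:31Z event=sslvpn_login result=failure user=jdoe src=198.51.100.200
time=2025-07-20T08:02:10Z event=sslvpn_login result=success user=asmith src=203.0.113.9
time=2025-07-20T08:05:44Z event=sslvpn_login result=success user=jdoe src=198.51.100.201
time=2025-07-20T08:06:00Z event=sslvpn_login result=success user=tmp src=not-an-ip
"""

# Longest prefix first, so the most specific route decides the ASN.
_NETWORKS = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()),
                   key=lambda item: item[0].prefixlen, reverse=True)

def asn_for(ip_text):
    """Return the ASN of the most specific matching prefix, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed source field: treat as unknown, do not crash
    for net, asn in _NETWORKS:
        if ip.version == net.version and ip in net:
            return asn
    return None

def flag_logins(log_text):
    """Return (time, user, src, asn, result) for VPN logins from blocked ASNs."""
    hits = []
    for line in log_text.splitlines():
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        if f.get("event") != "sslvpn_login":
            continue
        asn = asn_for(f.get("src", ""))
        if asn in BLOCKED_ASNS:
            hits.append((f.get("time"), f.get("user"), f.get("src"), asn, f.get("result")))
    return hits
```

Calling `flag_logins(SAMPLE_LOG)` returns three records; failed attempts are reported alongside successes so that the same list can feed both alerting and a block rule.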
