Akira Ransomware Wave Targets SonicWall Firewall Devices

 

Cybersecurity firms report a late-July surge of Akira ransomware intrusions against SonicWall firewall devices. Evidence points to attackers entering via SonicWall SSL VPN connections and moving to encrypt data shortly after gaining access.

While a previously unknown vulnerability is considered highly plausible, researchers have not ruled out credential-based entry methods such as brute force, dictionary attacks, or credential stuffing. Given the uncertainty, defenders are advised to temporarily disable SonicWall SSL VPN, enhance logging and endpoint monitoring, and block VPN authentications from hosting providers until patches or clearer guidance are available. 

Arctic Wolf detected these SonicWall-linked VPN intrusions beginning July 15, noting that malicious logins have a history dating back to at least October 2024, and that attackers often authenticate from virtual private server infrastructure rather than consumer ISPs. Huntress corroborated Arctic Wolf’s findings and shared indicators of compromise, while additional community discussion appeared on Reddit. The campaign highlights a rapid transition from initial VPN access to encryption, consistent with recent Akira activity patterns. 
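
A defender-side review of the pattern described above (logins from virtual private server infrastructure, and the advice to block VPN authentications from hosting providers), added here as an example that is not from the original article or from any vendor. The log layout, the `HOSTING_NETS` list (RFC 5737 documentation ranges used as stand-ins for a real hosting-provider feed) and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical hosting/VPS ranges (RFC 5737 documentation networks as stand-ins).
# In practice this list would come from an ASN or hosting-provider feed.
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample events in a generic key=value layout, not a vendor log format.
SAMPLE_LOG = """\
time=2025-07-28T02:11:04Z event=sslvpn_login result=failure user=svc_backup src=203.0.113.45
time=2025-07-28T02:11:09Z event=sslvpn_login result=failure user=admin src=203.0.113.45
time=2025-07-28T02:13:30Z event=sslvpn_login result=success user=jdoe src=198.51.100.7
time=2025-07-28T08:02:51Z event=sslvpn_login result=success user=asmith src=192.0.2.10
time=2025-07-28T08:05:00Z event=sslvpn_login result=success user=bad src=not-an-ip
garbled line without fields
"""

KV = re.compile(r"(\w+)=(\S+)")

def hosting_network(src, nets=HOSTING_NETS):
    """Return the matching hosting network for src, or None (also for invalid IPs)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    return next((n for n in nets if addr in n), None)

def review_vpn_logins(log_text, nets=HOSTING_NETS):
    """Split SSL VPN logins from hosting ranges into successes and failure counts."""
    successes, failures = [], Counter()
    for line in log_text.splitlines():
        ev = dict(KV.findall(line))
        if ev.get("event") != "sslvpn_login" or "src" not in ev:
            continue  # unrelated or malformed line
        net = hosting_network(ev["src"], nets)
        if net is None:
            continue  # non-hosting or unparseable source: not flagged here
        if ev.get("result") == "success":
            successes.append((ev.get("time"), ev.get("user"), ev["src"], str(net)))
        else:
            failures[ev["src"]] += 1  # repeated failures suggest credential guessing
    return successes, failures

if __name__ == "__main__":
    ok, failed = review_vpn_logins(SAMPLE_LOG)
    for row in ok:
        print("REVIEW successful login from hosting range:", row)
    for src, n in failed.items():
        print(f"{n} failed login(s) from hosting source {src}")
```

Successful logins from hosting ranges are the entries to triage first; the failure counts per source help separate credential guessing from a single clean authentication.
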
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
