SonicWall SSL VPN devices have become targets of Akira ransomware attacks, with a significant increase in activity noted since July 2025. Pre-ransomware intrusions involved VPN access through these devices. There are indications that a zero-day vulnerability may be exploited, considering some incidents impacted fully-patched appliances. The first surge in attacks was documented on July 15, 2025, with prior malicious logins observed from October 2024. Organizations are advised to disable SSL VPN services and employ multi-factor authentication, while Akira actors have extorted approximately $42 million since their emergence in March 2024.
The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although attacks dating back to October 2024 suggest sustained efforts to target the devices.
A short interval was observed between initial SSL VPN account access and ransomware encryption, contrasting with legitimate logins which typically originate from broadband internet service providers.
Collection
[
|
...
]