Cybersecurity experts are raising alarms as the Akira ransomware group continues to pose a significant threat in the ransomware landscape since its emergence in March 2023. Akira has abused SonicWall SSL VPNs for initial access, and as of today this campaign has claimed a shocking 967 victims. The trend has prompted heightened awareness and concern among organizations worldwide, particularly in Australia, where the Australian Cyber Security Centre (ACSC) has confirmed that Akira has targeted vulnerable entities through SonicWall devices.
To get a sense of how the Akira group operates, consider how it used Bumblebee malware to deploy the AdaptixC2 post-exploitation framework. This tactic lets the group run adversary-emulation tooling for its post-exploitation work more efficiently. In addition, the group has deployed RustDesk on infected devices to gain persistent remote access, which allows it to exfiltrate sensitive data from its targets and then deploy ransomware with greater impact throughout its attacks.
Exploiting Vulnerabilities in SonicWall
SonicWall has recently raised alarms over critical misconfigurations in the LDAP SSL VPN Default User Group setting, terming the gap a “critical Achilles heel” that malicious actors can target when carrying out an Akira ransomware attack. The vendor has advised affected users to review their configurations to reduce exposure and limit risk.
As a result, Akira has already managed to bypass the Active Directory group-based access controls that administrators intended to enforce, shortening the attackers’ route past the network perimeter. This misconfiguration is a huge liability for organizations that depend on these systems for their security.
“This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory.” – SonicWall
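To make the exposure concrete, here is an added Python example (not SonicWall’s code or configuration) that reconciles who actually ends up with SSL VPN access under the default-group behaviour against who is authorised by Active Directory group membership. The user names, the group names and the `VPN-Users` group are constructed for illustration, and the setting is modelled as a simple boolean rather than any real SonicWall API.

```python
"""Added audit example (not SonicWall's code): model the LDAP SSL VPN
'Default User Group' behaviour and list the accounts it over-grants.

With the default-group setting on, every successfully authenticated LDAP
user lands in the predefined local group regardless of AD membership; with
it off, only users whose AD groups include the VPN group are admitted.
"""

# Constructed sample data: hypothetical users and AD group memberships.
AD_GROUPS = {
    "alice": {"Domain Users", "VPN-Users"},
    "bob":   {"Domain Users"},
    "carol": {"Domain Users", "VPN-Users"},
    "dave":  {"Domain Users", "Contractors"},
}
# Users who presented valid LDAP credentials to the VPN (constructed).
AUTHENTICATED = ["alice", "bob", "carol", "dave"]
# The AD group administrators intend to gate VPN access on (hypothetical).
VPN_GROUP = "VPN-Users"


def effective_vpn_users(authenticated, ad_groups, vpn_group, default_group_enabled):
    """Return the set of users who end up in the VPN-permitted local group."""
    granted = set()
    for user in authenticated:
        if default_group_enabled:
            # Weak setting: authentication alone is enough, AD groups ignored.
            granted.add(user)
        elif vpn_group in ad_groups.get(user, set()):
            # Corrected setting: membership in the intended AD group is required.
            granted.add(user)
    return granted


def over_granted(authenticated, ad_groups, vpn_group, default_group_enabled):
    """Users holding VPN access who are NOT members of the intended AD group.

    This is the set a defender wants to be empty: each entry is an account
    that can reach the VPN purely because it could authenticate to LDAP.
    """
    have = effective_vpn_users(authenticated, ad_groups, vpn_group, default_group_enabled)
    should = {u for u in authenticated if vpn_group in ad_groups.get(u, set())}
    return sorted(have - should)


if __name__ == "__main__":
    for enabled in (True, False):
        extra = over_granted(AUTHENTICATED, AD_GROUPS, VPN_GROUP, enabled)
        print(f"default_group_enabled={enabled}: over-granted accounts = {extra}")
```

Run against a real export of AD memberships and the appliance’s list of authenticated users, a non-empty `over_granted` result is the list of accounts to review before tightening the setting.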
In a report by Rapid7, the firm documented the rise of SonicWall-based attacks, identifying Akira as one of the main actors behind the increase. The report highlights a major jump in SonicWall-based attacks over the last quarter, an increase that is quite exceptional.
“This represents a large increase over the past quarter in terms of SonicWall-based attacks,” – Rapid7
Tactics and Techniques Employed by Akira
Akira uses a number of techniques to improve its overall attack approach. One particularly insidious technique is SEO poisoning, which steers victims to trojanized installers for commonly used IT management suite tools. These malicious installers drop the Bumblebee malware loader onto target systems.
By leveraging these tactics, Akira has been involved in at least 79 ransomware attacks impacting industrial entities worldwide during the second quarter of 2025 alone. The group’s flexibility in adopting and combining different attack techniques shows its sophistication and its willingness to go the distance.
“The Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” – Rapid7
Beyond these tactics, Akira’s methodology includes exfiltrating sensitive data before deploying ransomware. That one-two punch maximizes both the harm of the attack and the leverage of the threat, and it raises the likelihood that victims will pay ransom demands.
Recommendations for Organizations
With these persistent challenges in mind, we recommend that organizations act ahead of future threats to safeguard their networks. SonicWall recommends enforcing Account Lockout policies to frustrate password-cracking attempts and enabling Botnet Filtering to block activity from known threat actors. Such measures are easy to implement and go a long way toward decreasing the likelihood of unauthorized access while strengthening your overall cybersecurity posture.
“To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.” – SonicWall
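Account lockout only helps if the failed attempts it is meant to stop are also visible to defenders. As an added example (not SonicWall’s code, and not its real log schema), the Python below runs simple brute-force and password-spray detection over a handful of constructed SSL VPN authentication log lines in a generic syslog-like layout: it flags any source address that racks up a configurable number of failures inside a time window, reports how many distinct usernames it tried, and notes whether a successful login followed the burst. The field names, addresses and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format
# (not SonicWall's actual log layout). Addresses are documentation ranges.
SAMPLE_LOGS = """\
2025-08-01T10:00:01Z sslvpn auth result=fail user=alice src=203.0.113.7
2025-08-01T10:00:03Z sslvpn auth result=fail user=bob src=203.0.113.7
2025-08-01T10:00:05Z sslvpn auth result=fail user=carol src=203.0.113.7
2025-08-01T10:00:07Z sslvpn auth result=fail user=dave src=203.0.113.7
2025-08-01T10:00:09Z sslvpn auth result=fail user=erin src=203.0.113.7
2025-08-01T10:00:11Z sslvpn auth result=success user=erin src=203.0.113.7
2025-08-01T10:05:00Z sslvpn auth result=fail user=alice src=198.51.100.2
2025-08-01T10:30:00Z sslvpn auth result=fail user=alice src=198.51.100.2
2025-08-01T10:31:00Z sslvpn auth result=success user=alice src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Parse log text into (timestamp, result, user, src) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def flag_sources(events, max_failures=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= max_failures failed logins inside `window`.

    For a flagged source, report the size of the burst, how many distinct
    usernames were attempted (many users with few tries each points at a
    spray rather than a single-account brute force) and whether a success
    was logged at or after the last failure of the burst.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, result, user in evs if result == "fail"]
        # Sliding window over the chronologically ordered failures.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= max_failures:
                last_fail = fails[j - 1][0]
                findings[src] = {
                    "failures": j - i,
                    "distinct_users": len({u for _, u in fails[i:j]}),
                    "success_after": any(
                        r == "success" and ts >= last_fail for ts, r, _ in evs
                    ),
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, info in flag_sources(parse(SAMPLE_LOGS)).items():
        print(src, info)
```

A source that trips the threshold and then logs a success is the case to escalate first: it is exactly the pattern an enforced lockout policy is meant to cut short, and the distinct-user count tells you whether to reset one account or look for a spray across many.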
Since July 2023, SonicWall has addressed a growing wave of customer incidents related to Akira attacks, and the total has now reached double digits. This constant threat underscores the need for organizations to reevaluate their security policies and stay on high alert against new threats every day.