Akira Ransomware, a relatively new variant that first emerged in March 2023, has rapidly intensified its operations, with a recent focus on compromising SonicWall SSL VPN devices. As of early 2024, the group had extorted at least $42 million from more than 250 victims. In late July 2025, attacks began to increase at an alarming rate. This has led to grave concerns in the cybersecurity community about the existence of a zero-day vulnerability affecting devices with the latest patches deployed.
This new wave of Akira Ransomware attacks against SonicWall SSL VPNs started on July 15, 2025. As Arctic Wolf Labs researcher Julian Tuin explained, this increase in activity is part of a larger trend. The analysis showed a series of pre-ransomware intrusions happening over just a few days or weeks, sometimes including breached access through SonicWall devices.
Significant Financial Impact
As of January 2024, Akira Ransomware actors have targeted more than 250 victims. According to their own reported figures, they have since gained over $42 million in illegal proceeds from these attacks. The financial impact of these attacks has made organizations take a step back and reassess their security.
According to Check Point, Akira was the second most active ransomware group in Q2 of 2025, targeting 143 victims in that timeframe. Only Qilin was more active during this period. The data also shows a more targeted approach: according to Check Point, Akira focuses disproportionately on Italy, with 10% of its victims being Italian companies, compared to only 3% of attacks in the ecosystem at large.
Exploitation of Vulnerabilities
At this time, security experts are still trying to determine the specifics of this potential security flaw. They believe that Akira Ransomware is exploiting a zero-day vulnerability in SonicWall’s SSL VPN devices. This concern is exacerbated by reports that some of these incidents have targeted SonicWall appliances with the latest patches fully installed.
In his remarks, Julian Tuin underscored the gravity of the situation. He noted that there were several pre-ransomware intrusions in short order, each involving VPN access through SonicWall SSL VPNs or a similar pattern. This observation highlights the exposure facing organizations that are not taking proactive steps beyond the bare minimum.
Cybersecurity experts strongly recommend that organizations disable the SonicWall SSL VPN service on any device under their control until a patch is developed and deployed. This simple precaution would go a long way toward reducing the risk of continuing Akira Ransomware attacks.
Ongoing Investigations
As the investigation into Akira Ransomware continues, many questions about the group’s operations and targets remain unanswered. Questions sent to SonicWall about its handling of these attacks have also gone unanswered.
Attackers have steadily targeted SonicWall devices since at least October of 2024. This disturbing trend is indicative of the Akira group’s long-term strategy to undermine these systems. As the cybersecurity threat landscape continues to change, organizations need to stay aware of, and act proactively against, emerging threats such as Akira Ransomware.