
Important Security Advisory: Akira Ransomware

The NormCyber SOC Analysts are alerting customers to a new wave of ransomware attacks linked to suspected exploitation of SonicWall SSL VPN appliances (Gen 7).

Organisations are advised to treat this as an active threat and maintain heightened vigilance until further notice. 

Summary of the Threat 

  • Affected Devices: SonicWall Gen 7 SSL VPNs 
  • Threat Actor: Akira ransomware group 
  • CVSS Severity: 9.8 – Critical 

Current intelligence suggests Akira operators may be exploiting a zero-day vulnerability to gain initial access, potentially bypassing standard controls, including multi-factor authentication (MFA). Notably, even fully patched devices have been compromised. 

This represents a targeted, fast-moving campaign focused on remote access technologies. In many cases, ransomware is being deployed within hours of access being gained. 

What’s Happening

  • Akira ransomware is targeting SonicWall SSL VPNs as a primary entry point into corporate networks. 
  • Initial access is achieved through VPN authentication, either via stolen credentials or a suspected zero-day. 
  • Attackers are escalating quickly from access to ransomware deployment, often within a short timeframe. 
  • Activity has been observed across multiple sectors, with a strong geographic focus on European organisations, including the UK. 

    Immediate Recommendations 

    If your organisation uses SonicWall appliances (Gen 7 or otherwise), Norm recommends the following steps: 

    1. Disable SSL VPN access if not business-critical. 
    2. Restrict VPN access to trusted IP addresses only. 
    3. Block authentication attempts from the following hosting-related ASNs: 
      – AS23470: ReliableSite.Net LLC 
      – AS215540: Global Connectivity Solutions LLP 
      – AS64236: UnReal Servers, LLC 
      – AS14315: 1GSERVERS, LLC 
      – AS62240: Clouvider Limited 
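
To support step 3, the sketch below reviews exported VPN login records for source addresses that fall inside the listed ASNs. It is an added example, not NormCyber or SonicWall code; the prefix table, the log columns and the sample rows are constructed placeholders and must be replaced with real IP-to-ASN data and your own export format.

```python
import csv
import io
import ipaddress

# ASNs the bulletin recommends blocking for VPN authentication.
FLAGGED_ASNS = {
    23470: "ReliableSite.Net LLC",
    215540: "Global Connectivity Solutions LLP",
    64236: "UnReal Servers, LLC",
    14315: "1GSERVERS, LLC",
    62240: "Clouvider Limited",
}

# CONSTRUCTED prefixes (RFC 5737 documentation ranges); load real ones from your data.
PREFIX_TO_ASN = [
    (ipaddress.ip_network("192.0.2.0/24"), 23470),
    (ipaddress.ip_network("198.51.100.0/25"), 62240),
    (ipaddress.ip_network("203.0.113.0/24"), 64500),  # documentation ASN, not flagged
]

# CONSTRUCTED login export with hypothetical columns (not a SonicWall format).
SAMPLE_LOG = """timestamp,user,src_ip,result
2025-01-01T02:14:07Z,svc-backup,198.51.100.9,failure
2025-01-01T02:15:40Z,j.smith,192.0.2.44,success
2025-01-01T08:59:12Z,a.jones,203.0.113.20,success
2025-01-01T09:03:31Z,a.jones,198.51.100.200,success
2025-01-01T09:10:00Z,m.lee,not-an-ip,failure
"""

def asn_for(ip):
    """Longest-prefix match against PREFIX_TO_ASN; None if no prefix covers ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in PREFIX_TO_ASN if addr in net]
    return max(matches)[1] if matches else None

def flag_logins(log_text):
    """Return login rows from flagged ASNs, successful logins first."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            asn = asn_for(row["src_ip"].strip())
        except ValueError:
            continue  # unparseable source address; review such rows separately
        if asn in FLAGGED_ASNS:
            hits.append({**row, "asn": asn, "org": FLAGGED_ASNS[asn]})
    return sorted(hits, key=lambda h: h["result"] != "success")

if __name__ == "__main__":
    print(*flag_logins(SAMPLE_LOG), sep="\n")
```

A successful login from one of these ASNs deserves immediate review, since the bulletin notes that ransomware is often deployed within hours of access.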

    This campaign highlights the growing risk posed by internet-facing infrastructure, particularly VPNs, firewalls, and edge devices, which are often outside the scope of endpoint detection and response (EDR) coverage. 

    If you’re unsure whether SonicWall appliances are in use within your organisation, or need help reviewing current configurations, please get in touch with us. 

    What NormCyber Is Doing

    • Our Threat Intelligence Team is actively tracking the situation and sharing findings in real-time with our SOC. 
    • Detection rules have been updated, and our SOC is monitoring for known Akira tactics, techniques, and procedures (TTPs).
    • Customers with known SonicWall deployments have already been contacted with specific guidance and support.
    • We will continue to share updates as more intelligence becomes available. 

    If you have any concerns or require a technical review, please email us directly at info@normcyber.com 

