A notorious ransomware group has been observed leveraging long‑standing exploits and stolen credentials to slip past MFA protections and execute attacks in as little as one hour.
Tracking the well-known Akira ransomware group, security researchers from Halcyon witnessed hackers abusing CVE-2024-40766 to gain unauthorised access to SonicWall management interfaces and configuration backups on unpatched devices.
They then brute‑forced the MySonicWall Cloud Backup API to steal customer configuration files. These held encrypted credentials that were cracked offline, providing the attackers with valid usernames and passwords – some of which had never been reset, even on patched hardware.
Recovery codes and plaintext credentials found in these environments allowed the threat actors to bypass MFA entirely, letting them log in to portals as if they were legitimate users.
Detailing the hackers’ methods, Halcyon warned that this foothold “rapidly cascades into full domain compromise and the exposure of virtually every sensitive data type in the target environment”, with typical attacks taking less than four hours from initial access to encryption.
This speed is down to Akira’s “intermittent encryption” method, where hackers divide large files into blocks, then encrypt only a portion of each block, leaving the rest unencrypted. In one instance, this tactic allowed the group to shrink the time from access to encryption to just one hour.
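As an added defensive example (not Halcyon's or the article's code), the per-chunk entropy profile below tells apart a wholly encrypted file, an untouched one, and the partial-encryption pattern described above, where only a leading portion of each block is ciphertext; the block size, chunk size, thresholds and sample data are assumed values constructed for the demonstration.

```python
"""Per-chunk entropy scan to spot intermittent (partial) file encryption.

A fully encrypted file is uniformly high-entropy, an intact document is
uniformly low, and a file where only part of each block was encrypted
shows alternating high and low entropy chunks. Assumed parameters only."""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given slice (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = 4096) -> list:
    """Entropy of each consecutive fixed-size chunk of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = 4096, high: float = 7.5, low: float = 6.0) -> str:
    """Return 'plain', 'encrypted', 'intermittent' or 'mixed' from the profile."""
    profile = entropy_profile(data, chunk)
    total = len(profile)
    if total == 0:
        return "empty"
    hi = sum(e >= high for e in profile)
    lo = sum(e <= low for e in profile)
    if hi == total:
        return "encrypted"
    if hi == 0:
        return "plain"
    # a substantial share of both high and low chunks is the partial-encryption signature
    if hi >= 0.2 * total and lo >= 0.2 * total:
        return "intermittent"
    return "mixed"


def constructed_sample(plain: bytes, block: int = 16384, ratio: float = 0.25) -> bytes:
    """Constructed test input: random bytes stand in for ciphertext in the
    first `ratio` of every block; no cipher or key is involved."""
    out = bytearray(plain)
    for start in range(0, len(out), block):
        end = min(start + int(block * ratio), len(out))
        out[start:end] = os.urandom(end - start)
    return bytes(out)


def demo() -> dict:
    """Classify a constructed plain file, a random file and a partial one."""
    plain = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:65536]
    return {"plain": classify(plain), "random": classify(os.urandom(65536)),
            "partial": classify(constructed_sample(plain))}
```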
While this is not a new threat, with SonicWall connecting it to an earlier 2024 CVE and releasing mitigation guidance for CVE-2024-40766 in August last year, Akira has used this initial point of compromise to speed up its attacks, which Halcyon says has allowed the group to compromise hundreds of victims in the last twelve months.
In January, a study by ReliaQuest found that Akira was one of the most prolific ransomware groups of Q4’2025, claiming over 200 victims, with separate reports indicating that the group demands initial ransoms averaging $925,666.
With the prospect of a potential million-dollar payout, Halcyon is urging firms to adopt a layered defence, aligned with mitigating most common ransomware methods.
Organisations should begin by hardening initial access vectors, focusing on exposure from trusted sources and third-party pathways, and look to limit lateral movement and credential abuse through continuous monitoring of remote services and valid accounts.
“Akira’s combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators,” concluded Halcyon’s researchers.
“Organisations that have not yet addressed exposed VPN appliances, legacy credential hygiene, and gaps in MFA enforcement remain at significant risk. Defenders should treat Akira not as an opportunistic threat, but as a capable, persistent adversary that will exploit every available weakness to reach its objective.”