In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access. Across the intrusions reviewed, multiple pre-ransomware intrusions occurred within a short period of time, each involving VPN access through SonicWall SSL VPNs.
While credential access through brute force, dictionary attacks, and credential stuffing has not yet been definitively ruled out in all cases, the available evidence points to the existence of a zero-day vulnerability. In some instances, fully patched SonicWall devices were affected even after credential rotation, and accounts were compromised despite TOTP MFA being enabled.
Arctic Wolf Labs is currently conducting research into this campaign and will share additional details as they become available.
Akira Ransomware
The most recent uptick in ransomware activity involving SonicWall SSL VPNs began as early as July 15, 2025, although similar malicious VPN logins have been observed to some extent since at least October 2024. As in the ransomware activity described in our earlier research, a short interval was observed between initial SSL VPN account access and ransomware encryption.
In contrast with legitimate VPN logins, which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server (VPS) hosting for VPN authentication in compromised environments.
Arctic Wolf is a customer of its own products/services and will follow the same recommendations outlined for our customers in this Security Bulletin.
Recommendations
Disable SonicWall SSL VPN
Given the high likelihood of a zero-day vulnerability, organizations should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.
Configure SonicWall Integration with Arctic Wolf MDR
To provide early visibility and alerting for the threats described in this bulletin, Arctic Wolf customers can enable SonicWall log monitoring through the Arctic Wolf® Managed Detection and Response service. To configure this integration, see the following documentation page.
Install Arctic Wolf Agent and Sysmon
Arctic Wolf Agent and Sysmon provide Arctic Wolf with visibility into events needed to identify tools, techniques, and tactics involved in this campaign.
For instructions on how to install Arctic Wolf Agent, see the below install guides:
If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.
Implement Best Practices Recommended by SonicWall
SonicWall recommends the following security best practices for hardening firewall security posture:
- Enable Security Services: Ensure services such as Botnet Protection are active. These services help detect threat actors known to target SSLVPN endpoints.
- Enforce Multi-Factor Authentication (MFA): MFA should be enabled for all remote access to reduce the risk of credential abuse.
- Remove Unused Accounts: Delete any inactive or unused local firewall user accounts, particularly those with SSLVPN access.
- Practice Good Password Hygiene: Encourage periodic password updates across all user accounts.
Please note that while these steps are general best practices, they are not guaranteed to mitigate the threat described in this bulletin.
Block VPN Authentication from Hosting-Related ASNs
To reduce exposure to malicious VPN activity associated with this campaign, review the listed hosting-related ASNs and consider blocking their corresponding CIDR ranges for VPN authentication.
Note: The networks described below are not inherently malicious, but when used to authenticate against VPNs, matching network activity may be considered suspicious under some circumstances. Blocking all traffic from these ASNs without limiting to VPN authentication is likely to cause operational disruption. Additionally, please note that these ASNs may include IP addresses associated with privacy VPN providers.
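The following is an added example, not code from Arctic Wolf or SonicWall, showing how a defender might apply the two points above: flagging VPN authentication events whose source address falls in a hosting-related range, while deliberately ignoring non-VPN traffic from the same ranges. The bulletin's ASN list is not reproduced here, so the CIDR ranges below are RFC 5737 documentation-range placeholders, and the event records and their field names (`ts`, `user`, `src_ip`, `event`) are constructed for this example rather than taken from real SonicWall log output.

```python
import ipaddress
from typing import Iterable

# Placeholder CIDR ranges standing in for the hosting-related ASN ranges the
# bulletin refers to. Assumption: the real list is not reproduced on this page,
# so RFC 5737 documentation ranges are used as constructed stand-ins.
HOSTING_CIDRS = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
]

# Event types that represent SSL VPN authentication. Only these are evaluated,
# so a hosting-range source that merely reaches a public web service is not
# flagged; the bulletin warns that treating all traffic from these ASNs as
# suspicious causes operational disruption.
VPN_AUTH_EVENTS = {"sslvpn_auth_success", "sslvpn_auth_failure"}


def load_ranges(cidrs: Iterable[str]) -> list:
    """Parse CIDR strings once; a malformed entry raises instead of silently
    widening or narrowing the match set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_hosting_ip(ip: str, networks: list) -> bool:
    """True when ip falls inside any of the parsed hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def flag_vpn_logins_from_hosting(events: list, networks: list) -> list:
    """Return only the VPN authentication events sourced from a hosting range.

    Both successes and failures are kept: a failure burst from a VPS range is
    an early signal, and a success from one is the case this bulletin describes.
    """
    flagged = []
    for ev in events:
        if ev["event"] not in VPN_AUTH_EVENTS:
            continue
        if is_hosting_ip(ev["src_ip"], networks):
            flagged.append(ev)
    return flagged


# Constructed sample events (not real SonicWall log output; the field names are
# assumptions made for this example).
SAMPLE_EVENTS = [
    {"ts": "2025-07-15T02:14:09Z", "user": "jdoe", "src_ip": "198.51.100.23", "event": "sslvpn_auth_success"},
    {"ts": "2025-07-15T08:30:41Z", "user": "asmith", "src_ip": "100.64.10.5", "event": "sslvpn_auth_success"},
    {"ts": "2025-07-15T09:02:17Z", "user": "-", "src_ip": "203.0.113.77", "event": "web_request"},
    {"ts": "2025-07-15T11:45:03Z", "user": "jdoe", "src_ip": "192.0.2.250", "event": "sslvpn_auth_failure"},
]


def main() -> None:
    nets = load_ranges(HOSTING_CIDRS)
    for ev in flag_vpn_logins_from_hosting(SAMPLE_EVENTS, nets):
        print(f"{ev['ts']} user={ev['user']} src={ev['src_ip']} "
              f"{ev['event']}: VPN authentication from hosting-related range")


if __name__ == "__main__":
    main()
```

Run against the constructed events, the script reports the two SSL VPN authentication events from placeholder hosting ranges and stays silent on the `web_request` from the same range, which is the distinction the note above draws between blocking VPN authentication and blocking all traffic. Substituting the bulletin's own ASN-derived CIDR list for `HOSTING_CIDRS` and feeding real VPN authentication events into `flag_vpn_logins_from_hosting` is the intended use.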
Note: Some additional IOCs provided in our October 2024 research may still be valid, but have not yet been observed in the most recent cluster of malicious activity.