Researchers at Arctic Wolf are sounding the alarm about a ransomware campaign that has been ongoing since July 2025 and is still claiming victims. What started as a series of breaches via SonicWall firewalls has now grown into one of the fastest and most dangerous attacks currently in circulation. New research shows that even devices with the latest firmware remain vulnerable.
The criminals behind Akira ransomware work with unprecedented speed. Whereas ransomware attacks normally require days or weeks of preparation, the attackers in this campaign often deploy their ransomware within an hour. That makes the threat particularly dangerous for organizations that do not monitor closely.
The attacks begin with login attempts via SonicWall SSL VPNs. Shortly after successful access, scans of the internal network and attempts to penetrate further via Windows environments follow. It often takes less than five minutes before the first internal movements are visible. File encryption follows at record speed.
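The sequence described above (SSL VPN login, then internal scanning within five minutes) can be turned into a correlation rule. The following is an added example, not code from Arctic Wolf or SonicWall; the normalized event schema, the port list and the host threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # "less than five minutes" per the article
MIN_HOSTS = 5                          # assumed threshold; tune per environment
SCAN_PORTS = {135, 445, 3389, 5985}    # assumed Windows-facing ports (RPC, SMB, RDP, WinRM)

# Constructed sample events in a hypothetical normalized schema:
# (timestamp, kind, user, vpn_assigned_ip, dst_ip, dst_port)
EVENTS = [
    ("2025-08-01T02:14:05", "vpn_login", "svc_backup", "10.8.0.23", None, None),
    ("2025-08-01T02:15:40", "conn", None, "10.8.0.23", "10.0.1.10", 445),
    ("2025-08-01T02:15:41", "conn", None, "10.8.0.23", "10.0.1.11", 445),
    ("2025-08-01T02:15:41", "conn", None, "10.8.0.23", "10.0.1.12", 445),
    ("2025-08-01T02:15:42", "conn", None, "10.8.0.23", "10.0.1.13", 3389),
    ("2025-08-01T02:15:43", "conn", None, "10.8.0.23", "10.0.1.14", 135),
    ("2025-08-01T09:00:00", "vpn_login", "alice", "10.8.0.40", None, None),
    ("2025-08-01T09:01:30", "conn", None, "10.8.0.40", "10.0.2.5", 445),
    ("2025-08-01T09:20:00", "conn", None, "10.8.0.40", "10.0.2.6", 3389),
]

def detect(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Alert on each VPN login followed by fan-out to >= min_hosts internal hosts."""
    ordered = sorted(events, key=lambda e: e[0])  # ISO timestamps sort as strings
    alerts = []
    for ts, kind, user, vpn_ip, _, _ in ordered:
        if kind != "vpn_login":
            continue
        start = datetime.fromisoformat(ts)
        # Connections from the VPN-assigned address inside the window
        hits = [(datetime.fromisoformat(t), dst)
                for t, k, _, src, dst, port in ordered
                if k == "conn" and src == vpn_ip and port in SCAN_PORTS
                and start <= datetime.fromisoformat(t) <= start + window]
        hosts = {dst for _, dst in hits}
        if len(hosts) >= min_hosts:
            first = min(t for t, _ in hits)
            alerts.append({
                "user": user, "vpn_ip": vpn_ip, "login": ts,
                "hosts": len(hosts),
                "secs_to_first_move": int((first - start).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Because encryption can follow within the hour, an alert like this is only useful if it triggers an immediate response such as terminating the VPN session, not a next-day review.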
According to SonicWall, the attackers are exploiting a vulnerability discovered in 2024, CVE-2024-40766. Although patches have been released for it, previously stolen passwords remain usable. It is striking that criminals even gain access to accounts that are secured with a one-time password as a second factor. Researchers suspect that this is made possible by reusing previously stolen OTP seeds to generate new codes.
MFA is not foolproof either
This suspicion is in line with earlier findings by Google Threat Intelligence Group. They described a similar campaign in which OTP seeds were misused to log in, even on fully updated devices. This suggests that the problem is bigger than one specific wave of attacks and confirms that MFA is not always watertight.
Once inside, the attackers waste no time. They often immediately target backup systems, including Veeam Backup & Replication. Using their own PowerShell script, they extract stored passwords from databases, giving them access to critical servers. Security software is no insurmountable obstacle either: using an attack technique that exploits legitimate drivers, they disable endpoint protection to allow the ransomware to run unhindered.
Even devices running SonicOS 7.3.0, the recommended version, have been affected. This makes it clear that updating alone is not enough. Arctic Wolf and SonicWall therefore strongly recommend resetting all SSL VPN login credentials that have ever been used on vulnerable devices.