
Akira Ransomware: How It Bypasses MFA on SonicWall VPNs

Written by Levi Yoris | Sep 29, 2025 5:25:10 PM

Since July 2025, the Akira ransomware has been putting organizations worldwide on edge by exploiting vulnerabilities in SonicWall SSL VPNs. The alarming part? Even with passwords and multi-factor authentication (MFA) enabled, attackers are successfully breaching corporate networks. This not only exposes critical data but also shows how cybercrime sophistication is outpacing traditional defenses.

At TecnetOne, we’ll explain what’s happening, how this threat works, and the practical steps you can take to reduce risk in your organization.

The Root Cause: CVE-2024-40766

Attackers appear to be leveraging CVE-2024-40766, a critical flaw in SonicWall devices that was disclosed months earlier. Although the company issued patches to strengthen protection against brute-force attacks and MFA issues, many credentials stolen during the initial exploitation remain valid even after the firmware has been updated.

In practice, this means that even if you’ve applied updates, your devices may still be at risk if they were exposed at the time.

How Attackers Evade MFA

The most unsettling aspect is that attackers aren’t just using stolen credentials—they also seem to have compromised OTP seeds, enabling them to bypass MFA entirely.

In over 50% of analyzed intrusions, criminals authenticated into accounts with OTP enabled. This raises a troubling reality: measures once seen as the “last line of defense” are no longer enough.

Akira’s Attack Pattern

Once inside the VPN, attackers move with surgical speed. In under five minutes, they’re scanning the internal network for vulnerabilities and access to services like RPC, NetBIOS, SMB, and SQL.

Common steps include:

  1. Using tools like SoftPerfect or Advanced IP Scanner to map the network.
  2. Lateral movement with Impacket, RDP, and WMIExec techniques.
  3. Active Directory enumeration using BloodHound or ldapdomaindump.
  4. Creating local/domain accounts (examples: sqlbackup, veean) to maintain persistence.
  5. Installing RMMs such as AnyDesk, TeamViewer, or RustDesk.
  6. Leveraging Cloudflare Tunnel or reverse SSH to remain hidden.

Within hours—sometimes less than 60 minutes—attackers have already packaged sensitive data with WinRAR, exfiltrated it using tools like rclone or FileZilla, and deployed ransomware to multiple critical directories.

Advanced Evasion Techniques

Akira is not just another ransomware. Its techniques include:

  1. Deleting local backups (Volume Shadow Copies).
  2. Disabling antivirus and EDR using Bring Your Own Vulnerable Driver (BYOVD) tricks.
  3. Repackaging legitimate Microsoft tools like consent.exe to blend in.
  4. Modifying database configurations to steal Veeam and backup service credentials.

The result: in less than half a day, attackers can encrypt your entire network and steal sensitive information, leaving you with two crises—data loss and extortion.

How to Protect Yourself

At TecnetOne, we believe prevention remains your strongest ally. Key recommendations:

  1. Reset all credentials if you’ve ever used SonicWall versions vulnerable to CVE-2024-40766.
  2. Review and renew OTP seeds: if stolen, MFA no longer protects you.
  3. Segment your network to limit the impact of an initial breach.
  4. Monitor your VPN logs: simultaneous logins or VPS-based access are clear signs of compromise.
  5. Harden Active Directory security: review permissions and disable unused accounts.
  6. Deploy managed detection and response (MDR) solutions to spot suspicious movements in real time.
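The log-monitoring recommendation above can be turned into a small detector. The Python script below is an added example, not code from this article, from TecnetOne or from SonicWall: it scans VPN authentication log lines for the two signals named above, the same account logging in from two different source addresses within a short window, and successful logins from hosting/VPS address ranges. The log line format, the sample lines and the VPS ranges are all constructed for illustration (documentation address space, not real provider allocations); adapt the regular expression to your appliance's syslog output and load a real threat-intel list of hosting ranges in practice.

```python
"""
Added example (not from the TecnetOne article): flag VPN logins that match the
indicators the article lists, concurrent logins for one user from different
source addresses and logins from hosting/VPS address ranges.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log format. Real appliances use their own syslog
# layout; only the regex needs to change to parse it.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SSLVPN user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>\S+)$"
)

# Constructed placeholder ranges (RFC 5737 documentation space), standing in for
# a real list of hosting/VPS provider networks.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample log lines: jdoe logs in twice within two minutes from two
# different addresses, the second one inside a "VPS" range.
SAMPLE_LOGS = """\
2025-09-28 08:01:12 SSLVPN user=jdoe src=192.0.2.10 result=success
2025-09-28 08:02:40 SSLVPN user=jdoe src=203.0.113.77 result=success
2025-09-28 08:30:05 SSLVPN user=asmith src=192.0.2.55 result=success
2025-09-28 09:10:00 SSLVPN user=bkhan src=192.0.2.60 result=failure
2025-09-28 12:00:00 SSLVPN user=asmith src=192.0.2.56 result=success
""".splitlines()


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict; return None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def is_vps_address(ip: str) -> bool:
    """True if the source address falls inside one of the hosting/VPS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def find_concurrent_logins(events, window=timedelta(minutes=10)):
    """Flag a user whose consecutive successful logins come from different
    source addresses within `window`. One person rarely does that; a stolen
    credential plus OTP seed being used alongside the real user does."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["src"] != cur["src"] and cur["ts"] - prev["ts"] <= window:
                findings.append((user, prev["src"], cur["src"]))
    return findings


def find_vps_logins(events):
    """Successful logins originating from a hosting/VPS range."""
    return [(ev["user"], ev["src"]) for ev in events
            if ev["result"] == "success" and is_vps_address(ev["src"])]


def analyze(lines):
    """Run both checks over raw log lines and return the findings by category."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return {"concurrent": find_concurrent_logins(events), "vps": find_vps_logins(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOGS).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Running the script prints one finding of each kind for jdoe; asmith's two logins from different addresses are hours apart and stay below the window, which is the point of keeping a time bound rather than alerting on every address change. Feed the real appliance log into `analyze()` and forward its output to your SIEM or MDR provider.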

Why You Need Expert Support

The Akira case is a reminder that even with patches and MFA enabled, attackers can still find ways in. The difference between a scare and a catastrophe lies in your ability to detect and respond quickly.

At TecnetOne, we work with our partners to deliver advanced cybersecurity solutions—including 24/7 monitoring, vulnerability management, Red Team simulations, and critical infrastructure protection.

Don’t wait to become the next victim. Attackers already know where to look, and if your VPN is a weak point, they will try sooner or later.