When you think about protecting your business, the last thing you expect is for your own security tools to become the weak point that opens the door to ransomware. Yet that’s exactly what’s happening. The recent wave of attacks by the Akira group made this painfully clear: a poorly managed solution can be just as dangerous as having no protection at all.
And if you work in technology, security, or lead any business area, this should concern you. Because it doesn’t just expose technical flaws—it also reveals organizational weaknesses affecting both large enterprises and SMEs.
It’s not the technology that fails. It’s how you manage it.
SonicWall: From Defense Tool to Attack Vector
The trigger for this Akira campaign was CVE-2024-40766, an improper access control vulnerability in SonicOS that affects the SSL VPN service. Exploited successfully, it let attackers reach the VPN as if they were legitimate users.
Although SonicWall released a patch in August 2024, along with guidance to reset the passwords of locally managed SSL VPN accounts (especially those carried over from older-generation firewalls), many organizations applied neither in time. That created the perfect scenario: exposed systems, poor configurations, unchanged or weak passwords, and no monitoring.
In short: the door was left open, and Akira walked right in.
Since mid-2025, unauthorized access via these VPNs has exploded. In some cases, only minutes passed between intrusion and ransomware deployment. The attack chain was that fast.
When MFA Can’t Save You Either
If you think multi-factor authentication (MFA) keeps you safe, this case may change your mind.
Akira managed to compromise accounts protected with MFA. How? By stealing the seeds used to generate OTP codes.
An OTP seed is a shared secret: the authenticator app or hardware token and the server both hold it, and every code is derived from that secret and the current time window. Whoever copies the seed can compute every valid code, so the attacker logs in exactly like the real user and the login looks legitimate.
This highlights an uncomfortable truth: MFA is not foolproof if your configurations, tokens, or devices are outdated, poorly managed, or unprotected. A one-time code is only as safe as the seed it is derived from. In cybersecurity, no mechanism works in isolation: it all depends on the ecosystem around it.
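To make the seed-theft point concrete, here is an added example (it is not code from this article, from SonicWall, or from any authenticator vendor): a minimal RFC 6238 TOTP implementation using only Python's standard library. The "stolen seed" scenario is hypothetical; the RFC 6238 reference seed is used only so the arithmetic can be checked against the published test vectors. The point it demonstrates is that the user's device and an attacker holding a copy of the seed compute exactly the same code, and the server has no way to tell them apart.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# RFC 6238 reference seed (ASCII "12345678901234567890") in base32.
# Used here only to validate the math; any real seed would be provisioned via QR code.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)   # tolerate unpadded base32
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                 # dynamic truncation offset
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(seed_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    if at is None:
        at = time.time()
    return hotp(seed_b32, int(at // step), digits)


def verify(seed_b32: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps on either side for clock drift."""
    if at is None:
        at = time.time()
    counter = int(at // 30)
    return any(
        hmac.compare_digest(hotp(seed_b32, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def seed_theft_demo(stolen_seed_b32: str = RFC6238_SEED_B32,
                    at: float = 1_700_000_000.0) -> Tuple[str, str, bool]:
    """Hypothetical scenario: the user's authenticator and the attacker both hold the same seed.

    Returns (code shown on the user's device, code computed by the attacker, server accepted?).
    Because TOTP is a pure function of (seed, time), the two codes are identical.
    """
    device_code = totp(stolen_seed_b32, at=at)     # what the legitimate user's app displays
    attacker_code = totp(stolen_seed_b32, at=at)   # what an attacker with the copied seed computes
    return device_code, attacker_code, verify(stolen_seed_b32, attacker_code, at=at)


if __name__ == "__main__":
    device, attacker, accepted = seed_theft_demo()
    print(f"device shows {device}, attacker computes {attacker}, server accepts: {accepted}")
```

The takeaway for defenders: a TOTP secret lives on every device and server that can verify it, including configuration exports and backups, so protecting those copies matters as much as the code itself. Phishing-resistant MFA (FIDO2/WebAuthn) avoids this failure mode because the private key never leaves the authenticator and cannot be copied out of a server-side database.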
The Silent Threat: Inheriting Infrastructure Without Knowing What’s Inside
One of the most overlooked but dangerous issues in these attacks lies in mergers and acquisitions. When a company acquires another or merges infrastructure, rarely does it fully audit the inherited systems.
And that’s a recipe for disaster.
Many recent incidents happened in environments where:
- SonicWall devices designed for small businesses were integrated into complex corporate networks
- Old configurations, privileged access, and legacy policies were never reviewed
- Orphaned accounts with excessive permissions were left untouched
- No inventory or active monitoring existed
Akira exploited this perfectly: an environment with no visibility, no updates, and no control.
When you plug in unvetted legacy infrastructure, you're connecting weaknesses straight to your core systems.
The Real Problem Isn’t the Device—It’s the Lack of Management
This campaign delivers a clear lesson: security doesn’t depend on your firewall’s brand—it depends on how you manage your environment.
If your organization doesn’t update, audit, monitor, or manage access properly, you’re vulnerable—no matter how premium your tools are.
At the bare minimum, your team should:
- Apply security patches promptly
- Review all device configurations—especially inherited ones
- Regularly audit privileged accounts and VPN access
- Rotate passwords during infrastructure integration
- Segment the network to limit lateral movement
- Decommission obsolete equipment before going live
If your company isn’t doing this, it’s silently accumulating risk.
Who Is Akira and Why Is It So Dangerous?
Akira emerged in March 2023 as a Ransomware-as-a-Service (RaaS) operation. Since then, it has rapidly grown and is now one of the most active and effective global threats.
Its operators, presumably Russian-speaking, show technical links to the now-defunct Conti group—though Akira is not considered a direct successor.
How Does Akira Work?
Their model is double extortion:
- Steal large volumes of sensitive data
- Encrypt the systems
- Threaten to publish the data if ransom isn't paid
Their dark web leak site features retro design, victim-specific pages, and negotiation panels—used to publicly pressure organizations by leaking data samples.
Who Has Been Targeted?
Over 350 organizations across sectors like:
- Healthcare
- Manufacturing
- Energy
- Education
- Finance
- Services
- Critical Infrastructure
In Mexico, confirmed victims include: Recycla, Adrenalina, Corp BJR, Peñoles, Alpura, and AARCO.
Simple Entry, Massive Impact
Though sophisticated, Akira often uses simple but devastating entry points:
- VPNs without MFA or with vulnerable MFA
- Compromised credentials
- Misconfigurations
- Backup infrastructure flaws
- Virtualization environment errors
Once inside, they use legitimate administration tools to move laterally, which makes detection harder, then disable or delete backups and encrypt Windows, Linux, and VMware ESXi systems alike.
What Should Companies Learn From This?
The key lesson is simple: Security tools don’t protect you if you don’t manage them well.
And if you integrate infrastructure without vetting it, you’re inviting ransomware in.
To avoid becoming the next headline:
- Apply patches the moment they’re released
- Enforce phishing-resistant MFA
- Keep offline, tested backups
- Monitor VPN connections actively
- Audit all privileged access
- Inventory every inherited device
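As an added example of what "monitor VPN connections actively" and "audit all privileged access" (and the earlier checklist's "regularly audit privileged accounts and VPN access") look like in practice, the following Python script reviews VPN authentication events against an account inventory. It is not code from this article and is not tied to SonicWall's or any vendor's log format: the log lines, the account names, the inventory and the thresholds are all constructed for the example. It flags four things this campaign exploited: logins by accounts nobody owns (orphaned accounts inherited through an integration), successful logins from a source never seen for that account, a burst of failures followed by a success (credential guessing), and enabled accounts that nobody has used in the review window (candidates for decommissioning). It also notes when one source address is used by several accounts, which is a common sign of a single attacker working through a set of stolen credentials.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple

# Constructed sample log (vendor-neutral, not real SonicWall output).
# One line per authentication attempt: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2025-07-10T08:02:11Z user=jsmith src=198.51.100.20 result=success
2025-07-11T08:05:42Z user=jsmith src=198.51.100.20 result=success
2025-07-12T01:12:03Z user=svc_backup src=203.0.113.45 result=failure
2025-07-12T01:12:09Z user=svc_backup src=203.0.113.45 result=failure
2025-07-12T01:12:14Z user=svc_backup src=203.0.113.45 result=failure
2025-07-12T01:12:20Z user=svc_backup src=203.0.113.45 result=failure
2025-07-12T01:12:27Z user=svc_backup src=203.0.113.45 result=success
2025-07-12T01:14:40Z user=mlegacy src=203.0.113.45 result=success
2025-07-13T09:00:00Z user=jsmith src=203.0.113.77 result=success
"""

# Constructed inventory of VPN accounts that still have a named owner (hypothetical names).
# "mlegacy" exists on the appliance but is missing here: it came with an acquisition and nobody owns it.
ACTIVE_ACCOUNTS: Set[str] = {"jsmith", "svc_backup", "atorres"}

NOW = datetime(2025, 7, 20, tzinfo=timezone.utc)   # review time, fixed so the example is reproducible
FAILED_BEFORE_SUCCESS = 3                           # failures before a success worth flagging
STALE_DAYS = 90                                     # enabled accounts unused this long get flagged

Finding = Tuple[str, str, str]   # (category, account, detail)


def parse(log_text: str) -> List[dict]:
    """Turn 'ts key=value ...' lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(event)
    return events


def review(log_text: str, active_accounts: Set[str], now: datetime) -> List[Finding]:
    """Walk the events in time order and emit findings an analyst should look at."""
    findings: List[Finding] = []
    sources_by_user = defaultdict(set)     # source IPs already seen per account
    users_by_source = defaultdict(set)     # accounts already seen per source IP
    failures = defaultdict(int)            # consecutive failures per account
    last_success = {}                      # most recent successful login per account

    for event in sorted(parse(log_text), key=lambda e: e["ts"]):
        user, src = event["user"], event["src"]
        if event["result"] != "success":
            failures[user] += 1
            continue

        if user not in active_accounts:
            findings.append(("orphaned-login", user, f"no owner in inventory, from {src}"))
        if sources_by_user[user] and src not in sources_by_user[user]:
            findings.append(("new-source", user, f"first login from {src}"))
        if failures[user] >= FAILED_BEFORE_SUCCESS:
            findings.append(("guess-then-success", user, f"{failures[user]} failures before success"))
        others = users_by_source[src] - {user}
        if others:
            findings.append(("shared-source", user, f"{src} also used by {', '.join(sorted(others))}"))

        sources_by_user[user].add(src)
        users_by_source[src].add(user)
        failures[user] = 0
        last_success[user] = event["ts"]

    # Inventory side: enabled accounts that nobody has used in the window should not stay enabled.
    for user in sorted(active_accounts):
        last = last_success.get(user)
        if last is None or now - last > timedelta(days=STALE_DAYS):
            findings.append(("stale-account", user, f"no successful login in {STALE_DAYS} days"))
    return findings


def review_sample() -> List[Finding]:
    """Run the review over the constructed sample with the fixed review time."""
    return review(SAMPLE_LOG, ACTIVE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for category, account, detail in review_sample():
        print(f"{category:20} {account:12} {detail}")
```

On a real appliance the same logic runs over exported authentication logs or a SIEM query, and the inventory comes from the identity system rather than a hard-coded set; the value is in the joins (log versus inventory, account versus source), which is exactly what is missing when an inherited firewall is plugged in without anyone reviewing its local accounts.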
No organization is off the radar.
Akira is showing that even “minor” oversights can lead to multi-million dollar incidents.
Conclusion: Security Is Not a Product—It’s a Practice
The SonicWall–Akira case reminds us of something critical: cybersecurity can’t be bought—it must be managed.
You can have the best tools on the market, but if you don’t govern them well, close access gaps, patch on time, and audit actively—you’ll stay exposed.
At TecnetOne, we always say:
Tools help—but only governance and good practices truly protect you.

