
Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues

  • September 29, 2025

Jasper_The_Rasper
Moderator

In one attack, the hackers leveraged the Datto RMM utility on a domain controller and various other legitimate tools to evade detection.

 

September 29, 2025 By Ionut Arghire

Ransomware

The Akira ransomware group continues to exploit a year-old SonicWall vulnerability for initial access and relies on pre-installed and legitimate tools to evade detection, security researchers warn.

Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766 (CVSS score of 9.3), an improper access control issue in SonicWall firewalls that was patched in August 2024.

Akira’s campaign, Arctic Wolf warns in a fresh report, remains active, as the ransomware operators are successfully targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option.

Arctic Wolf says it observed dozens of incidents that can be tied together by VPN client logins originating from VPS hosting providers, network scanning, Impacket SMB activity for endpoint discovery, and Active Directory discovery.

 
