Akira Reloaded

A surge in Akira ransomware campaigns since July 2025 leverages CVE-2024-40766 in SonicWall SSL VPNs to harvest credentials and achieve rapid intrusions, sometimes completing post-compromise actions in under 55 minutes. Attacks use tools like Impacket, WinRAR, AnyDesk/RustDesk, and DPAPI-decrypting PowerShell scripts to perform discovery, lateral movement, data staging/exfiltration, and double-extortion. #Akira #CVE-2024-40766

Keypoints

  • Akira ransomware campaigns have surged since July 2025, targeting multiple industries and geographies with fast, often sub-hour, intrusion timelines.
  • Initial access commonly exploits SonicWall SSL VPNs via CVE-2024-40766 to obtain credentials for malicious logins, including to MFA-protected accounts.
  • Rapid post-access activity includes internal scanning (SoftPerfect, Advanced IP Scanner), SMB discovery and lateral movement via Impacket, and Active Directory enumeration.
  • Data is staged and exfiltrated using WinRAR to chunk archives and transfer tools like Rclone or FileZilla; a PowerShell script was observed extracting credentials from Veeam backups using DPAPI/Base64.
  • Persistence and remote control are maintained via created local/domain accounts, RMM tools (AnyDesk, RustDesk), and Cloudflared; EDR and Defender are disabled using BYOVD and repackaged Microsoft binaries.
  • Ransomware binaries (akira.exe, locker.exe) encrypt drives and shares with a .akira extension and employ double-extortion via a high-volume leak site.
  • Akira operates as RaaS with a lucrative affiliate profit split (70–80%), enabling rapid scaling, geographic expansion, and diverse entry vectors (SonicWall, Cisco VPN, misconfigured RDP).

MITRE Techniques

  • [T1133] External Remote Services – Threat actors used malicious SSL VPN logins against SonicWall appliances to gain initial access via CVE-2024-40766 (“exploit CVE-2024-40766 … malicious SSL VPN logins”).
  • [T1110] Brute Force (Credential Access) – Stolen credentials and rapid successful authentications, including against MFA-enabled accounts, indicate credential-based access (“harvest credentials for malicious SSL VPN logins” and “successful authentication against MFA-enabled accounts”).
  • [T1046] Network Service Discovery – Internal scanning with SoftPerfect Network Scanner and Advanced IP Scanner targeted RPC, SMB, and SQL ports (“initiate internal network scanning using tools like SoftPerfect Network Scanner and Advanced IP Scanner, targeting ports such as 135 (RPC), 445 (SMB), and 1433 (SQL)”).
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement and discovery used Impacket and anomalous SMBv2 session setups for SMB-based discovery and movement (“Impacket library facilitates discovery and lateral movement through anomalous SMBv2 session setup requests”).
  • [T1087] Account Discovery – Active Directory enumeration via nltest, dsquery, and Get-ADUser PowerShell cmdlets mapped network assets and accounts (“Active Directory enumeration follows, employing tools such as nltest, dsquery, and PowerShell cmdlets like Get-ADUser”).
  • [T1005] Data from Local System – WinRAR was used to archive sensitive files (text, PDF, Office) into chunks prior to exfiltration (“WinRAR used to archive sensitive files, including text, PDF, and Office documents, into 3 GB chunks”).
  • [T1567] Exfiltration Over Web Service – Exfiltration to VPS infrastructure used tools like Rclone or FileZilla to transfer archived data (“transfer via tools like Rclone or FileZilla to VPS infrastructure”).
  • [T1136] Create Account – Persistence included creation of local and domain accounts masquerading as legitimate services (“Persistence is maintained through local and domain account creation, often masquerading as legitimate services”).
  • [T1059.001] PowerShell – A PowerShell script extracted and decrypted credentials from Veeam Backup & Replication databases using DPAPI/Base64 (“PowerShell script was observed extracting credentials from Veeam Backup & Replication databases … decrypts credentials using DPAPI and Base64-encoded formats”).
  • [T1204.002] Malicious File – Ransomware binaries (akira.exe, locker.exe) were deployed to encrypt drives and shares and append the .akira extension (“ransomware, deployed as akira.exe or locker.exe, encrypts drives and network shares … appending the .akira extension”).
  • [T1490] Inhibit System Recovery – Attackers disabled EDR and Windows Defender using BYOVD techniques and repackaged Microsoft binaries to interfere with recovery and detection (“disable endpoint detection and response (EDR) tools and Windows Defender using bring-your-own-vulnerable-driver (BYOVD) techniques, leveraging repackaged Microsoft binaries”).
  • [T1090.004] Multi-hop Proxy – Use of Cloudflared and VPS infrastructure for C2 and exfiltration suggests tunneling/proxying to obscure operations (“Cloudflared for command-and-control (C2)” and “logins originating from virtual private server (VPS) hosting providers”).
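The keypoints and the External Remote Services / Network Service Discovery entries above describe one detectable sequence: an SSL VPN login, often from VPS hosting space, followed within an hour by a sweep of ports 135, 445 and 1433 from the VPN-assigned client address. The correlation below is an added example, not code from the PolySwarm post; the event fields, the ASN label, the 20-host threshold and all sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

SCAN_PORTS = {135, 445, 1433}        # RPC, SMB, SQL: the ports the campaign's scanners targeted
MAX_DWELL = timedelta(minutes=55)    # login-to-scan window, from the reported sub-55-minute timeline
MIN_HOSTS = 20                       # assumed threshold: this many distinct internal hosts = a sweep
VPS_ASNS = {"ASN_PLACEHOLDER_VPS"}   # placeholder; populate from your own ASN/hosting enrichment


def find_fast_intrusions(vpn_logins, conn_events):
    """Flag VPN logins followed within MAX_DWELL by a port sweep from the
    VPN-assigned client IP.  vpn_logins: dicts with ts, user, public_ip, asn,
    client_ip.  conn_events: dicts with ts, src, dst, dport.  Returns alerts."""
    alerts = []
    for login in vpn_logins:
        t0 = datetime.fromisoformat(login["ts"])
        swept = set()  # distinct internal hosts probed on SCAN_PORTS inside the window
        for ev in conn_events:
            t = datetime.fromisoformat(ev["ts"])
            if (ev["src"] == login["client_ip"] and ev["dport"] in SCAN_PORTS
                    and t0 <= t <= t0 + MAX_DWELL):
                swept.add(ev["dst"])
        if len(swept) >= MIN_HOSTS:
            alerts.append({"user": login["user"], "public_ip": login["public_ip"],
                           "from_vps": login["asn"] in VPS_ASNS, "hosts": len(swept)})
    return alerts


# Constructed sample data: one login from VPS space that sweeps 30 hosts on
# SMB within 20 minutes, and one ordinary login that touches a single share.
SAMPLE_LOGINS = [
    {"ts": "2025-07-10T08:00:00", "user": "svc-backup", "public_ip": "203.0.113.5",
     "asn": "ASN_PLACEHOLDER_VPS", "client_ip": "10.20.0.15"},
    {"ts": "2025-07-10T09:00:00", "user": "jdoe", "public_ip": "198.51.100.7",
     "asn": "ASN_PLACEHOLDER_ISP", "client_ip": "10.20.0.16"},
]
SAMPLE_CONNS = (
    [{"ts": f"2025-07-10T08:{10 + i // 4:02d}:{(i % 4) * 15:02d}", "src": "10.20.0.15",
      "dst": f"10.0.1.{i}", "dport": 445} for i in range(1, 31)]
    + [{"ts": "2025-07-10T09:05:00", "src": "10.20.0.16", "dst": "10.0.2.9", "dport": 445}]
)

if __name__ == "__main__":
    for alert in find_fast_intrusions(SAMPLE_LOGINS, SAMPLE_CONNS):
        print(alert)
```

In production the same join runs over SonicWall SSL VPN authentication logs and firewall or EDR connection telemetry; the VPS flag is enrichment, not a precondition, since the sweep itself is the higher-confidence signal.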

Indicators of Compromise

  • [File Hash] Recent Akira sample hashes – a610ef0e37af408aa49c7296d238796c57ac45aa8b0809ce72bc4d75b23fdf4f, e9e0c53a59e00827c6e904d8d32ffc23bb9e2f45fa41d6acdc00533bfe151c62, and 18 more hashes.
  • [File Name] Ransomware payloads – akira.exe, locker.exe used to encrypt systems and append the .akira extension.
  • [Vulnerability] Targeted appliance/software – CVE-2024-40766 exploited in SonicWall NSA/TZ series running SonicOS 6/7 for initial access.
  • [Tools] Legitimate and malicious tooling observed – Impacket (SMB discovery/movement), WinRAR (archiving for exfiltration), Rclone/FileZilla (data transfer), AnyDesk/RustDesk/Cloudflared (persistence/C2).
  • [Network Artifact] Malicious login sources – SSL VPN logins originating from VPS hosting providers, whether from brute-force attempts or use of harvested credentials.


Read more: https://blog.polyswarm.io/akira-reloaded