White Paper

Prevention & Detection: AKIRA SonicWall Ransomware Campaign

Starting in the summer of 2025, the ransomware group AKIRA launched a fast-moving campaign against SonicWall firewalls that caught many organizations off guard. No zero-day was required. AKIRA combined a known vulnerability with default credentials and a design flaw in LDAP group provisioning to gain VPN access, connect directly to victim networks, and deploy encryption, all in under a day.

BlueVoyant’s DFIR team built this white paper from firsthand incident response work and open-source intelligence. It breaks down exactly how the campaign worked, why patching alone wasn’t enough, and what separated organizations that recovered quickly from those that didn’t. 

Download now to learn: 

  • How AKIRA chained a known CVE with default LDAP misconfigurations to gain persistent VPN access, and why patching alone didn’t stop them 
  • The three controls that determined whether organizations recovered from backups or considered a ransom payment 
  • Technical details on AKIRA’s attack chain and specific indications to check in your own environment
