Akira ransomware has crossed a threshold that should alarm every infrastructure team running perimeter VPN appliances: the group is now routinely completing full attack chains — initial access, lateral movement, exfiltration, and encryption — in under one hour. In some cases, dwell time is measured in minutes.

Research published this week by Arctic Wolf and corroborated by multiple incident response firms documents what they’re calling a “smash and grab” campaign. The speed isn’t accidental. Akira has operationalized its playbook to the point where human defenders and most automated detection systems simply cannot respond fast enough.

How the Attack Chain Works

The entry point is SonicWall SSL VPN appliances. Akira operators are authenticating with valid credentials — including successfully completing MFA challenges — which means traditional “block failed logins” detections are useless against this vector.

The credential source traces back to CVE-2024-40766, an improper access control vulnerability in SonicOS on SonicWall Gen 5, 6 and 7 firewalls disclosed in August 2024. Here’s the critical detail: even organizations that patched CVE-2024-40766 are getting hit. The credentials were harvested from devices while they were still vulnerable, and those credentials remain valid post-patch unless explicitly rotated. Local user accounts with SSL VPN access are the concern, and SonicWall’s own guidance singles out accounts carried over when a Gen 6 configuration was migrated onto a Gen 7 firewall, because the old passwords come along with the config.

Once inside the VPN, the timeline compresses fast:

  1. Minutes 0-5: VPN authentication with valid credentials and a passing OTP MFA challenge. Port scanning of the internal network begins immediately from the address the VPN pool hands out.
  2. Minutes 5-15: Lateral movement over SMB using Impacket tooling. Discovery of backup infrastructure, domain controllers, and file servers.
  3. Minutes 15-30: Data exfiltration, and neutralization of backups. Akira prioritizes Veeam Backup & Replication servers: on unpatched instances, CVE-2023-27532 lets an unauthenticated attacker pull the stored credentials out of the Veeam configuration database, and CVE-2024-40711 is an unauthenticated deserialization flaw that gives code execution on the backup server itself. Either route hands the operators the backup catalog, which they destroy or encrypt.
  4. Minutes 30-60: Ransomware deployment and encryption. Akira installs legitimate remote access tools like AnyDesk or LogMeIn as persistence mechanisms, so the activity blends with normal admin traffic.

Total time from VPN login to fully encrypted environment: under 60 minutes.

Why This Matters Now

Previous Akira campaigns measured dwell time in days. This represents a fundamental shift in ransomware operations — the “low and slow” approach has been replaced with blitz-speed execution designed to outrun detection and response.

The campaign is opportunistic and broad. Victims span multiple sectors with no apparent targeting preference beyond having internet-facing SonicWall VPN endpoints. Arctic Wolf has tracked this campaign as active since late July 2025, with activity accelerating through Q1 2026.

Akira also distinguishes itself operationally from other ransomware groups by investing in reliable decryption. Where most groups reportedly put 90-95% of their development effort into the encryptor, Akira has built decryptors that reliably recover large files such as server images. This isn’t altruism; it’s business strategy. Victims who believe decryption will actually work are more likely to pay.

Who’s Affected

Any organization running SonicWall SSL VPN appliances is in the blast radius, particularly Gen 5/6/7 firewalls, which are the products covered by CVE-2024-40766, and SMA 100 series appliances. The risk is highest for organizations that:

  • Patched CVE-2024-40766 but did not rotate all VPN credentials afterward
  • Run Veeam Backup & Replication without current patches
  • Lack network segmentation between VPN landing zones and backup infrastructure
  • Rely on MFA alone as a compensating control (Akira is passing OTP MFA challenges on the harvested accounts; whatever was taken along with the passwords is enough to satisfy the second factor)

What to Do Right Now

Immediate actions:

  • Rotate every VPN credential tied to SonicWall appliances, even if CVE-2024-40766 was patched months ago. Local user accounts with SSL VPN access come first. Because the operators are passing OTP challenges, a password reset alone is not enough: re-enroll the OTP/TOTP bindings for those accounts as well. This is the single most impactful mitigation.
  • Audit VPN logs for anomalous successful authentications: logins that passed MFA but came from unexpected geolocations, from hosting or VPS provider ranges, or at unusual hours.
  • Patch Veeam Backup & Replication to address CVE-2023-27532 and CVE-2024-40711. If your backups are reachable from VPN-adjacent network segments, assume they are a target.
  • Restrict SMB (TCP 445) from the VPN address pool to the few hosts that genuinely need it, and alert on everything else. Impacket-style lateral movement, one source opening SMB to dozens of hosts within a few minutes, is noisy if you’re looking for it.
  • Segment backup infrastructure from general corporate network access. Backup servers should not be accessible from VPN landing zones.

Detection priorities:

  • Alert on any VPN authentication followed by immediate port scanning or SMB enumeration within the same session.
  • Monitor for AnyDesk or LogMeIn installations on servers where they haven’t been previously authorized.
  • Watch for Veeam management traffic (the Veeam Backup Service listens on TCP 9401, the port CVE-2023-27532 was exploited over) from source IPs that are not the backup console or known administrative hosts.
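The two checks that matter most against this playbook are the log audit above (MFA-passed logins outside a user’s normal country or hours) and the first detection priority (a VPN login followed within minutes by internal scanning or SMB fan-out). The following Python is an added example, not code from Arctic Wolf, SonicWall or any vendor: it runs both checks over constructed VPN login records and constructed internal flow records. The record layout, the per-user baselines, the prefix-to-country table standing in for GeoIP, and the thresholds are all assumptions to be replaced with your own data.

```python
"""Two defender checks over SSL VPN logins and internal flows. All records
below are constructed for this example; the field names are assumptions,
not any vendor's log schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VpnLogin:
    ts: datetime
    user: str
    src_ip: str        # public address the session came from
    assigned_ip: str   # address handed out from the VPN pool
    mfa_passed: bool


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed per-user baselines: usual countries and working hours.
BASELINE = {
    "jsmith": {"countries": {"US"}, "hours": range(7, 20)},
    "svc-backup": {"countries": {"US"}, "hours": range(0, 24)},
}
# Constructed prefix -> country table standing in for a real GeoIP lookup.
GEO = {"203.0.113.": "US", "198.51.100.": "RO"}


def country_for(ip: str) -> str:
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def anomalous_logins(logins):
    """(user, src_ip, reasons) for MFA-passed logins outside the baseline.
    Failed logins are ignored on purpose: this campaign never produces any."""
    hits = []
    for lg in logins:
        if not lg.mfa_passed:
            continue
        base = BASELINE.get(lg.user)
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            cc = country_for(lg.src_ip)
            if cc not in base["countries"]:
                reasons.append(f"country {cc} not in baseline")
            if lg.ts.hour not in base["hours"]:
                reasons.append(f"off-hours login at {lg.ts:%H:%M}")
        if reasons:
            hits.append((lg.user, lg.src_ip, reasons))
    return hits


def scan_after_login(logins, flows, window=timedelta(minutes=10),
                     host_threshold=10, smb_host_threshold=5):
    """(user, assigned_ip, distinct_hosts, smb_hosts) for logins whose VPN
    address fans out to many hosts, or to SMB on several hosts, within
    `window` of authenticating. Thresholds are assumptions to tune."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src_ip].append(f)
    hits = []
    for lg in logins:
        in_window = [f for f in by_src.get(lg.assigned_ip, [])
                     if lg.ts <= f.ts <= lg.ts + window]
        hosts = {f.dst_ip for f in in_window}
        smb_hosts = {f.dst_ip for f in in_window if f.dst_port == 445}
        if len(hosts) >= host_threshold or len(smb_hosts) >= smb_host_threshold:
            hits.append((lg.user, lg.assigned_ip, len(hosts), len(smb_hosts)))
    return hits


def sample_logins():
    """Constructed: a 02:13 login from an unbaselined country, and a routine
    daytime service-account login. Both passed OTP MFA."""
    return [
        VpnLogin(datetime(2025, 8, 4, 2, 13), "jsmith", "198.51.100.7",
                 "10.200.0.15", True),
        VpnLogin(datetime(2025, 8, 4, 9, 5), "svc-backup", "203.0.113.9",
                 "10.200.0.22", True),
    ]


def sample_flows():
    """Constructed: jsmith's VPN address sweeps 10.10.1.1-50 on SMB about
    90 seconds after login; svc-backup opens two RDP sessions later on."""
    t0 = datetime(2025, 8, 4, 2, 13)
    flows = [Flow(t0 + timedelta(seconds=90 + i), "10.200.0.15",
                  f"10.10.1.{i}", 445) for i in range(1, 51)]
    flows.append(Flow(datetime(2025, 8, 4, 9, 20), "10.200.0.22", "10.10.5.4", 3389))
    flows.append(Flow(datetime(2025, 8, 4, 9, 55), "10.200.0.22", "10.10.5.9", 3389))
    return flows


if __name__ == "__main__":
    for hit in anomalous_logins(sample_logins()):
        print("anomalous login:", hit)
    for hit in scan_after_login(sample_logins(), sample_flows()):
        print("scan after login:", hit)
```

The pivot in the second check is the one that closes the gap this campaign exploits: the public-side login looks legitimate, so the signal lives in what the VPN-assigned address does in the next few minutes. In production, join the VPN’s session-assignment log against flow or firewall logs for the VPN pool, and set the SMB threshold low; a real VPN user rarely needs port 445 on more than a couple of hosts in ten minutes.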

Advisories and References

The window for response against Akira is now measured in minutes, not days. If your IR playbook assumes hours of dwell time before encryption begins, it needs to be rewritten.