Ransomware can encrypt your whole network in under an hour — starting at your firewall VPN
Through 2025 and 2026 security firms tracked a ransomware campaign that broke in through firewall VPNs and locked entire networks in about an hour — here is what to fix before it is your turn.
The gap between a single bad VPN login and your files being locked is now measured in minutes — not days. For years, the comfort blanket for small businesses was time: even if someone got in, you would surely notice the snooping, the odd login, the files being copied, long before anything went badly wrong. That assumption is no longer safe. Attackers are walking in through the one device that is meant to keep them out — the firewall — and finishing the job before most teams have finished their morning coffee.
What actually happened with Akira and SonicWall VPNs
Through 2025 and into 2026, security firms including Arctic Wolf, Rapid7 and Darktrace tracked an aggressive campaign by the Akira ransomware group. The way in was the SSL VPN on SonicWall firewalls — the encrypted tunnel staff use to work remotely. Researchers linked the intrusions to CVE-2024-40766 (a vulnerability first disclosed in 2024) together with weak configurations and credentials that had never been rotated. Once inside, the attackers moved fast: in some cases ransomware was deployed in roughly an hour from first access.
The point of this post is not "SonicWall is bad." Every major firewall vendor has shipped a serious flaw, and the next campaign will target a different brand. The lesson is about the category of device — the internet-facing edge — and the fact that it is now the front door criminals try first. Treat any specific CVE figure here as accurate at the time of writing and check the relevant vendor advisory for the current status; the advice below holds regardless of which logo is on your firewall.
Your firewall is on the internet, so it gets attacked first
A firewall VPN is, by design, reachable from anywhere in the world. That is what makes it useful for remote staff — and what makes it the single most valuable target on your network. If it is running old firmware, exposes its admin or VPN portal to the whole internet, or still has accounts using passwords from three years ago, you have left the front door unlocked and lit.
Patch the edge first, not last. Firewalls, VPN gateways and other internet-facing kit deserve the fastest patch cycle you have, because a flaw in them is a flaw the whole internet can reach.
Rotate credentials after any patch. Several intrusions in this campaign succeeded because old usernames and passwords were still valid even after the device was updated. Patching closes the hole; rotating credentials evicts anyone who already had a key.
Shrink the attack surface. Restrict VPN and admin access to known users and locations where you can, and turn off services you do not use.
One-time codes are MFA — but they are not enough on their own
Here is the detail that unsettles most business owners: researchers observed intrusions that got past a valid one-time-code MFA challenge. Multi-factor authentication still matters enormously and you should absolutely have it on — but the older style, where you type a six-digit code from an app or SMS, can be defeated. Attackers phish the code in real time, or wear users down with repeated prompts until someone taps "approve" to make it stop.
The fix is not to abandon MFA — it is to move toward phishing-resistant methods (passkeys and hardware security keys), tighten conditional-access rules, and treat identity as something you actively monitor, not a box you ticked at setup. Strong identity controls sit at the heart of the Essential Eight, the framework we use to baseline every client.
If dwell time is an hour, someone has to be watching at 2am
"Dwell time" is how long an intruder sits in your network before doing damage. When that window was weeks, a business-hours IT check was enough. When it is an hour — and the attack lands at 2am on a Sunday because that is when no one is looking — there is no human safety net unless someone, or something, is watching around the clock.
This is the gap an in-house Security Operations Centre fills. Our SOC watches client environments 24/7, and pairs that with endpoint detection and response (EDR) on every device so that the moment ransomware behaviour appears — mass file encryption, processes killing your backups — it can be isolated automatically before it spreads. A machine reacts in seconds; a Monday-morning email does not. You can see how this works on our 24/7 SOC page.
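To show what "the moment ransomware behaviour appears" looks like to a machine, here is an added example (not the SOC's own tooling or any vendor's EDR logic) of a behavioural rule for the two signals named above, run over constructed endpoint events; hosts, PIDs, paths and the command line are all made up.

```python
# Added example: a minimal behavioural rule for mass file encryption and
# backup-tampering processes, run over constructed endpoint telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|host|pid|action|detail".
EVENTS = r"""
2026-02-15T02:02:58|FS01|3988|process|vssadmin.exe delete shadows /all /quiet
2026-02-15T02:03:10|FS01|4120|rename|D:\Shares\Finance\q1.xlsx -> q1.xlsx.akira
2026-02-15T02:03:10|FS01|4120|rename|D:\Shares\Finance\q2.xlsx -> q2.xlsx.akira
2026-02-15T02:03:11|FS01|4120|rename|D:\Shares\HR\payroll.docx -> payroll.docx.akira
2026-02-15T02:03:11|FS01|4120|rename|D:\Shares\HR\contracts.pdf -> contracts.pdf.akira
2026-02-15T02:03:12|FS01|4120|rename|D:\Shares\Ops\roster.xlsx -> roster.xlsx.akira
2026-02-15T09:14:02|PC07|2210|rename|C:\Users\amy\draft.docx -> draft-v2.docx
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, action, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "action": action, "detail": detail})
    return events

def new_extension(detail):
    # "old -> new": the extension the file carries after the rename
    return detail.split(" -> ", 1)[1].rpartition(".")[2].lower()

def max_in_window(times, window):
    # Largest number of timestamps that fall inside any span of length `window`
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect(events, threshold=5, window_seconds=60):
    # One (host, pid) renaming many files to one new extension in a short
    # window, or running a backup-tampering command, is what EDR isolates on.
    alerts, window = [], timedelta(seconds=window_seconds)
    renames = defaultdict(list)  # (host, pid, new_ext) -> timestamps
    for e in events:
        if e["action"] == "rename":
            renames[(e["host"], e["pid"], new_extension(e["detail"]))].append(e["ts"])
        elif e["action"] == "process":
            d = e["detail"].lower()
            if "delete shadows" in d or ("stop" in d and "backup" in d):
                alerts.append((e["host"], e["pid"], "backup_tamper"))
    for (host, pid, ext), times in renames.items():
        if max_in_window(times, window) >= threshold:
            alerts.append((host, pid, f"mass_rename:{ext}"))
    return sorted(alerts)
```

The benign rename on PC07 never trips the rule; the server doing five renames in two seconds and the shadow-copy deletion both do.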
Assume something will get through — and make sure it cannot finish the job
Good security is layered precisely because no single layer is perfect. Even with a patched firewall and strong identity, you plan for the day something slips past.
Segment your network. If the VPN connects to a flat network where every server and PC can reach every other one, one compromised login becomes everything. Segmentation contains the blast radius.
Keep backups offline and tested. Akira and groups like it go after backups first. Immutable, off-network copies — that you have actually restored from in a drill — are what turn a catastrophe into a bad afternoon. That is the job of disaster recovery and business continuity.
Have an incident response plan you have rehearsed. When the clock is measured in minutes, "who do we call and what do we do first" cannot be invented on the day. Our incident response team is built for exactly that moment.
What a Melbourne business owner should do this week
Find out what is on your edge. What firewall and VPN do you run, what firmware version, and when was it last patched? If no one can answer in five minutes, that is the first thing to fix.
Rotate VPN and admin credentials. Especially any that pre-date your last firmware update.
Check who is watching after hours. If the honest answer is "nobody", you are relying on luck against attacks that arrive overnight on purpose.
Confirm your backups are offline and recently tested. A backup you have never restored is a hope, not a plan.
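The "patch the edge, rotate credentials, shrink the attack surface" advice and the first two items of this week's checklist reduce to one audit. As an added example that is not from the original post, here it is over a constructed firewall inventory: device names, firmware build numbers, dates and accounts are all invented, and the minimum build would in practice come from the vendor advisory.

```python
# Added example: an edge-hygiene audit over a constructed inventory. It flags
# the three conditions the post calls out: firmware behind the fixed build,
# credentials older than the last patch, and an admin/VPN portal open to the
# whole internet. All versions, dates and names are constructed.
from datetime import date

INVENTORY = [  # constructed: one exposed, stale device and one clean one
    {"name": "fw-edge-01", "firmware": "7.1.0-1002", "patched": date(2025, 9, 2),
     "admin_from": ["0.0.0.0/0"],
     "accounts": {"vpnadmin": date(2023, 1, 10), "jsmith": date(2025, 9, 3)}},
    {"name": "fw-branch-02", "firmware": "7.1.0-1040", "patched": date(2025, 11, 14),
     "admin_from": ["10.0.0.0/8"],
     "accounts": {"ops": date(2025, 11, 15)}},
]
MIN_FIRMWARE = "7.1.0-1040"  # constructed; use the build named in the vendor advisory

def version_key(v):
    # "7.1.0-1040" -> (7, 1, 0, 1040) so builds compare numerically, not as text
    return tuple(int(p) for p in v.replace("-", ".").split("."))

def audit_device(dev, min_firmware=MIN_FIRMWARE):
    findings = []
    if version_key(dev["firmware"]) < version_key(min_firmware):
        findings.append(f"{dev['name']}: firmware {dev['firmware']} is below {min_firmware}")
    if "0.0.0.0/0" in dev["admin_from"]:
        findings.append(f"{dev['name']}: admin/VPN portal reachable from any address")
    for user, changed in dev["accounts"].items():
        # A password last changed on or before the patch date may already be in
        # an attacker's hands; patching alone does not invalidate it.
        if changed <= dev["patched"]:
            findings.append(f"{dev['name']}: account {user} password predates patch ({changed})")
    return findings

def audit(inventory, min_firmware=MIN_FIRMWARE):
    return [f for dev in inventory for f in audit_device(dev, min_firmware)]
```

Run against a real inventory export, the findings list is the "answer in five minutes" the checklist asks for.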
Frequently asked questions
Does this only affect SonicWall firewalls?
No. This particular campaign focused on SonicWall SSL VPNs, but the underlying lesson applies to every brand of internet-facing firewall and VPN. The risk comes from the type of device — anything reachable from the public internet — not from one vendor. Any major firewall is a target if it is unpatched, exposed or using old credentials.
I have MFA turned on. Am I safe from this?
MFA is essential and you should keep it on, but in this campaign researchers saw intrusions that defeated older one-time-code MFA through real-time phishing and prompt fatigue. The stronger position is phishing-resistant MFA such as passkeys or hardware keys, combined with conditional-access rules and identity monitoring, so a stolen code alone is not enough.
How can ransomware encrypt a whole network in under an hour?
Once an attacker is through the VPN, a flat internal network and unmonitored servers let them move sideways quickly, disable backups and trigger encryption everywhere at once. Speed comes from automation and a lack of internal barriers. Network segmentation, EDR and 24/7 monitoring are what slow it down and stop it.
Are small Melbourne businesses really a target for ransomware groups?
Yes. These campaigns scan the internet for vulnerable firewalls automatically — they do not check your size first. A smaller business with an unpatched VPN and no after-hours monitoring is often an easier win than a large enterprise, which is exactly why SMBs are hit so often.