Editor's note: This report was authored by Thomas Higdon
Key Points:
“Akira” ransomware campaigns have exploited SonicWall SSL VPNs, infiltrating newly acquired small- to medium-sized business environments during mergers and acquisitions (M&A).
Once inside, attackers exploit inherited weaknesses—like unchecked privileged accounts, predictable hostnames, and inconsistent endpoint protection—to exfiltrate data and deploy ransomware in as little as five hours.
Blind spots from inherited security debt, legacy vulnerabilities, and inconsistent integration practices during M&A allow attackers to bypass defenses and spread compromise from acquired businesses to larger organizations.
To counter these threats, security teams must prioritize early asset discovery, credential audits, and unified monitoring across both legacy and new environments.
The “Akira” ransomware group has been weaponizing vulnerabilities in SonicWall SSL VPN devices, revealing an overlooked threat for larger enterprises navigating mergers and acquisitions (M&A). These devices, widely used by small- and medium-sized businesses due to their affordability and ease of use, have become launchpads for Akira’s fast-spreading attacks.
ReliaQuest analyzed a series of Akira attacks between June and October 2025 that targeted SonicWall SSL VPN devices to uncover a troubling trend. In every incident, Akira operators gained a foothold in larger, acquiring enterprises by compromising SonicWall devices inherited from smaller, acquired businesses during M&A. In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed.
This isn’t just the usual story of hidden technologies slipping through the cracks during M&A. These attacks were part of a deliberate and targeted campaign against SonicWall devices, which are rare in larger organizations but common in smaller ones. Standard M&A due diligence is not enough. Security teams must proactively secure inherited technologies, prioritizing early visibility into new environments, especially remote access tools, so that risky configurations and outdated credentials are addressed before attackers exploit them.
In this report, we’ll walk you through how Akira operators turned inherited gaps into enterprise-wide risks and what steps your team can take to secure those weaknesses. Here’s what we’ll cover:
How Akira ransomware operators exploited M&A blind spots by abusing inherited SonicWall SSL VPN devices to infiltrate and move rapidly through newly acquired networks.
Why SonicWall’s popularity among smaller businesses, and its common misconfigurations, makes it a repeatable entry point for Akira’s campaigns.
Real-world case studies highlighting inherited risks like legacy credentials, predictable hostnames, and inconsistent endpoint protection.
Actionable steps to find and close these blind spots, and how ReliaQuest can help you get ahead.
Inherited Security Gaps Gave Akira the Upper Hand
We can’t be sure whether Akira was deliberately targeting the M&A process; all we know is that the group abused SonicWall SSL VPN devices that are commonly used by the types of businesses likely to undergo an acquisition. However, aside from this commonality in the incidents, we identified three M&A-related enablers of compromise that helped the attacks progress: stale privileged credentials, predictable hostnames, and inconsistent endpoint protection. These factors created a perfect storm for Akira’s success, turning inherited environments into risks for their new owners.
Stale Credentials Handed Attackers the Keys
In every incident analyzed between June and October 2025, Akira’s initial compromise traced back to a SonicWall SSL VPN device inherited from an acquired small- or medium-sized business. Once inside, the attackers immediately looked for privileged accounts—such as those originating from old managed service provider (MSP) or administrator logins—that had been transferred over during the M&A process. Crucially, these credentials were often unknown to the acquiring company, and left unmonitored and unrotated post-acquisition.
In the incidents we analyzed, by exploiting a legacy admin credential, Akira operators gained access to sensitive systems and navigated to a domain controller (DC) in an average of just 9.3 hours. In some incidents, this time was even faster—within five hours. This rapid escalation was possible because inherited accounts remained unchecked, giving attackers the persistence they needed to move deeper into the network before defenders could respond. In the M&A context, this common blind spot—specific to inherited environments—gives attackers a fast track for compromise.
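One way to surface the inherited accounts described above before an attacker does is a simple audit of the acquired directory against the deal's close date. This is an added example, not ReliaQuest's tooling or code from the report; the account records, acquisition date, group names and 90-day policy are constructed assumptions, and the same check covers the credential-hygiene step in the action plan later in the report.

```python
"""Audit privileged accounts inherited through an acquisition.

Constructed example: the account records below imitate an export from the
acquired company's directory (names, dates and groups are made up).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, List, Dict

ACQUISITION_DATE = date(2025, 6, 1)   # assumed close date of the deal
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE_DAYS = 90            # assumed acquirer password policy

@dataclass
class Account:
    name: str
    groups: Set[str]
    password_last_set: date
    owner: Optional[str]              # named owner in the acquiring organization
    last_vpn_logon: Optional[date]    # most recent SSL VPN authentication

def audit_account(acct: Account, today: date) -> List[str]:
    """Return the reasons an inherited privileged account needs attention."""
    findings: List[str] = []
    if not acct.groups & PRIVILEGED_GROUPS:
        return findings                     # only privileged accounts are in scope
    unrotated = acct.password_last_set < ACQUISITION_DATE
    if unrotated:
        findings.append("privileged credential not rotated since acquisition")
    if (today - acct.password_last_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than policy maximum")
    if acct.owner is None:
        findings.append("no owner in acquiring organization")
    # The dangerous combination from the incidents: an old credential still in use.
    if unrotated and acct.last_vpn_logon and acct.last_vpn_logon >= ACQUISITION_DATE:
        findings.append("VPN use after acquisition on unrotated credential")
    return findings

def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    return {a.name: f for a in accounts if (f := audit_account(a, today))}

SAMPLE_ACCOUNTS = [  # constructed records
    Account("msp-admin", {"Domain Admins"}, date(2023, 2, 14), None, date(2025, 9, 3)),
    Account("svc-backup", {"Administrators"}, date(2025, 7, 10), "it-ops", None),
    Account("jdoe", {"Domain Users"}, date(2022, 1, 1), None, date(2025, 9, 4)),
]

def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS, date(2025, 10, 1))

if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name, "->", "; ".join(reasons))
```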
Predictable Names Made Hiding Easier
Akira operators didn’t have to work hard to identify high-value targets in the inherited networks. In several of our investigations, they scanned the networks for hosts with default or predictable names. These naming conventions, carried over from the acquired company, had not been standardized during M&A integration, making it easy for attackers to quickly identify and prioritize high-value targets like DCs and application servers.
In one case, Akira identified a file host with a default-style name, and within just a few minutes of gaining initial access, began attempting file transfer protocol (FTP) connections and account enumerations. A short time later, the attackers successfully exfiltrated data. Across all incidents, lateral movement to ransomware deployment occurred with alarming speed—taking an average of just one hour. The attackers took advantage of incomplete asset inventories and a lack of renaming protocols—common oversights during rushed M&A integrations.
Missing EDR Allowed Ransomware To Spread
SonicWall compromise was just Akira’s opening move. In every analyzed incident, after gaining initial access, Akira operators scanned the inherited networks for critical hosts that lacked EDR coverage. In cases where no unprotected hosts were found, they attempted to disable EDR on targeted systems using Dynamic Link Library (DLL) sideloading techniques. These gaps in EDR coverage were the result of inconsistent security practices during the M&A process, where endpoint protection was often incomplete or tamper protection wasn’t enabled.
In each case, the lack of standardized EDR deployment and monitoring left defenders with little time to detect or respond, giving attackers the upper hand to encrypt systems and disrupt operations before security teams could intervene.
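The two gaps just described, predictable hostnames and missing EDR coverage, can be found with one reconciliation pass over a discovery scan and the EDR console's agent export. This is an added example and not the report's or ReliaQuest's own code; the host list, agent list and the hostname patterns are constructed assumptions, not vendor rules, and the same pass serves the asset-discovery step in the action plan later in the report.

```python
"""Reconcile discovered hosts against EDR agents and flag predictable names.

Constructed example: the records below imitate (a) a network discovery scan of
an acquired site and (b) an EDR agent export; all hostnames are made up.
"""
import re
from typing import List, Set, Tuple

# Patterns that look factory-default or role-revealing (assumed heuristics).
PREDICTABLE_NAME_PATTERNS = [
    re.compile(r"^(DESKTOP|LAPTOP|WIN)-[A-Z0-9]{6,8}$", re.I),   # Windows OOBE names
    re.compile(r"^(DC|FS|SRV|SQL|FILESERVER)\d{0,2}$", re.I),    # bare role + number
    re.compile(r"^[A-Z]+-(DC|FS|FILE|APP|SQL)\d{1,2}$", re.I),   # SITE-ROLE01
]
HIGH_VALUE_ROLES = {"dc", "file", "app", "sql"}

def looks_predictable(hostname: str) -> bool:
    return any(p.match(hostname) for p in PREDICTABLE_NAME_PATTERNS)

Finding = Tuple[str, str, List[str]]   # (hostname, role, issues)

def reconcile(discovered: List[Tuple[str, str]], edr_agents: Set[str]) -> List[Finding]:
    """discovered: (hostname, role) pairs from the scan; edr_agents: hosts with a
    healthy agent. Unprotected high-value hosts are returned first."""
    protected = {h.lower() for h in edr_agents}
    scored = []
    for host, role in discovered:
        issues = []
        if host.lower() not in protected:
            issues.append("no EDR agent")
        if looks_predictable(host):
            issues.append("predictable hostname")
        if issues:
            # Priority: high-value role and missing EDR each add one point.
            score = int(role in HIGH_VALUE_ROLES) + int("no EDR agent" in issues)
            scored.append((score, host, role, issues))
    scored.sort(key=lambda s: -s[0])      # stable: ties keep scan order
    return [(h, r, i) for _, h, r, i in scored]

DISCOVERED = [  # constructed scan results
    ("ACME-DC01", "dc"), ("FS01", "file"),
    ("DESKTOP-4K2J9QX", "workstation"), ("acct-ws-112", "workstation"),
]
EDR_AGENTS = {"ACME-DC01", "acct-ws-112"}   # constructed agent export

def run_sample() -> List[Finding]:
    return reconcile(DISCOVERED, EDR_AGENTS)

if __name__ == "__main__":
    for host, role, issues in run_sample():
        print(f"{host} ({role}): {', '.join(issues)}")
```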
Why Was SonicWall a Target?
While we can’t know Akira’s exact motivations, our investigation points to three reasons why SonicWall SSL VPN devices may have been a target:
Widespread Deployment: SonicWall devices are widely deployed by small- and medium-sized businesses, making them a common presence in many environments and a reliable entry point for attackers.
Affordability Leading to Rushed Security Practices: SonicWall’s affordability and ease of deployment often result in rushed or inconsistent security practices, especially when it comes to credential management and patching.
Exposed and Misconfigured Remote Access Features: SonicWall’s remote access capabilities, like SSL VPN, are frequently exposed to the internet and can be left misconfigured or unmonitored. This creates opportunities for attackers to exploit known vulnerabilities or default settings.
A Practical Solution for Lean IT Teams
SonicWall’s widespread adoption among smaller businesses is driven by its affordability and practical features. These devices allow organizations to achieve effective security without the complexity or high costs of traditional enterprise-grade solutions. Here’s why these organizations consistently favor SonicWall:
Affordable Security Solutions: SonicWall offers robust protection that matches smaller businesses’ budgets and scales with company growth, making it an accessible choice for companies seeking cost-effective technologies.
User-Friendly Remote Access: SonicWall’s SSL VPN and related remote access features are easy to deploy and heavily utilized by MSPs to enable remote work.
Integrated Functionality for Limited IT Resources: Features like wireless security and load balancing make SonicWall an all-in-one solution, ideal for organizations with smaller IT teams.
SonicWall’s Weaknesses Are a Launchpad for Ransomware
While SonicWall devices are popular for their accessibility and robust features, our investigation found that attackers like Akira are quick to exploit recurring weaknesses that often accompany rapid deployment and limited oversight, including:
Default or Unchanged Configurations: SonicWall devices are frequently deployed with default passwords, legacy privileged accounts, or outdated settings. If these are overlooked during integration, they become an easy way in for attackers.
Unpatched Vulnerabilities: Many organizations add SonicWall appliances to their network without regular patching or security reviews, leaving known vulnerabilities exposed for exploitation.
Untracked or Unmanaged Devices: In the rush of M&A activity, devices can sometimes be left out of inventories or monitoring processes. This allows attackers to use these devices as hidden entry points to move from acquired businesses into the larger organizations undetected.
When these gaps go unaddressed, they don’t just expose the smaller business—they create an on-ramp for threats to spread into the larger organization. For companies growing through M&A, this means inheriting not just a new business but also hidden security burdens.
Turning M&A Blind Spots into Defensible Ground
SonicWall vulnerabilities might grab the headlines, but they’re only part of the story. The truth is, the M&A process itself creates opportunities for attackers like Akira, and not always for the reasons you’d expect. Let’s break down three major ways M&A can leave organizations exposed to compromise:
Security Debt That Lingers
Mergers are messy, and in the shuffle it’s easy for things to slip through the cracks: default passwords that were never changed, old admin accounts left active, or forgotten servers that no one tracks. These leftovers, often referred to as “security debt,” are exactly what attackers look for.
If these issues aren’t addressed quickly, bad actors can use them as backdoors into networks, sometimes lingering for months—or even years—before anyone notices. The longer these loose ends stick around, the more difficult and costly it becomes to contain and remediate attacks.
Inherited Vulnerabilities and Missing Inventories
Post-acquisition, keeping track of what systems and assets have been acquired is easier said than done. There might be a forgotten server that hasn’t been patched in years or a device that never made it onto the official asset list.
Without a complete and accurate inventory, defenders are left flying blind, unaware of what’s really on the network. Attackers, however, thrive in this chaos. They exploit these overlooked systems, move quietly, escalate their access, and steal data—all while staying undetected. The longer these gaps persist, the greater the risk of a costly and damaging breach.
Mix-and-Match Security Practices
Bringing two companies together doesn’t just mean combining teams; it also means reconciling two entirely different sets of security tools, policies, and monitoring systems. This process almost always leaves gaps, as inconsistencies and incompatibilities create weak points in the organization’s defenses.
Attackers like Akira are quick to spot these vulnerabilities. They can move throughout the organization with much less resistance and deploy ransomware on a much larger scale. The fallout? Widespread disruption, prolonged downtime, and significant damage to your company’s reputation if an attack occurs.
The big takeaway is that M&A isn’t just about merging companies—it’s about merging all their security baggage. Finding and fixing these blind spots as early as possible is key to keeping attackers like Akira from turning your vulnerabilities into their advantages.
Step Up Your Defenses Against Akira Ransomware
The strategies below are designed to help you detect and defend against Akira ransomware, but they’re just as effective for combating other ransomware groups targeting smaller organizations.
ReliaQuest’s Approach
GreyMatter Discover automatically inventories every device in your merged environment, helping you quickly identify blind spots and misconfigured systems after an acquisition.
GreyMatter’s agentic AI adds context to alerts from newly acquired assets, so you can confidently separate real threats from false alarms in complex environments.
ReliaQuest detection rules are continuously updated to identify the latest tactics and signs of an Akira breach, so you can stay ahead.
Akira’s attacks move fast, exploiting inherited accounts, unmanaged endpoints, and monitoring gaps during M&A. Used in conjunction with detection rules, GreyMatter Automated Response Playbooks are purpose-built to disrupt these tactics and close the window of opportunity for attackers:
Isolate Host: Instantly quarantine compromised endpoints to stop Akira from moving laterally across newly merged networks.
Disable User: Automatically revoke access for users showing suspicious activity, especially those leveraging inherited or privileged accounts post-acquisition.
Reset Credentials: Trigger immediate password resets for abused accounts during integration to block Akira’s attempts to escalate privileges or maintain persistence.
Your Action Plan
To strengthen your defenses and reduce the risk of compromise, focus on these key areas:
Prioritize SonicWall Patch Management and Configuration Audits: Akira ransomware rapidly exploits SonicWall devices with unpatched vulnerabilities or default configurations to gain initial access, especially in smaller businesses’ environments post-M&A. Establish a continuous patch management program for all remote access appliances and conduct regular configuration reviews to eliminate default credentials and insecure settings. This proactive approach removes Akira’s preferred entry points and minimizes the risk of high-speed compromise.
Implement Rigorous Credential Hygiene and Access Controls: Akira thrives on weak, stale, or excessive credentials inherited during M&A. Enforce strong password policies, mandate multifactor authentication (MFA) for all remote and privileged accounts and routinely audit for unused or risky credentials. These controls disrupt Akira’s ability to escalate privileges and move laterally through newly integrated environments.
Continuously Discover and Monitor Inherited Assets: Shadow IT and unmanaged endpoints, common in acquired businesses during M&A, create blind spots for Akira to exploit. Deploy automated asset discovery tools and establish continuous monitoring to identify all network-connected devices, especially those overlooked during integration. Proactive visibility prevents Akira from exploiting unknown systems and exfiltrating data at speed.
Key Takeaways and What’s Next
Akira’s campaign highlights the threat posed by ransomware groups that specialize in exploiting overlooked vulnerabilities in newly acquired environments. By methodically using repeatable techniques—such as credential brute-forcing, exploiting low-cost remote access solutions, and targeting unmanaged hosts—Akira has demonstrated a dangerous level of efficiency and impact on organizations looking to expand their businesses through M&A.
Organizations must remain vigilant for signs of credential testing, unusual remote access, and ransomware deployment, particularly in environments where integration is ongoing and asset inventories may still be incomplete.
Looking ahead to the rest of 2025 and beyond:
Integration Discipline and Visibility Will Be Key: As ransomware groups continue to evolve and accelerate their operations, organizations should prioritize real-time asset discovery, enforce rigorous credential audits, and ensure that all inherited systems are updated and monitored from day one of integration. Regularly reviewing remote access controls, patching legacy software, and deploying automated monitoring tools will help close visibility gaps and reduce attackers’ window of opportunity.
Ransomware Groups Will Likely Double Down on M&A Targets: Ransomware risk for M&A organizations is likely to grow as threat actors refine what works. The result will be broader and faster-moving attacks, with more groups likely to copy Akira’s proven playbook to automate exploitation of overlooked, low-cost technologies. In October 2025 alone, the group compromised over 70 victims by exploiting public-facing devices like SonicWall SSL VPNs. This level of efficiency and reward is likely to inspire other ransomware groups to adopt similar strategies, intensifying competition and increasing the overall impact of these campaigns.