Corporate predators get more than they bargain for when their prey runs SonicWall firewalls
Summary
ReliaQuest has analysed a series of Akira ransomware intrusions (June–October 2025) and found a recurring pattern: attackers compromised SonicWall SSL VPN appliances in smaller companies, and those compromised devices were then inherited by acquirers during mergers and acquisitions. The acquiring organisations were often unaware of the presence of these devices, leaving critical vulnerabilities exposed.
After gaining initial access via SonicWall flaws or misconfigurations, Akira affiliates hunted for privileged, legacy or zombie credentials transferred during the acquisition, located domain controllers quickly (often within hours), and exploited hosts with default/predictable names and missing endpoint detection to deploy ransomware with little resistance.
Key Points
- Akira exploited vulnerable SonicWall SSL VPN appliances and misconfigurations to gain initial access to networks.
- Compromised SonicWall devices in acquired companies provided a pivot into larger acquiring enterprises.
- Attackers searched for legacy or unmanaged privileged credentials carried over in M&A and used them to reach domain controllers rapidly (average 9.3 hours).
- Default or predictable hostnames and absent endpoint detection increased the speed and success of lateral movement and encryption (lateral-to-ransomware averaged under an hour).
- When endpoint protection existed, attackers attempted to disable it (e.g., DLL sideloading); lack of EDR made detection and containment far harder.
Context and relevance
This story highlights an underappreciated M&A risk: technical debt and legacy appliances can carry active compromises into new parent networks. SonicWall SSL VPN devices remain common in smaller organisations — exactly the firms often acquired — making them a frequent vector for supply- and acquisition-related infections.
For CISOs, IT teams and deal teams, the implications are practical: include thorough security discovery, credential hygiene, asset inventory and endpoint verification as mandatory parts of due diligence and post-merger onboarding to avoid inheriting a breach.
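As an added example (not the report's or ReliaQuest's tooling), the following script turns the due-diligence checks above into a first-pass triage of an acquired entity's inventory, flagging the signals the key points name: inherited SonicWall SSL VPN appliances, legacy or zombie privileged accounts, default hostnames and hosts without EDR. The record schema, the 90-day idle threshold and the hostname patterns are assumptions, and the sample inventory is constructed.

```python
"""Post-merger inventory triage: an added example, not the report's own tooling.
Flags the signals the summary ties to Akira intrusions: inherited SonicWall SSL VPN
appliances, zombie privileged accounts, default hostnames and hosts without EDR.
Schema, thresholds and hostname patterns are assumptions, not from the report."""
import re
from datetime import date

# Heuristic for factory-default Windows names (assumption; extend per estate)
DEFAULT_NAME_RE = re.compile(
    r"^(DESKTOP|WIN|LAPTOP)-[A-Z0-9]{6,12}$|^SERVER\d{0,2}$|^DC\d{1,2}$", re.I)
STALE_DAYS = 90  # privileged account idle longer than this counts as legacy/zombie
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

def triage(assets, accounts, today):
    """Return (severity, subject, reason) findings, most severe first."""
    findings = []
    for a in assets:
        if a.get("vendor", "").lower() == "sonicwall" and a.get("role") == "ssl-vpn":
            findings.append(("critical", a["hostname"],
                             "inherited SonicWall SSL VPN: confirm patch level, audit VPN logins"))
        if a.get("role") in ("workstation", "server") and not a.get("edr"):
            findings.append(("high", a["hostname"], "no endpoint detection agent reported"))
        if DEFAULT_NAME_RE.match(a["hostname"]):
            findings.append(("medium", a["hostname"], "default or predictable hostname"))
    for acct in accounts:
        if not acct.get("privileged"):
            continue
        last = acct.get("last_logon")
        idle = (today - last).days if last else None  # None = never logged on
        if idle is None or idle > STALE_DAYS:
            shown = idle if idle is not None else "never used"
            findings.append(("high", acct["name"],
                             f"privileged account idle {shown} days: disable or rotate before joining domains"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

# Constructed sample inventory for an acquired entity; not real data
SAMPLE_ASSETS = [
    {"hostname": "acq-fw-01", "vendor": "SonicWall", "role": "ssl-vpn", "edr": None},
    {"hostname": "DESKTOP-7Q2K9LM", "vendor": "Dell", "role": "workstation", "edr": None},
    {"hostname": "acq-dc01", "vendor": "HPE", "role": "server", "edr": "installed"},
]
SAMPLE_ACCOUNTS = [
    {"name": "svc_backup_old", "privileged": True, "last_logon": date(2024, 11, 2)},
    {"name": "jdoe", "privileged": False, "last_logon": date(2025, 10, 1)},
    {"name": "acq-admin", "privileged": True, "last_logon": date(2025, 10, 3)},
]

def run_sample():
    """Triage the constructed sample as of 2025-10-15 (fixed so results are stable)."""
    return triage(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, date(2025, 10, 15))
```

On the sample, the critical finding is the inherited SonicWall appliance, followed by the unprotected default-named workstation and the service account that has not logged on in 347 days.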
Why should I read this?
Look — if you do deals or run IT, this is the sort of pain you don’t want landing on your desk after signatures. The article shows exactly how attackers turn sloppy M&A practices and forgotten SonicWall boxes into a fast route to domain controllers and encryption. Read it so you can stop someone else’s crisis from becoming yours.
