
In mid-2025, cybersecurity professionals observed a surge in ransomware activity linked to the Akira threat group. Two distinct delivery methods stood out: one reached victims through SonicWall SSL VPNs, possibly via an undisclosed vulnerability, and the other relied on search engine poisoning to trick users into downloading trojanized software installers. Both led to rapid ransomware deployment, data theft, and significant operational disruption across multiple organizations.
Both campaigns were analyzed in detail, and although their attack methodologies differed, the findings point to the same conclusions: Akira-affiliated actors combine trusted tools with fast execution to outpace standard defensive measures, showing both technical sophistication and strategic agility.
SonicWall SSL VPN Exploitation and the Bring Your Own Vulnerable Driver Technique
Security researchers documented multiple incidents in which attackers entered corporate networks through SonicWall SSL VPNs. Notably, even fully patched appliances were compromised, and in some cases the intruders bypassed multifactor authentication (MFA). That pattern suggests either an undisclosed zero-day vulnerability or the use of compromised credentials or hijacked sessions; the reporting summarized here did not confirm the root cause.
Once inside the network, Akira affiliates deployed a combination of two signed Windows drivers to gain kernel-level privileges and disable security tools. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), abuses a legitimately signed driver that passes Windows driver signature enforcement and then exposes privileged functionality (such as kernel memory read/write) to user-mode code, letting the attackers operate with minimal interference.
The two drivers used were:
- rwdrv.sys – A legitimate signed driver from the ThrottleStop CPU management utility. The attackers loaded it by registering it as a Windows service, which gave them kernel-level access. Because the same driver ships with genuine ThrottleStop installs, its presence alone is a lead rather than proof of compromise; the install path and the service that loads it need to be checked.
- hlpdrv.sys – A second driver used to tamper with Windows Defender configuration: it modified the DisableAntiSpyware registry value through regedit.exe, effectively disabling Windows Defender and letting the follow-on tooling run undetected.
Researchers reported consistent use of these drivers across multiple Akira-related intrusions and have released YARA rules to help defenders identify them in forensic images or on live systems.
Poisoned Search Results and the Bumblebee–AdaptixC2 Chain
The second delivery vector was a carefully orchestrated search engine optimization (SEO) poisoning campaign. In one observed case, a user searching Bing for “ManageEngine OpManager” landed on a malicious site (opmanager[.]pro) that mimicked the vendor's download page. The installer it served bundled the legitimate OpManager software with embedded malware.
The installer delivered the Bumblebee loader via DLL side-loading: a malicious msimg32.dll was loaded by consent.exe, a signed Windows binary. Windows resolves a DLL from the executable's own directory before the system directory, so when the attacker places consent.exe next to their msimg32.dll, a trusted process ends up executing attacker code. Within five hours of the initial compromise, the attackers deployed AdaptixC2, an open-source command-and-control (C2) framework, alongside Bumblebee. This dual-C2 setup gave them redundant persistent communication and a channel for post-exploitation tasking.
The threat actors executed a wide range of activities in the short window before deploying ransomware:
- They ran reconnaissance commands including systeminfo, whoami, nltest, and net group domain admins.
- They created privileged accounts such as backup_DA and backup_EA to maintain access.
- WBAdmin was run against a domain controller to back up Active Directory data, a route to the NTDS database that holds domain credential hashes, and RustDesk was installed for persistent remote access.
- A renamed version of SoftPerfect’s network scanner was used for host discovery.
- Attackers established an SSH reverse tunnel, providing covert remote access through the victim’s outbound traffic.
- Credential theft was attempted from a Veeam backup server, with additional credential harvesting from memory via rundll32.exe.
- FileZilla was used to exfiltrate sensitive files over SFTP, tunneled through the SSH connection.
Once sufficient data was gathered and lateral movement completed, the attackers launched the ransomware payload via locker.exe, encrypting systems across the root domain. Two days later, they returned to target a secondary domain, conducted further reconnaissance, and initiated another round of encryption.
The total time from initial infection to the first ransomware deployment was just 44 hours. In a similar campaign observed by another security firm, the timeline was under nine hours. These incidents were not isolated: other victims reported identical initial vectors, including trojanized versions of software such as Axis Camera tools and Angry IP Scanner.
The Challenge Posed by Akira’s Tactical Evolution
The two Akira campaigns highlight how modern ransomware actors evolve rapidly and blend techniques across traditional and emerging attack surfaces. These incidents underscore the importance of not just patching and hardening systems, but also anticipating creative misuse of legitimate components.
Defenders should take note of several recurring themes:
- Abuse of Trusted Software: Akira’s use of signed drivers and real administrative tools enables stealthy intrusion and security bypasses. BYOVD remains effective because a legitimately signed driver passes driver signature enforcement, and once it is loaded the attacker has code running at the same privilege level as the EDR's own kernel components; unless the driver is on a blocklist, the signature alone tells the platform nothing about whether it is safe to load.
- Speed of Execution: Whether entering through a VPN appliance or poisoned installer, Akira actors move swiftly from initial access to ransomware deployment, often in under 48 hours.
- Defensive Limitations: Standard protections (patched systems, MFA, antivirus and endpoint detection) can be bypassed with enough creativity and planning. They remain essential, but are insufficient on their own.
Defensive Recommendations
Despite threat actors bypassing standard protections and abusing trusted software, actionable mitigation strategies can be implemented. Cybersecurity teams should consider the following:
VPN Hardening
- Temporarily disable SonicWall SSL VPN if feasible.
- Restrict VPN access to allow only trusted IP addresses.
- Enable botnet protection and Geo-IP filtering where supported.
- Prefer phishing-resistant, hardware-backed MFA (for example FIDO2 security keys) over TOTP codes wherever the appliance supports it.
- Audit and remove inactive VPN accounts.
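The allowlisting and account-audit points above can be checked against the appliance's own authentication logs. The following Python is an added example, not code from the original article or from SonicWall: it parses a constructed key=value log format (real appliance syslog differs), flags successful logins from outside an assumed set of trusted corporate egress ranges (RFC 5737 documentation addresses stand in for real ones), lists accounts with no successful login in the last 90 days, including accounts that never appear in the log, and notes which users are still authenticating with factors that are not phishing-resistant. The method labels `fido2` and `hardware_token` are assumptions about how the appliance names its factors.

```python
"""Review SSL VPN authentication logs for the three hardening checks above.

Added example; the log format, trusted ranges, method labels and every
record below are constructed for illustration, not real telemetry.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed corporate egress ranges (RFC 5737 documentation space as placeholders).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
# Assumed labels the appliance uses for phishing-resistant factors.
PHISHING_RESISTANT = {"fido2", "hardware_token"}

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2025-07-14T08:02:11Z user=alice src=198.51.100.23 method=totp result=success
2025-07-15T23:41:07Z user=bob src=192.0.2.17 method=totp result=success
2025-07-15T23:44:52Z user=bob src=192.0.2.17 method=totp result=success
2025-07-16T01:10:03Z user=admin src=192.0.2.99 method=password result=failure
2025-04-01T12:00:00Z user=carol src=198.51.100.40 method=totp result=success
2025-07-16T02:00:00Z user=dave src=203.0.113.50 method=fido2 result=success
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with typed ts and src."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["src"] = ipaddress.ip_address(rec["src"])
        records.append(rec)
    return records


def is_trusted(ip_str, nets=TRUSTED_NETS):
    """True when the source address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in n for n in nets)


def review(records, now, known_accounts, stale_days=90):
    """Return untrusted successes, failure counts, stale accounts and weak-MFA users."""
    findings = {"untrusted_success": [], "failures": {}, "non_resistant_mfa": set()}
    last_success = {}
    for r in records:
        if r["result"] != "success":
            findings["failures"][r["user"]] = findings["failures"].get(r["user"], 0) + 1
            continue
        last_success[r["user"]] = max(last_success.get(r["user"], r["ts"]), r["ts"])
        if not is_trusted(str(r["src"])):
            findings["untrusted_success"].append((r["user"], str(r["src"]), r["method"]))
        if r["method"] not in PHISHING_RESISTANT:
            findings["non_resistant_mfa"].add(r["user"])
    cutoff = now - timedelta(days=stale_days)
    # An account that never logged in during the window is stale too, so check the
    # full account list rather than only users who appear in the log.
    findings["stale_accounts"] = sorted(
        u for u in known_accounts if last_success.get(u, datetime.min) < cutoff)
    findings["non_resistant_mfa"] = sorted(findings["non_resistant_mfa"])
    return findings


def audit(log_text, now_iso, known_accounts, stale_days=90):
    """Convenience wrapper taking raw log text and an ISO-8601 'now'."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return review(parse_log(log_text), now, set(known_accounts), stale_days)


if __name__ == "__main__":
    accounts = ["alice", "bob", "carol", "dave", "erin"]
    for key, value in audit(SAMPLE_LOG, "2025-07-16T12:00:00Z", accounts).items():
        print(f"{key}: {value}")
```

Feed the audit the appliance's exported user list, not just the users who appear in the log; otherwise dormant accounts, the ones most likely to carry stale credentials, are invisible to the check.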
Driver Detection and Response
- Deploy the published YARA rules to detect the presence of rwdrv.sys and hlpdrv.sys, and hunt service-installation events (System log Event ID 7045) for kernel driver services pointing at either file.
- Investigate any use of these drivers, particularly when both are found on a single host. A lone rwdrv.sys can be a genuine ThrottleStop install, so confirm the install path and the process that registered the service before escalating.
- Enable Microsoft's vulnerable driver blocklist (enforced through HVCI or a WDAC policy) so that known-bad signed drivers are refused at load time; a driver not yet on the list still loads, so detection remains necessary.
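One way to run that hunt over normalized event data, as an added example rather than the researchers' own YARA rules or tooling: the Python below scans a list of event records for Event ID 7045 service installs whose image path ends in rwdrv.sys or hlpdrv.sys, and for Sysmon Event ID 13 registry writes to Defender's DisableAntiSpyware value, then rates each host. A host with both drivers, or a driver plus the Defender tamper, is rated high; a lone rwdrv.sys (which a genuine ThrottleStop install also registers) is rated medium for triage. The field names (host, event_id, image_path, target_object, image) are assumptions about how a SIEM would normalize these events, and the sample records are constructed.

```python
"""Hunt for the rwdrv.sys / hlpdrv.sys BYOVD pair in Windows service-install events.

Added example, not from the original reporting. Input records are constructed
and shaped like System log Event ID 7045 ("A service was installed in the
system") and Sysmon Event ID 13 (registry value set), already parsed to dicts.
"""
from collections import defaultdict
import ntpath

# Driver file names reported in Akira intrusions (basenames only; paths vary).
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Registry value hlpdrv.sys was used to change in order to turn Defender off.
DEFENDER_TAMPER_VALUES = {"disableantispyware"}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "WS01", "event_id": 7045, "service_name": "rwdrv",
     "image_path": r"\??\C:\Users\Public\rwdrv.sys", "service_type": "kernel mode driver"},
    {"host": "WS01", "event_id": 7045, "service_name": "hlpdrv",
     "image_path": r"C:\Users\Public\hlpdrv.sys", "service_type": "kernel mode driver"},
    {"host": "WS01", "event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    # Legitimate-looking ThrottleStop install: same driver, vendor path, no companion.
    {"host": "WS02", "event_id": 7045, "service_name": "ThrottleStop",
     "image_path": r"C:\Program Files\ThrottleStop\rwdrv.sys", "service_type": "kernel mode driver"},
    # Unrelated user-mode service install; must not be flagged.
    {"host": "WS03", "event_id": 7045, "service_name": "Spooler2",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "service_type": "user mode service"},
]


def driver_basename(image_path):
    """Lower-cased file name from a service ImagePath (handles \\??\\ and quoted paths)."""
    return ntpath.basename(image_path.strip('"')).lower()


def hunt(events):
    """Return {host: finding} for hosts with suspect driver installs or Defender tampering."""
    drivers_seen = defaultdict(set)
    tamper = defaultdict(list)
    for ev in events:
        host = ev["host"]
        if ev.get("event_id") == 7045:
            name = driver_basename(ev.get("image_path", ""))
            if name in SUSPECT_DRIVERS:
                drivers_seen[host].add(name)
        elif ev.get("event_id") == 13:
            value = ev.get("target_object", "").rsplit("\\", 1)[-1].lower()
            if value in DEFENDER_TAMPER_VALUES:
                tamper[host].append(ev.get("image", "?"))
    findings = {}
    for host in set(drivers_seen) | set(tamper):
        seen = drivers_seen.get(host, set())
        # Both drivers on one host is the campaign's signature; a driver plus a
        # Defender tamper is equally suspicious. Anything less is a lead to triage.
        high = seen == SUSPECT_DRIVERS or bool(seen and tamper.get(host))
        findings[host] = {
            "drivers": sorted(seen),
            "defender_tamper_by": tamper.get(host, []),
            "severity": "high" if high else "medium",
        }
    return findings


if __name__ == "__main__":
    for host, finding in sorted(hunt(EVENTS).items()):
        print(host, finding)
```

Matching on basename is deliberate: the drivers were dropped under varying paths, and a service ImagePath may carry a `\??\` prefix or quoting. Pair the hit with the file hash and signer before deciding whether a lone rwdrv.sys is a ThrottleStop user or the first half of this pattern.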
Installer Vetting and Execution Monitoring
- Monitor endpoints for .msi installations launched from user-writable locations such as Downloads or Temp, and compare installers against vendor-published hashes where available.
- Watch for process chains in which consent.exe (or another signed Windows binary) loads a DLL from outside the Windows system directories, the footprint of DLL side-loading.
- Flag and analyze unusual persistence methods, such as RustDesk or SSH tunnels.
Credential and Privilege Monitoring
- Alert on creation of domain accounts with naming conventions like backup_*.
- Look for signs of LSASS memory access, token theft, or use of admin-level reconnaissance tools.
Exfiltration and Lateral Movement Detection
- Track the use of tools like FileZilla, WBAdmin, and the SoftPerfect network scanner, matching on PE metadata (OriginalFileName, file hash) rather than the on-disk name, since the scanner was run as a renamed binary.
- Inspect outbound connections over unusual ports or to known VPS IP ranges.
Conclusion
The Akira ransomware group continues to demonstrate its adaptability, operational discipline, and preference for abusing trusted tools and infrastructure. Whether by subverting enterprise VPNs or poisoning search results, Akira affiliates strike quickly and quietly, often before defenders can react.
Cybersecurity professionals must approach detection and response with a blend of traditional and behavior-based techniques. By combining real-time monitoring, proactive threat hunting, and continuous review of access points, defenders can reduce the window of opportunity that actors like Akira so efficiently exploit.