Between July and August 2025, security teams observed a resurgence of Akira ransomware intrusions that gained entry through SonicWall SSL VPN appliances: renewed exploitation of a vulnerability first disclosed more than a year earlier, CVE-2024-40766.
According to Darktrace’s Threat Research Team, the attacks represent a coordinated campaign exploiting unpatched or misconfigured SonicWall devices to gain initial access, followed by lateral movement, credential harvesting, and data exfiltration.
The campaign's success stems from organizations that never patched their SonicWall devices or left them in a vulnerable configuration. CVE-2024-40766 is an improper access control flaw in SonicOS affecting Gen 5, Gen 6 and Gen 7 SonicWall devices; on Gen 7 the affected builds are SonicOS 7.0.1-5035 and earlier, and Gen 5 and Gen 6 have their own affected version ranges listed in SonicWall's advisory.
Although a fix was released in August 2024, Darktrace notes that Akira affiliates continue to exploit both unpatched devices and credentials reused from earlier breaches. Patching alone does not close that second path, which is why SonicWall's guidance paired the update with resetting passwords for locally managed SSL VPN accounts and enabling multi-factor authentication.
“Almost a year later, the same vulnerability is being actively targeted again by the Akira ransomware group… even if SonicWall devices were patched, threat actors could still target them by reusing previously stolen credentials and exploiting other misconfigurations.”
First observed in March 2023, Akira ransomware has rapidly evolved into one of the most aggressive Ransomware-as-a-Service (RaaS) operations, known for double extortion tactics that combine encryption with data theft.
The group’s Linux variant specifically targets VMware ESXi hypervisors — allowing them to encrypt entire virtualized environments in one move.
“The ransomware initially targeted Windows systems, but a Linux variant was later observed targeting VMware ESXi virtual machines… encrypting the ESXi file system enables rapid and widespread encryption with minimal lateral movement or credential theft.”
The group’s global reach continues to expand across manufacturing, education, and healthcare sectors, impacting victims in North America, Latin America, Europe, and the Asia-Pacific region.
On August 20, 2025, Darktrace's Managed Detection and Response (MDR) team intercepted an intrusion in progress on a U.S.-based customer's network. The initial point of compromise was the customer's SonicWall VPN appliance, and the activity matched the broader Akira ransomware campaign.
Darktrace’s AI-driven analytics observed multiple stages of compromise, including:
- Network reconnaissance using Advanced IP Scanner and SoftPerfect tools
- Lateral movement via WinRM and RDP to domain controllers and ESXi hosts
- Credential theft through a Kerberos-based “UnPAC the Hash” technique
- Data exfiltration to known Akira-associated SSH endpoints
The attackers used an uncommon Kerberos abuse technique known as “UnPAC the Hash”. The client authenticates to the KDC with an X.509 certificate issued for the account (PKINIT pre-authentication) instead of a password and receives a TGT. It then requests a user-to-user service ticket for itself; the Privilege Attribute Certificate in that ticket carries a PAC_CREDENTIAL_INFO buffer holding the account's NTLM hash, encrypted with a session key the client already has. The net effect is that possession of a certificate yields the NTLM hash, which can then be replayed with pass-the-hash against services that still accept NTLM.
“Darktrace’s researchers believe the activity demonstrates a credential access technique known as ‘UnPAC the hash’… allowing the client to use an X.509 certificate to obtain a Ticket Granting Ticket (TGT) instead of a password.”

Darktrace detected 15 distinct administrative credentials being accessed during the intrusion — highlighting the actor’s intent to escalate privileges and move laterally.
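The first step of the technique described above, certificate-based (PKINIT) pre-authentication, is visible on the domain controller as a Kerberos TGT request (event 4768) whose pre-authentication type is 16 rather than the usual 2 (encrypted timestamp). The following is an added example, not code from the article or from Darktrace: it parses a handful of constructed 4768 records in a simplified key=value layout and groups PKINIT TGTs by requesting host, so that one host pulling certificate-based TGTs for several different accounts, the pattern behind the 15 administrative credentials mentioned above, stands out. The field names follow the 4768 event schema; the account names, addresses and certificate values are invented.

```python
"""
Added example (not from the Darktrace report or this article): flag Kerberos
TGT requests that used certificate-based (PKINIT) pre-authentication, the
first step of "UnPAC the hash", and group them by requesting host.
"""
import re
from collections import defaultdict

# Pre-authentication type carried in event 4768 for PKINIT (PA-PK-AS-REQ,
# RFC 4556). Password-based requests normally show type 2 (PA-ENC-TIMESTAMP).
PKINIT_PREAUTH_TYPE = "16"

# Constructed sample: one 4768 record per line, EventData field names from
# the 4768 schema. Accounts, IPs and certificate values are invented.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=jsmith TargetDomainName=CORP IpAddress=::ffff:10.0.5.21 PreAuthType=2 CertIssuerName=- CertSerialNumber=- CertThumbprint=-
EventID=4768 TargetUserName=svc-backup TargetDomainName=CORP IpAddress=::ffff:10.0.9.77 PreAuthType=16 CertIssuerName=CORP-CA CertSerialNumber=1A2B CertThumbprint=AB12
EventID=4768 TargetUserName=da-ops TargetDomainName=CORP IpAddress=::ffff:10.0.9.77 PreAuthType=16 CertIssuerName=CORP-CA CertSerialNumber=1A2C CertThumbprint=AB13
EventID=4768 TargetUserName=da-ops TargetDomainName=CORP IpAddress=::ffff:10.0.9.77 PreAuthType=2 CertIssuerName=- CertSerialNumber=- CertThumbprint=-
EventID=4768 TargetUserName=helpdesk1 TargetDomainName=CORP IpAddress=::ffff:10.0.9.77 PreAuthType=16 CertIssuerName=CORP-CA CertSerialNumber=1A2D CertThumbprint=AB14
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def pkinit_tgt_requests(log_text):
    """Return the 4768 events whose pre-authentication type is PKINIT."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return [
        e for e in events
        if e.get("EventID") == "4768" and e.get("PreAuthType") == PKINIT_PREAUTH_TYPE
    ]


def pkinit_sources(log_text, min_accounts=2):
    """Group PKINIT TGT requests by source address and keep the hosts that
    obtained certificate-based TGTs for at least `min_accounts` distinct
    accounts. A single host doing this for many accounts is the signal; a
    smart-card user logging on produces one account per host."""
    by_ip = defaultdict(set)
    for e in pkinit_tgt_requests(log_text):
        by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {
        ip: sorted(users)
        for ip, users in by_ip.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for ip, users in pkinit_sources(SAMPLE_4768).items():
        print(f"{ip} requested PKINIT TGTs for: {', '.join(users)}")
```

Legitimate smart card logons also produce pre-authentication type 16, so baseline which accounts are enrolled for certificate logon before alerting on this alone; the hash extraction step itself leaves a separate trace, a service ticket request (event 4769) whose service name is a user account rather than an SPN, and the two together are far more specific than either one.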
As the attack progressed, Darktrace identified outbound connections from compromised systems to the temp[.]sh domain, a temporary file-hosting service commonly abused for payload delivery. Subsequent traffic included the download of a suspicious executable named “vmwaretools” (a name chosen to resemble the legitimate VMware Tools package) from the IP address 137.184.243[.]69 with a Wget user agent, activity consistent with tool staging and command-and-control (C2) setup.
Soon after, both the SonicWall device and domain controller began exfiltrating approximately 2 GB of data via SSH to 66.165.243[.]39, a known Akira ransomware indicator of compromise (IoC).
Darktrace's SOC later identified at least three additional incidents at U.S. organizations that shared overlapping TTPs. All involved SonicWall VPN exploitation and SSH data exfiltration to destinations in the same autonomous system (AS29802, HVC-AS) as the original case.
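The indicators described in the preceding paragraphs (the temp.sh domain, the download host, the Wget user agent on an HTTP fetch, and large SSH transfers to the exfiltration address) are the kind of thing a SOC turns into a retrospective sweep of proxy and flow logs. The following is an added example, not code from the article or from Darktrace: it matches those indicators against constructed log lines in a simplified space-separated layout and totals outbound SSH bytes per internal host to the flagged destination, so the roughly 2 GB transfer described above would surface as a per-host number. The log format and every address other than the two IoCs quoted in the article are invented; the destination shown for temp.sh is a TEST-NET placeholder, not the service's real address.

```python
"""
Added example (not from the article or Darktrace): sweep constructed
proxy/flow log lines for the network indicators described above and total
SSH egress to the exfiltration address per internal host.
"""
from collections import defaultdict

# Indicators quoted in the article.
IOC_DOMAINS = {"temp.sh"}
IOC_IPS = {"137.184.243.69", "66.165.243.39"}
IOC_USER_AGENT_PREFIX = "Wget/"

# Constructed sample lines: "src dst port proto bytes_out host=<h> ua=<ua>"
# (or "- -" when no HTTP metadata). 203.0.113.5 is a TEST-NET placeholder
# standing in for wherever temp.sh resolved; internal addresses are invented.
SAMPLE_LOGS = """\
10.0.2.15 142.250.80.46 443 https 1200 host=www.google.com ua=Mozilla/5.0
10.0.2.15 203.0.113.5 443 https 4096 host=temp.sh ua=Wget/1.21.3
10.0.2.15 137.184.243.69 80 http 2310000 host=137.184.243.69 ua=Wget/1.21.3
10.0.2.15 66.165.243.39 22 ssh 1500000000 - -
10.0.3.10 66.165.243.39 22 ssh 700000000 - -
10.0.3.10 10.0.3.11 445 smb 88000 - -
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    parts = line.split()
    rec = {
        "src": parts[0],
        "dst": parts[1],
        "port": int(parts[2]),
        "proto": parts[3],
        "bytes_out": int(parts[4]),
        "host": None,
        "ua": None,
    }
    for kv in parts[5:]:
        if kv.startswith("host="):
            rec["host"] = kv[len("host="):]
        elif kv.startswith("ua="):
            rec["ua"] = kv[len("ua="):]
    return rec


def records(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def match_iocs(log_text):
    """Return (src, dst, reasons) for every line that touches an indicator.
    A Wget user agent on its own is only weak evidence (admins use it too),
    so it is reported as a reason alongside the others, not as a hit by itself."""
    hits = []
    for rec in records(log_text):
        reasons = []
        if rec["host"] in IOC_DOMAINS:
            reasons.append("ioc-domain")
        if rec["dst"] in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons and rec["ua"] and rec["ua"].startswith(IOC_USER_AGENT_PREFIX):
            reasons.append("wget-download")
        if reasons:
            hits.append((rec["src"], rec["dst"], reasons))
    return hits


def ssh_egress_to_iocs(log_text, threshold_bytes=500_000_000):
    """Total SSH bytes sent by each internal host to indicator addresses and
    keep those above the threshold. Threshold is an assumed tuning value."""
    totals = defaultdict(int)
    for rec in records(log_text):
        if rec["proto"] == "ssh" and rec["dst"] in IOC_IPS:
            totals[rec["src"]] += rec["bytes_out"]
    return {src: b for src, b in totals.items() if b >= threshold_bytes}


if __name__ == "__main__":
    for src, dst, reasons in match_iocs(SAMPLE_LOGS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
    for src, b in ssh_egress_to_iocs(SAMPLE_LOGS).items():
        print(f"{src} sent {b / 1e9:.2f} GB over SSH to an IoC address")
```

Pivoting from the two addresses to the whole AS29802 range, as the article's later cases required, needs a prefix lookup against current routing data; that is deliberately left out here because the prefixes change and the article does not list them.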