Between July and August 2025, security teams worldwide observed a resurgence of Akira ransomware incidents in which organizations were compromised through SonicWall SSL VPN appliances, renewed exploitation of a vulnerability first disclosed more than a year earlier: CVE-2024-40766.
According to Darktrace's Threat Research Team, the attacks represent a coordinated campaign that exploits unpatched or misconfigured SonicWall devices for initial access, followed by lateral movement, credential harvesting, and data exfiltration.
The campaign's success stems from organizations that failed to patch their SonicWall devices or left them in a vulnerable configuration. CVE-2024-40766, classified as an improper access control flaw in SonicOS management access and the SSL VPN, affects SonicOS 7.0.1-5035 and earlier across Gen 5, Gen 6, and Gen 7 SonicWall firewalls.
Although the vulnerability was patched in August 2024, Darktrace notes that Akira affiliates continue to exploit both unpatched devices and credentials reused from earlier breaches. Patching alone is therefore not sufficient: SonicWall's own advisory paired the update with resetting the passwords of locally managed SSL VPN accounts and enabling multi-factor authentication, and any credential that existed on an exposed device before it was patched should be treated as potentially compromised.
“Almost a year later, the same vulnerability is being actively targeted again by the Akira ransomware group… even if SonicWall devices were patched, threat actors could still target them by reusing previously stolen credentials and exploiting other misconfigurations.”
First observed in March 2023, Akira ransomware has rapidly evolved into one of the most aggressive Ransomware-as-a-Service (RaaS) operations, known for double extortion tactics that combine encryption with data theft.
The group's Linux variant specifically targets VMware ESXi hypervisors, allowing it to encrypt an entire virtualized environment in one move.
“The ransomware initially targeted Windows systems, but a Linux variant was later observed targeting VMware ESXi virtual machines… encrypting the ESXi file system enables rapid and widespread encryption with minimal lateral movement or credential theft.”
The groupβs global reach continues to expand across manufacturing, education, and healthcare sectors, impacting victims in North America, Latin America, Europe, and the Asia-Pacific region.
On August 20, 2025, Darktrace's Managed Detection and Response (MDR) team intercepted an ongoing intrusion within a U.S.-based customer's network. The initially compromised system was a SonicWall VPN appliance, and the activity matched the broader Akira ransomware campaign.
Darktrace's AI-driven analytics observed multiple stages of compromise, including:
- Network reconnaissance using Advanced IP Scanner and SoftPerfect tools
- Lateral movement via WinRM and RDP to domain controllers and ESXi hosts
- Credential theft through a Kerberos-based “UnPAC the hash” technique
- Data exfiltration to known Akira-associated SSH endpoints
The attackers used a relatively uncommon Kerberos abuse technique known as “UnPAC the hash”. With PKINIT pre-authentication, a client holding an X.509 certificate for an Active Directory account obtains a Ticket Granting Ticket (TGT) without that account's password. Because the TGT's PAC then carries the account's NTLM hash (for NTLM fallback), the attacker can recover that hash by requesting a user-to-user (U2U) service ticket to itself and reading the PAC's credential information, turning a certificate into a reusable NT hash.
“Darktrace's researchers believe the activity demonstrates a credential access technique known as ‘UnPAC the hash’… allowing the client to use an X.509 certificate to obtain a Ticket Granting Ticket (TGT) instead of a password.”

Darktrace detected 15 distinct administrative credentials being accessed during the intrusion, highlighting the actor's intent to escalate privileges and move laterally.
As the attack progressed, Darktrace identified outbound connections from compromised systems to the temp[.]sh domain, a temporary file-hosting service commonly abused for payload delivery. Subsequent traffic involved the download of a suspicious executable named “vmwaretools” (a name that mimics the legitimate VMware Tools package) from 137.184.243[.]69 using a Wget user agent, activity consistent with command-and-control (C2) behavior.
Soon after, both the SonicWall device and a domain controller exfiltrated approximately 2 GB of data over SSH to 66.165.243[.]39, a known Akira ransomware indicator of compromise (IoC).
Darktrace's SOC later identified at least three further incidents at U.S. organizations that shared overlapping TTPs. All involved SonicWall VPN exploitation and SSH data exfiltration to addresses in the same ASN (AS29802, HVC-AS), the network infrastructure seen in the original case.
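The stages in the list above and the indicators in the paragraphs that follow it translate directly into hunting logic. The block below is an added example written for this page, not Darktrace's or SonicWall's code: it runs the checks over constructed sample flow records and constructed Kerberos TGT records modelled on Windows event 4768 (the record formats, thresholds, internal hosts, account names and the documentation-space addresses are assumptions), using only the indicators the article names. Note that a PKINIT-issued TGT is routine in smart-card environments, so the certificate rule is only meaningful for accounts that never authenticate that way.

```python
"""Hunt for the Akira/SonicWall TTPs described above in simplified log records.

Added example for this page, not Darktrace's or SonicWall's code. Record
formats, thresholds, internal hosts and account names are assumptions made
for the demo; the IoCs (temp.sh, 137.184.243.69, 66.165.243.39, a Wget
user agent) are the ones the article names.
"""
import ipaddress
from collections import defaultdict

IOC_IPS = {"137.184.243.69", "66.165.243.39"}  # from the article
IOC_DOMAINS = {"temp.sh"}                       # from the article
ADMIN_THRESHOLD = 5            # assumed: distinct admin accounts from one host before alerting
EXFIL_BYTES = 500 * 1024 ** 2  # assumed: 500 MB over SSH to a single external peer

# RFC 1918 ranges; everything else is treated as external in this demo.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: (src, dst, dst_port, bytes_out, http_host, user_agent).
# 10.0.0.5 plays the compromised SonicWall appliance, 10.0.0.20 a domain
# controller, 10.0.0.50 an ordinary workstation; 203.0.113.0/24 is documentation space.
FLOWS = [
    ("10.0.0.5",  "203.0.113.10",   443, 1_200,         "temp.sh",         "Wget/1.21.4"),
    ("10.0.0.5",  "137.184.243.69",  80, 2_300_000,     "",                "Wget/1.21.4"),
    ("10.0.0.5",  "66.165.243.39",   22, 1_900_000_000, "",                ""),
    ("10.0.0.20", "66.165.243.39",   22, 250_000_000,   "",                ""),
    ("10.0.0.50", "203.0.113.50",   443, 30_000,        "www.example.com", "Mozilla/5.0"),
]

# Constructed TGT records modelled on event 4768: (client_ip, account, cert_thumbprint).
# A non-empty thumbprint means the TGT was issued via PKINIT (certificate), not a password.
TGT_EVENTS = [
    ("10.0.0.5",  "adm_backup",   "5a3f0c1e"),
    ("10.0.0.5",  "adm_vmware",   "5a3f0c1e"),
    ("10.0.0.5",  "adm_sql",      "5a3f0c1e"),
    ("10.0.0.5",  "adm_helpdesk", "5a3f0c1e"),
    ("10.0.0.5",  "adm_dc",       "5a3f0c1e"),
    ("10.0.0.20", "adm_backup",   ""),  # password logon by one admin: normal
    ("10.0.0.50", "jsmith",       ""),  # ordinary user
]
ADMIN_ACCOUNTS = {"adm_backup", "adm_vmware", "adm_sql", "adm_helpdesk", "adm_dc"}


def flag_flows(flows):
    """Return (rule, src, detail) alerts for the article's network-side behaviours."""
    alerts = []
    ssh_out = defaultdict(int)  # (src, dst) -> bytes sent over SSH to an external peer
    for src, dst, dport, nbytes, host, ua in flows:
        if host in IOC_DOMAINS:
            alerts.append(("temp_sh_download", src, dst))
        if dst in IOC_IPS:
            alerts.append(("known_akira_ip", src, dst))
        if ua.startswith("Wget/") and not is_internal(dst):
            alerts.append(("wget_external_fetch", src, dst))  # matches the vmwaretools download
        if dport == 22 and not is_internal(dst):
            ssh_out[(src, dst)] += nbytes
    for (src, dst), total in ssh_out.items():
        if total >= EXFIL_BYTES:
            alerts.append(("ssh_exfil_volume", src, dst))
    return alerts


def flag_pkinit(events, admin_accounts):
    """Flag certificate-based TGTs for admin accounts and hosts that touch many admins."""
    alerts = []
    admins_per_host = defaultdict(set)
    for src, account, thumbprint in events:
        if account not in admin_accounts:
            continue
        admins_per_host[src].add(account)
        if thumbprint:  # PKINIT instead of a password: the precondition for UnPAC the hash
            alerts.append(("pkinit_tgt_admin", src, account))
    for src, accounts in admins_per_host.items():
        if len(accounts) >= ADMIN_THRESHOLD:  # one host cycling through many admin identities
            alerts.append(("admin_account_fanout", src, f"{len(accounts)} accounts"))
    return alerts


def run():
    return flag_flows(FLOWS) + flag_pkinit(TGT_EVENTS, ADMIN_ACCOUNTS)


if __name__ == "__main__":
    for rule, src, detail in run():
        print(f"{rule:22} {src:12} {detail}")
```

To use it against real data, replace FLOWS with firewall or proxy records and TGT_EVENTS with 4768 events (the Certificate Thumbprint field is populated only for PKINIT logons), and tune the two thresholds to the environment; the fan-out rule is what would have caught the 15 administrative accounts described above even without any known IoC.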