Akira Ransomware Via SonicWall And Search-Poisoned Downloads

In mid‑2025, cybersecurity teams observed two sophisticated campaigns delivering Akira ransomware through distinctly different techniques. One involved misused Windows drivers following SonicWall VPN compromises; the other leveraged poisoned search results, leading to malware-laden IT tools being dropped onto targeted machines. Both campaigns highlighted the rapid and devastating capabilities of Akira intrusions on organizations worldwide.

Akira Ransomware Through SonicWall And Search-Poisoned Downloads

In the first campaign, GuidePoint Security uncovered an alarming attack vector: in several incidents, attackers breached organizations via SonicWall SSL VPNs, even fully patched ones, and bypassed multifactor authentication entirely. Researchers suspect a zero-day vulnerability in the VPN appliance, though the use of stolen credentials remains an alternative possibility.

Once inside, attackers deployed two legitimate-sounding Windows drivers with a twist:

  • rwdrv.sys: originally part of the CPU-tuning utility ThrottleStop. Attackers registered it as a Windows service to gain kernel-level access.
  • hlpdrv.sys: this driver tampered with Windows Defender by editing the registry through regedit.exe to disable anti-spyware protection, allowing the malware to bypass Defender.

GuidePoint saw these drivers repeatedly in Akira-related incidents and released a YARA rule to help defenders detect their use and hunt for potential compromise.

The second Akira delivery method involved attackers rigging search results to lure users into downloading modified software. The software then did what malicious software always does: it silently installed malware. Researchers noted that in July 2025, a user searching for "ManageEngine OpManager" on Bing landed on a fake installer hosted on a malicious domain, opmanager[.]pro, disguised as the real tool.

This discovery by The DFIR Report showed that the trojanized installer set up the legitimate OpManager software while also loading the Bumblebee malware, delivered as a malicious msimg32.dll through consent.exe, which gave the attackers initial access. Within five hours, the attackers deployed AdaptixC2, creating a second command-and-control channel to orchestrate internal reconnaissance and credential harvesting.

After probing the environment with built-in Windows tools such as systeminfo, nltest, whoami, and net group "domain admins", the threat actors created privileged accounts named backup_DA or backup_EA, escalated privileges, and dumped sensitive data from a domain controller using WBAdmin.

They installed RustDesk for persistence, established an SSH reverse tunnel, scanned the network with a renamed SoftPerfect tool, and attempted credential theft from a Veeam backup server. All of this happened before the ransomware payload was deployed and encryption began.

The threat actors then used FileZilla to exfiltrate data over SSH File Transfer Protocol (SFTP) through the previously set up SSH reverse tunnel, and dumped credentials from memory via rundll32.exe. Their assault culminated in deploying the Akira ransomware using locker.exe, encrypting data across the root domain. The attackers then paused for two days before targeting a child domain with additional reconnaissance and another wave of encryption.

The overall timeline, from initial infection to first ransomware deployment, took just 44 hours, or under nine hours in the case observed by Swisscom B2B CSIRT. Moreover, The DFIR Report noted that the campaign was not isolated: other organizations saw similar SEO-poisoning attacks using lures such as Axis Camera software and Angry IP Scanner, soon followed by Bumblebee and Akira ransomware.

Akira's Rapid Adoption of New Tactics

These two differing attack methodologies showcase the evolving tactics of ransomware groups like Akira. The lessons learnt from these attacks give defenders specific points to add to their Akira threat intelligence:

  • Abuse of trusted components, whether signed system drivers or legitimate-looking admin tools, is instrumental in evading detection.
  • Initial access to encryption in record time: attackers escalate, move laterally, and lock systems in under 48 hours.
  • Layered defenses do not always stop threat actors: patched systems, MFA, endpoint protection, and VPNs can all be bypassed with creative attack methods. These measures are not redundant, however, and organizations should still adopt them.

Both GuidePoint and the DFIR Report have provided several recommended mitigation measures. To guard against these threats, organizations should consider the following steps:

Harden VPNs:

  • Disable SonicWall SSL VPNs when feasible.
  • Restrict access to known, trusted IPs.
  • Enable Botnet Protection and Geo‑IP filtering.
  • Use strong, preferably hardware-based MFA.
  • Clean up unused and inactive user accounts.

Deploy driver detection:

  • Use GuidePoint's YARA rule to scan for rwdrv.sys and hlpdrv.sys.
  • Investigate any occurrence of these drivers, especially together.

Hunt for poisoned installer activity:

  • Monitor for .msi installers run from user directories that spawn suspicious processes such as consent.exe or load msimg32.dll.
  • Track quick sequences of reconnaissance, credential dumps, persistence mechanisms, and remote tunnels.

Tune logging and detection:

  • Watch for domain account creation, especially accounts with prefixes such as backup_*, followed by rapid high-privilege access.
  • Alert on SSH reverse tunnels or RustDesk installations.
  • Monitor LSASS dumps, exfiltration tools (like FileZilla), and unusual remote access behavior.
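As an added illustration of the hunting and logging guidance above (this is example code, not a rule from GuidePoint or The DFIR Report), the script below runs a few constructed, Sysmon-style records through checks for the behaviours described: consent.exe spawned by an installer, msimg32.dll loaded from outside System32, a service registered for rwdrv.sys or hlpdrv.sys, and a backup_* account created and then added to a privileged group within an hour. The event schema, field names and one-hour window are assumptions.

```python
import os
from datetime import datetime, timedelta

SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
PRIV_GROUPS = {"domain admins", "enterprise admins"}
SYSTEM_DIR = r"c:\windows\system32"

# Constructed sample events (not real telemetry); the schema is an assumption
# loosely modelled on Sysmon process/image-load events and Security log 4720/4728.
EVENTS = [
    {"ts": "2025-07-15T09:00:00", "type": "process", "image": r"C:\Windows\System32\consent.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"ts": "2025-07-15T09:00:02", "type": "image_load", "image": r"C:\Windows\System32\consent.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\msimg32.dll"},
    {"ts": "2025-07-15T11:30:00", "type": "service_install", "name": "rwdrv",
     "path": r"C:\Windows\Temp\rwdrv.sys"},
    {"ts": "2025-07-15T12:00:00", "type": "account_created", "user": "backup_DA"},
    {"ts": "2025-07-15T12:04:00", "type": "group_added", "user": "backup_DA", "group": "Domain Admins"},
    {"ts": "2025-07-15T12:10:00", "type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\msimg32.dll"},  # benign: the genuine DLL from System32
]

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()

def hunt(events, window=timedelta(hours=1)):
    """Return human-readable findings for the Akira-style behaviours in `events`."""
    findings, created = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, kind = datetime.fromisoformat(e["ts"]), e["type"]
        if kind == "process" and base(e["image"]) == "consent.exe" and base(e["parent"]) == "msiexec.exe":
            findings.append("consent.exe spawned by installer")
        elif (kind == "image_load" and base(e["loaded"]) == "msimg32.dll"
              and not e["loaded"].lower().startswith(SYSTEM_DIR)):
            findings.append("msimg32.dll sideloaded from " + e["loaded"])
        elif kind == "service_install" and base(e["path"]) in SUSPECT_DRIVERS:
            findings.append("suspect driver service: " + base(e["path"]))
        elif kind == "account_created" and e["user"].lower().startswith("backup_"):
            created[e["user"].lower()] = ts  # remember when the account appeared
        elif kind == "group_added" and e["group"].lower() in PRIV_GROUPS:
            t0 = created.get(e["user"].lower())
            if t0 is not None and ts - t0 <= window:
                findings.append(f"{e['user']} created then added to {e['group']} within {ts - t0}")
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print("ALERT:", f)
```

The genuine msimg32.dll load from System32 at the end of the sample is deliberately left unflagged to show the path check doing its job.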

Both campaigns illustrate how attackers like the Akira group innovate. Whether exploiting trusted VPN infrastructure or deceiving users into downloading poisoned software, they infiltrate environments, escalate privileges, exfiltrate data, and deploy ransomware with remarkable speed.

By combining vigilance, proactive scanning (using tools like YARA and Sigma), strict access controls, and behavioral detection, defenders can better detect and interrupt these stealthy intrusions before they cause irreversible damage.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
