Remote-access tools are the most common initial entry point for ransomware attacks.

Last year, organizations running self-managed VPNs from Cisco and Citrix were found to be 11 times more likely to be hit by ransomware, according to research by At-Bay.

Remote Access Tools Emerged as the Main Entry Point for the Majority of Ransomware Attacks

According to cybersecurity insurance firm At-Bay, SonicWall SSL VPN devices are the VPNs most targeted by ransomware attackers in 2025, above all by the Akira ransomware group.

The surge in attacks began around mid-2025. The activity involves either a likely zero-day vulnerability or credential-based attacks such as brute force, dictionary attacks, or credential stuffing. Fully patched and up-to-date SonicWall devices, some with multi-factor authentication enabled, have also been compromised, which indicates that the attackers are not relying on known, already-patched flaws alone.

The heightened exposure comes from the self-managed nature of these VPNs. Their security configuration and patching cycle are controlled by the organization that runs them, so an unpatched vulnerability or a weak credential policy is an opening attackers can exploit directly. Self-managed VPNs also tend to lack the layered protections and rapid automatic updates typical of cloud-managed VPN services.

Because these VPNs sit directly on the internet, threat actors can run credential stuffing or brute-force attacks against them using leaked or weak credentials with little effort. Once in, attackers use the VPN foothold to move quickly through the network, going from initial VPN compromise to ransomware deployment in a very short time.

In contrast, cloud-managed VPNs often benefit from centralized, automated, and regularly tested security controls that reduce the window of exposure to newly discovered vulnerabilities.

The consequences are significant: business continuity and data confidentiality both suffer, with sensitive HR and business data especially affected. Organizations running SonicWall SSL VPN or similar self-managed VPN products are advised to disable the VPN service temporarily, or at least to step up monitoring for suspicious login attempts originating from VPS-hosted environments, while awaiting patches. Because fully patched devices with MFA enabled have also been compromised, patching alone cannot be treated as sufficient.
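As an added example, not part of At-Bay's research or of this article, the following Python script shows the kind of monitoring the advice above calls for, covering both the credential-stuffing and brute-force activity described earlier and the "suspicious logins from VPS-hosted environments" check: it reads SSL VPN authentication log lines, separates brute-force/dictionary bursts (many guesses against one account) from credential stuffing (one or two guesses each across many accounts), raises a high-priority finding when a burst of failures is followed by a successful login, and flags successful logins that originate from hosting/VPS address ranges. The log line format, the field names and the hosting ranges are assumptions (SonicWall's native log format is different, and a real deployment would use an ASN or hosting-provider feed instead of a hard-coded list); the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, generic syslog-style auth line. This is NOT SonicWall's native log
# format; map the real fields (outcome, user, source IP) onto it.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn: (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed stand-in for a VPS/hosting-provider range list (documentation
# prefixes). In production this comes from an ASN or hosting feed.
HOSTING_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def parse_line(line):
    """Return an event dict for a matching line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_hosting(src):
    """True if the source address falls inside a known hosting/VPS range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in HOSTING_NETS)


def analyze(lines, window=timedelta(minutes=10), fail_threshold=5, user_threshold=3):
    """Flag password-guessing bursts, guess-then-succeed sequences and
    successful logins from hosting ranges. One finding per (source, type)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)  # src -> deque of (ts, user) inside window
    seen = set()
    findings = []

    def add(kind, src, ts, **extra):
        if (src, kind) not in seen:
            seen.add((src, kind))
            findings.append({"type": kind, "src": src, "ts": ts.isoformat(), **extra})

    for ev in events:
        src, ts = ev["src"], ev["ts"]
        fails = recent_fails[src]
        while fails and ts - fails[0][0] > window:   # drop failures outside window
            fails.popleft()
        if ev["result"] == "LOGIN_FAIL":
            fails.append((ts, ev["user"]))
            if len(fails) >= fail_threshold:
                users = {u for _, u in fails}
                # Many distinct users, few tries each = credential stuffing;
                # many tries against one or two accounts = brute force / dictionary.
                kind = "credential_stuffing" if len(users) >= user_threshold else "brute_force"
                add(kind, src, ts, failures=len(fails), users=sorted(users))
        else:  # LOGIN_OK
            if len(fails) >= fail_threshold:
                # A success right after a guessing burst is the high-fidelity signal.
                add("success_after_failures", src, ts, user=ev["user"], failures=len(fails))
            if is_hosting(src):
                add("login_from_hosting_range", src, ts, user=ev["user"])
    return findings


# Constructed sample input.
SAMPLE_LOGS = [
    # five guesses against one account from a hosting range, then a success
    "2025-07-15T02:00:00 sslvpn: LOGIN_FAIL user=jsmith src=198.51.100.7",
    "2025-07-15T02:00:05 sslvpn: LOGIN_FAIL user=jsmith src=198.51.100.7",
    "2025-07-15T02:00:09 sslvpn: LOGIN_FAIL user=jsmith src=198.51.100.7",
    "2025-07-15T02:00:14 sslvpn: LOGIN_FAIL user=jsmith src=198.51.100.7",
    "2025-07-15T02:00:20 sslvpn: LOGIN_FAIL user=jsmith src=198.51.100.7",
    "2025-07-15T02:00:31 sslvpn: LOGIN_OK user=jsmith src=198.51.100.7",
    # one try per account across many accounts (a leaked credential list)
    "2025-07-15T02:10:00 sslvpn: LOGIN_FAIL user=alice src=203.0.113.50",
    "2025-07-15T02:10:01 sslvpn: LOGIN_FAIL user=bob src=203.0.113.50",
    "2025-07-15T02:10:02 sslvpn: LOGIN_FAIL user=carol src=203.0.113.50",
    "2025-07-15T02:10:03 sslvpn: LOGIN_FAIL user=dave src=203.0.113.50",
    "2025-07-15T02:10:04 sslvpn: LOGIN_FAIL user=erin src=203.0.113.50",
    # a normal user mistypes once from a non-hosting address: no finding
    "2025-07-15T08:30:00 sslvpn: LOGIN_FAIL user=frank src=192.0.2.10",
    "2025-07-15T08:30:12 sslvpn: LOGIN_OK user=frank src=192.0.2.10",
    "unrelated line that does not match the pattern",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

The thresholds are deliberately parameters: a VPN with a few hundred users will tolerate a tighter window than one serving tens of thousands, and the `success_after_failures` finding is the one to page on, since it is exactly the guess-then-foothold sequence that precedes the fast move from VPN access to ransomware deployment described above.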

Targeting of self-managed VPNs is not new. In 2023, attackers primarily went after self-managed VPNs, and organizations using self-managed VPNs from Cisco were 11 times more likely to fall victim to a direct attack. Remote-access tools accounted for 60% of ransomware attacks that year.

Rotem Iram, At-Bay founder and CEO, likens these attacks to an enemy going after the weak points in a city's defenses. He emphasizes that security is infinitely complex, but most of the attacks are predictable. Iram believes that the goal should be to bring the risk of technology adoption back to a level where an organization doesn't need to think twice about it.

Other notable ransomware victims linked to vulnerability exploitation include Boeing and Comcast, both hit through the Citrix NetScaler flaw dubbed CitrixBleed (CVE-2023-4966). Vulnerabilities in devices sold by Barracuda, Cisco, Citrix, Fortinet, Ivanti, Palo Alto Networks, and others were widely exploited during the last year.

As At-Bay continues to monitor the situation, it is clear that organizations must remain vigilant and proactive in their cybersecurity measures, especially when it comes to self-managed VPNs.
