- ReliaQuest warns that Akira ransomware often spreads via compromised assets inherited during mergers and acquisitions.
- Most infections originate from unpatched SonicWall SSL VPN appliances exploited for lateral movement and encryption.
- SonicWall recently patched CVE-2025-40601, a high-severity buffer overflow vulnerability affecting Gen7 and Gen8 firewalls.
Companies buy and sell other companies all the time, but besides customers, profits, a different market or talented staff, buyers often get something unexpected with their acquisition: a ransomware infection.
Cybersecurity researchers at ReliaQuest recently released a new report on how Akira ransomware infects its victims, noting that in every attack analyzed between June and October 2025, the company was infected via an asset it had previously acquired, whose network hardware had already been compromised.
“In these cases, the acquiring companies were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed,” the blog reveals.
What came first: infection or news of acquisition?
According to the report, Akira most often compromised unpatched SonicWall SSL VPN devices, after news broke in mid-July 2025 of a possible new vulnerability in VPN solutions that Akira used to connect, move laterally, and deploy an encryptor.
In late September, several security organizations warned of infiltrations of SonicWall SSL VPN devices, even though the devices had been patched and users had MFA enabled.
SonicWall also released a patch for a high-severity vulnerability in its SonicOS SSL VPN service and urged all users to update their firewalls immediately.
In a security advisory, SonicWall said it discovered a stack-based buffer overflow vulnerability that allows an unauthenticated, remote attacker to cause a denial of service (DoS) and essentially crash the firewall.
The vulnerability is now tracked as CVE-2025-40601 and has received a severity score of 7.5/10 (high). This impacts Gen8 and Gen7 firewalls, both hardware and virtual. Earlier models, such as Gen6 firewalls or the SMA 1000 and SMA 100 series SSL VPN products, were supposedly immune to this bug.
It is not clear whether Akira’s operators targeted the companies because they were in the process of being acquired, or whether they were simply compromised because they were using vulnerable hardware and were later acquired.
Via The Register