Ransomware hackers target acquired SMEs to gain access to more businesses

  • ReliaQuest warns that Akira ransomware frequently enters companies through compromised assets inherited in mergers and acquisitions
  • Most infections began on unpatched SonicWall SSL VPN devices, which gave the attackers initial access before they moved laterally and deployed encryption.
  • SonicWall recently patched CVE-2025-40601, a high-severity stack-based buffer overflow affecting Gen7 and Gen8 firewalls.

Companies buy and sell other companies all the time, but whatever the buyer is after, customers, revenue, a new market or talented employees, it often finds something it did not bargain for when it takes control: a ransomware infection.

Cybersecurity firm ReliaQuest recently published a report on how the Akira ransomware reaches its victims. It found that every attack it analyzed between June and October 2025 entered the company through a previously acquired asset whose network already contained compromised devices.

“In these cases, the purchasing companies were unaware of the presence of these devices in their new environments, exposing critical vulnerabilities,” the blog reveals.

What came first: the infection or the acquisition?

In most cases, Akira compromised unpatched SonicWall SSL VPN devices, according to the report. Those intrusions followed reports in mid-July 2025 that a possible new vulnerability in SonicWall's SSL VPN products was being exploited to gain initial access, move laterally, and deploy the encryption payload.

In late September, several security vendors warned of intrusions through SonicWall SSL VPN devices even where the devices were fully patched and MFA was enabled.

SonicWall has also released a patch for a serious flaw in its SonicOS SSL VPN service and is urging all customers to update their firewalls immediately.

In its security advisory, SonicWall describes a stack-based buffer overflow that an unauthenticated remote attacker could trigger to crash the firewall, causing a denial of service (DoS).
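To show the bug class the advisory names, here is an added illustration in C. It is not the page's, SonicWall's, or the CVE-2025-40601 code, and it says nothing about where that flaw actually lies: it uses a hypothetical length-prefixed wire field ([len:1][bytes:len]) and a hypothetical fixed-size stack buffer, with the unchecked parser beside a hardened one that bounds the attacker-supplied length before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for a parsed field (assumption, not
 * a real SonicOS value). */
#define FIELD_MAX 64

/* Vulnerable variant: trusts the length byte sent by the remote peer and
 * copies that many bytes into a fixed stack buffer. A declared length of
 * FIELD_MAX or more writes past the buffer; the least an attacker gets is a
 * crash, which is the DoS outcome described above. Shown for contrast; the
 * checks below never call it. */
int parse_field_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    char field[FIELD_MAX];
    if (pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    memcpy(field, pkt + 1, len);   /* no bound on len versus FIELD_MAX */
    field[len] = '\0';             /* out-of-bounds write when len >= FIELD_MAX */
    return (int)len;
}

/* Hardened variant: the declared length must fit the destination buffer
 * (with room for the terminator) and must not exceed the bytes actually
 * received, so a malformed or truncated packet is rejected instead of copied. */
int parse_field_checked(const uint8_t *pkt, size_t pkt_len,
                        char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || pkt_len < 1 || out_len == 0)
        return -1;
    size_t len = pkt[0];
    if (len >= out_len)            /* would overrun the destination */
        return -1;
    if (len > pkt_len - 1)         /* declared length exceeds payload present */
        return -1;
    memcpy(out, pkt + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs (not captured traffic) exercised by the checks. */

/* A well-formed field "hello": returns 5 and out holds "hello". */
int check_good_field(char *out, size_t out_len)
{
    static const uint8_t good[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    return parse_field_checked(good, sizeof good, out, out_len);
}

/* A packet whose length byte (200) exceeds FIELD_MAX: must be rejected. */
int check_oversized_field(void)
{
    uint8_t bad[201];
    char out[FIELD_MAX];
    memset(bad, 'A', sizeof bad);
    bad[0] = 200;
    return parse_field_checked(bad, sizeof bad, out, sizeof out);
}

/* A packet that declares 10 bytes but carries only 2: must be rejected. */
int check_truncated_field(void)
{
    static const uint8_t trunc[] = { 10, 'a', 'b' };
    char out[FIELD_MAX];
    return parse_field_checked(trunc, sizeof trunc, out, sizeof out);
}

int main(void)
{
    char out[FIELD_MAX];
    printf("good field      -> %d (%s)\n", check_good_field(out, sizeof out), out);
    printf("oversized field -> %d\n", check_oversized_field());
    printf("truncated field -> %d\n", check_truncated_field());
    return 0;
}
```

The two checks in the hardened parser are independent: the first protects the stack buffer, the second prevents reading past the end of the received packet, and a parser that only has one of them is still wrong.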

The vulnerability is tracked as CVE-2025-40601 and carries a severity rating of 7.5/10 (high). It affects Gen7 and Gen8 firewalls, both hardware and virtual. Older products, such as Gen6 firewalls and the SMA 1000 and SMA 100 series SSL VPN appliances, are reported to be unaffected.

It is unclear whether Akira's operators targeted these companies because they had been acquired, or whether the companies simply ran vulnerable equipment when they were compromised and were acquired afterwards.
