- ReliaQuest warns that Akira ransomware is often spread via compromised assets inherited during mergers and acquisitions
- Most infections originate from unpatched SonicWall SSL VPN appliances, exploited for lateral movement and encryption
- SonicWall recently patched CVE-2025-40601, a high-severity buffer overflow vulnerability affecting Gen7 and Gen8 firewalls
Companies buy and sell other companies all the time, but alongside the customers, earnings, new markets or talented employees, buyers often get something unexpected with their acquisition: a ransomware infection.
Cybersecurity researchers at ReliaQuest recently published a new report on how Akira ransomware infects its victims, noting that in every attack they analyzed between June and October 2025, the company was infected through a previously acquired asset that already had compromised hardware in its network.
“In these cases, the acquiring companies were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed,” the blog reveals.
What came first – infection or acquisition news?
Most of the time, the report found, Akira compromised unpatched SonicWall SSL VPN appliances, after news broke in mid-July 2025 of a possible new vulnerability in the VPN appliances that Akira was abusing to log in, move laterally and carry out encryption.
In late September, several security tools warned of infiltration of SonicWall SSL VPN devices, even though the devices had been patched and users had MFA enabled.
SonicWall has also released a patch for a serious vulnerability in its SonicOS SSL VPN service and urged all users to update their firewalls immediately.
In a security advisory, SonicWall said it discovered a stack-based buffer overflow vulnerability that allows a remote, unauthorized attacker to cause a Denial of Service (DoS) and essentially crash the firewall.
The vulnerability is now tracked as CVE-2025-40601 and received a severity score of 7.5/10 (high). It affects Gen8 and Gen7 firewalls, both hardware and virtual. Earlier models, such as Gen6 firewalls or the SMA 1000 and SMA 100 series SSL VPN products, are said to be safe from this flaw.
It was left unclear whether Akira’s operators targeted companies because they were acquired, or if they were simply compromised because they were running vulnerable equipment and happened to be acquired later.
Via The Register