Akira Ransomware Targets M&A Blind Spots, Breaching Firms via Inherited SonicWall Devices

Akira Ransomware Exploits M&A Security Gaps by Infiltrating Networks Through Unpatched SonicWall Appliances

HIGH
November 25, 2025
5m read
Ransomware · Threat Actor · Cyberattack

Related Entities

Organizations: SonicWall, ReliaQuest
Products & Tech: SonicWall SSL VPN
Other: LG Energy Solution

Full Report

Executive Summary

The Akira ransomware group is capitalizing on the chaos of corporate mergers and acquisitions (M&A) to infiltrate enterprise networks. Research from ReliaQuest reveals a pattern where Akira affiliates target acquiring companies by exploiting vulnerable SonicWall SSL VPN appliances. These devices are often inherited from the smaller, acquired company and are frequently unknown, unmanaged, and unpatched by the new parent organization's IT department. This creates a critical security gap, allowing attackers to establish an initial foothold. The subsequent attack is swift, with threat actors moving from lateral movement to full ransomware deployment in under an hour.


Threat Overview

The tactic observed between June and October 2025 highlights a sophisticated understanding of enterprise IT challenges. During an M&A event, the integration of two distinct networks is a complex process fraught with security risks. The Akira group exploits this by targeting a common scenario: a larger enterprise acquires a small or medium-sized business (SMB) that uses SonicWall SSL VPNs for remote access. The acquiring organization's asset inventory is often incomplete, leaving these legacy devices as forgotten, unpatched entry points.

The attack chain typically follows these steps:

  1. Initial Access: Attackers identify and exploit a known vulnerability in an unpatched SonicWall SSL VPN appliance belonging to the acquired company, which is now connected to the acquirer's network. This aligns with T1190 - Exploit Public-Facing Application.
  2. Credential Access: The attackers use 'zombie' privileged credentials—accounts that were transferred during the acquisition but are no longer actively managed or monitored. This is a form of T1078 - Valid Accounts.
  3. Defense Evasion: If Endpoint Detection and Response (EDR) solutions are present, the attackers attempt to disable them. A common technique observed is DLL sideloading to bypass security controls, mapping to T1574.002 - DLL Side-Loading.
  4. Lateral Movement & Impact: With privileged access and disabled defenses, the attackers move rapidly across the network to identify and encrypt critical assets. The final ransomware deployment (T1486 - Data Encrypted for Impact) occurs in less than an hour after initial lateral movement, indicating a highly automated or well-rehearsed operation.

Technical Analysis

The success of this campaign hinges on operational security failures within the victim organizations. The lack of a comprehensive asset inventory post-merger is the primary enabler. Attackers are not necessarily using zero-day exploits but are capitalizing on poor patch management and security hygiene.

The use of default or predictable hostnames for the SonicWall devices makes them easy for attackers to discover through internet-wide scanning. Once inside, the immediate search for privileged accounts suggests the attackers are following a standard ransomware playbook, prioritizing speed to impact. The attempt to disable EDR is a critical step that allows them to operate without triggering alarms during the final, noisy stages of the attack.

MITRE ATT&CK Techniques Observed

| Tactic | Technique ID | Name | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Compromising vulnerable, internet-facing SonicWall SSL VPN appliances. |
| Credential Access | T1078 | Valid Accounts | Using legacy or 'zombie' privileged credentials from the acquired company. |
| Defense Evasion | T1562.001 | Disable or Modify Tools | Attempting to disable EDR products before deploying ransomware. |
| Defense Evasion | T1574.002 | DLL Side-Loading | A specific technique used to bypass or disable security software. |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | RDP is a common method for lateral movement once initial credentials are stolen. |
| Impact | T1486 | Data Encrypted for Impact | The final stage of deploying the Akira ransomware payload. |

Impact Assessment

The primary impact is financial and operational disruption due to ransomware. However, this attack vector highlights a significant systemic risk for any organization involved in M&A. The acquiring company inherits not only the assets of the acquired firm but also its security debt. The failure to conduct thorough cybersecurity due diligence and rapid network integration can lead to a breach that affects the entire, larger enterprise. The speed of the attack—under an hour from movement to encryption—leaves security teams with almost no time to react, making proactive defense essential.

Cyber Observables for Detection

Organizations undergoing M&A should be on high alert for these indicators:

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| log_source | SonicWall VPN Logs | Monitor for successful logins from unusual geographic locations or using legacy accounts that should be disabled. | VPN appliance logs, SIEM | high |
| command_line_pattern | taskkill /f /im <EDR_process>.exe | Command line activity showing attempts to terminate EDR or other security agent processes. | EDR logs, process creation logs | high |
| file_name | ntdll.dll | Monitor for legitimate system DLLs being loaded by unsigned or unusual executables, which can indicate DLL sideloading. | EDR telemetry, file integrity monitoring | medium |
| user_account_pattern | *.bak, *_old | Logins from accounts that appear to be old or backup service accounts from the acquired company. | Active Directory logs, authentication logs | high |

Detection & Response

  • Asset Inventory: The first step is to know what you own. Conduct immediate and comprehensive network scans to identify all devices, especially internet-facing ones, inherited through an acquisition. This is a foundational aspect of security.
  • Log Aggregation: Ingest logs from all newly acquired devices, including SonicWall VPNs, into a central SIEM. Create alerts for logins from dormant or legacy accounts. This aligns with D3-LAM - Local Account Monitoring.
  • EDR Tamper Protection: Ensure that EDR solutions have tamper protection enabled to prevent attackers from easily disabling them. Alert on any attempts to stop or modify security agent services. This is a key feature of D3-PH - Platform Hardening.
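As an added illustration (not code from the original report or from ReliaQuest), the detection logic below applies the observables table's rules to constructed sample events: successful SonicWall VPN logins by accounts matching the legacy name patterns or a decommissioned-account list, VPN logins from outside the expected geographies, and taskkill command lines aimed at EDR processes. The decommissioned accounts, EDR image names and expected-country set are placeholders a defender would fill from their own IAM audit and EDR deployment.

```python
import fnmatch
import re

LEGACY_ACCOUNT_GLOBS = ("*.bak", "*_old")  # account patterns from the observables table
DECOMMISSIONED_ACCOUNTS = {"acq-domain-admin", "svc_sql_acq"}  # placeholder: from IAM audit
EDR_PROCESSES = {"edr_sensor.exe", "edr_agent.exe"}  # placeholders: your EDR's image names
EXPECTED_GEOS = {"US"}  # placeholder: countries VPN logins are expected from
# First regex matches taskkill invoked bare, by full path, or quoted; second pulls the /IM image.
TASKKILL_RE = re.compile(r'(?:^|[\\"\s])taskkill(?:\.exe)?"?\s', re.I)
IMAGE_RE = re.compile(r'/im\s+"?([^"\s]+)', re.I)

# Constructed sample telemetry (normalised SIEM events), not from any real incident.
SAMPLE_EVENTS = [
    {"source": "sonicwall_vpn", "user": "svc_backup_old", "result": "success", "geo": "RO"},
    {"source": "sonicwall_vpn", "user": "jdoe", "result": "success", "geo": "US"},
    {"source": "sonicwall_vpn", "user": "admin.bak", "result": "failure", "geo": "US"},
    {"source": "sonicwall_vpn", "user": "acq-domain-admin", "result": "success", "geo": "US"},
    {"source": "process_create", "host": "FS01",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /F /IM edr_sensor.exe'},
    {"source": "process_create", "host": "WS22", "cmdline": "taskkill /f /im notepad.exe"},
]

def is_legacy_account(user):
    """True if the account matches a legacy glob or is on the decommissioned list."""
    u = user.lower()
    return u in DECOMMISSIONED_ACCOUNTS or any(
        fnmatch.fnmatchcase(u, g) for g in LEGACY_ACCOUNT_GLOBS)

def edr_kill_target(cmdline):
    """Return the image name if the command line is taskkill aimed at an EDR process."""
    m = IMAGE_RE.search(cmdline) if TASKKILL_RE.search(cmdline) else None
    if m and m.group(1).lower() in EDR_PROCESSES:
        return m.group(1)
    return None

def detect(events):
    """Apply the rules to each event; return (rule, ATT&CK id, subject) alerts."""
    alerts = []
    for ev in events:
        # Only successful VPN logins: a legacy account that authenticates is the concern.
        if ev["source"] == "sonicwall_vpn" and ev["result"] == "success":
            if is_legacy_account(ev["user"]):
                alerts.append(("vpn_login_legacy_account", "T1078", ev["user"]))
            if ev["geo"] not in EXPECTED_GEOS:
                alerts.append(("vpn_login_unexpected_geo", "T1078", ev["user"]))
        elif ev["source"] == "process_create":
            target = edr_kill_target(ev["cmdline"])
            if target:
                alerts.append(("edr_tamper_taskkill", "T1562.001", f"{ev['host']}:{target}"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts: two for the `svc_backup_old` login (legacy name and unexpected country), one for the decommissioned admin account, and one for the taskkill aimed at the EDR sensor; the failed `admin.bak` login and the notepad taskkill are ignored.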

Mitigation

The core of this issue is a failure of process during M&A. Cybersecurity due diligence must be a top priority.

  1. M&A Cybersecurity Playbook: Develop and enforce a strict cybersecurity integration plan for all M&A activities. This must include immediate asset discovery, vulnerability scanning, and patching of all inherited systems before they are connected to the corporate network. This falls under M1051 - Update Software.
  2. Network Segmentation: Isolate the acquired company's network from the main corporate network until a full security assessment and remediation have been completed. Use a firewall to strictly control all traffic between the two environments. This is a direct application of M1030 - Network Segmentation.
  3. Identity and Access Management (IAM) Integration: Immediately integrate or decommission the acquired company's user accounts. Disable all legacy privileged accounts and enforce the acquiring company's password policies and MFA requirements. This relates to M1018 - User Account Management.
  4. Assume Breach: Treat all inherited devices and networks as potentially compromised until proven otherwise. Deploy EDR agents and network sensors throughout the acquired environment as soon as possible.

Timeline of Events

  1. November 25, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Establish a process to immediately patch all inherited internet-facing devices, like SonicWall VPNs, during M&A activities.
  • Isolate the network of the acquired company until a full security audit and remediation can be performed.
  • Immediately audit and integrate user accounts post-acquisition, disabling any 'zombie' or legacy privileged accounts.
  • Deploy EDR with tamper protection to all endpoints, including those from the acquired company, to detect and prevent defense evasion techniques.

D3FEND Defensive Countermeasures

Implement a mandatory, rigorous asset discovery and management process as a day-one activity for any merger or acquisition. Before connecting any part of the acquired network to the parent company's environment, a complete inventory of all hardware and software assets must be established. This process must specifically focus on identifying all internet-facing devices, such as the SonicWall VPNs exploited by Akira. Use a combination of active network scanning, passive traffic analysis, and agent-based discovery tools to build this inventory. Once identified, each asset must be cross-referenced against vulnerability databases and patched to the latest secure version. This eliminates the 'unknown and unpatched' devices that Akira preys upon.

Enforce a 'default-deny' network integration policy during M&A. The acquired company's network should be treated as an untrusted, hostile environment and kept completely isolated from the acquiring company's network. All necessary data and service integrations should occur through a tightly controlled and monitored security gateway or 'demilitarized zone' (DMZ). Direct network-to-network connections should be prohibited until the acquired environment has been fully audited, patched, and brought into compliance with the parent company's security standards. This physical or logical separation prevents attackers who compromise a legacy device on the acquired network from having any path for lateral movement into the more valuable parent network.

Execute a comprehensive identity and access management (IAM) consolidation plan immediately upon acquisition. This involves auditing every user account, especially privileged and service accounts, from the acquired company. 'Zombie' credentials must be eliminated by disabling all accounts of former employees and forcing password resets for all active users to align with the parent company's complexity and rotation policies. Most importantly, all privileged access must be revoked and re-provisioned through the parent company's privileged access management (PAM) solution. This removes the standing privileged accounts that Akira affiliates use for immediate lateral movement and forces any attacker to go through more easily monitored channels to escalate privileges.

Sources & References

  • Akira ransomware crew infected enterprise systems during M&A. The Register (theregister.com), November 25, 2025.
  • 24th November – Threat Intelligence Report. Check Point Research (research.checkpoint.com), November 24, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

Akira · ransomware · M&A · SonicWall · supply chain · vulnerability · ReliaQuest
