Akira Ransomware Exploits SonicWall VPN Accounts

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

The Akira ransomware group has started attacking SonicWall firewalls across the globe, using stolen login information and security weaknesses to bypass MFA and encrypt networks.

In a rush? Here are the quick facts:

  • Akira ransomware has been exploiting SonicWall firewalls since July 2025.
  • Attackers use stolen credentials and MFA bypass to gain access.
  • MySonicWall cloud backup incident adds to security concerns.

Arctic Wolf Labs has identified a new wave of ransomware attacks targeting SonicWall firewalls, with intrusions beginning in late July 2025 and continuing to this day. The campaign combines stolen login credentials with a serious security vulnerability to bypass security systems.

“Threat actors obtained initial access through malicious SSL VPN logins with successful OTP Multi-Factor Authentication (MFA) challenge, and deployed Akira ransomware,” Arctic Wolf explained. The attackers then scanned the network, moved laterally using Impacket, and encrypted data, all within a short time frame.

The hackers are believed to be exploiting CVE-2024-40766, an “improper access control vulnerability” first disclosed in 2024. Patched devices remain at risk, because attackers who already hold stolen login credentials can still use them.

SonicWall has confirmed that compromised login credentials continue to function across various SonicOS system versions.

Adding to the concerns, SonicWall recently acknowledged an unrelated incident involving its MySonicWall cloud backup service. The company said it was not a ransomware attack, but “the full extent of this breach may not yet be fully known.”

The victim base spans various sectors, according to Arctic Wolf, because attackers carry out “opportunistic mass exploitation.” The firm observed that attackers managed to bypass MFA security measures, though the exact method remains unclear.

With ransomware “dwell time” measured in just hours, experts say early detection is critical. Arctic Wolf advised organizations to watch for suspicious VPN logins from hosting providers and anomalous SMB activity.

“Because dwell time is typically measured in hours, detecting and disrupting the activity early is essential to prevent ransomware encryption and data theft,” the company warned.
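
One way to act on the monitoring advice above, as an added example that is not from Arctic Wolf, SonicWall or the original article: correlate SSL VPN logins from hosting-provider networks with SMB fan-out from the same VPN session. The event schema, the hosting ranges (documentation addresses), the four-hour window and the fan-out threshold are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: stand-in for a hosting/VPS provider IP feed (RFC 5737 documentation ranges).
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
WINDOW = timedelta(hours=4)  # assumed correlation window; dwell time is measured in hours
SMB_FANOUT = 5               # assumed threshold: distinct SMB destinations per VPN session

def is_hosting(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETS)

def detect(events):
    """Score each VPN login on its source network and on the SMB fan-out that follows it."""
    alerts = []
    for login in (e for e in events if e["type"] == "vpn_login"):
        start = datetime.fromisoformat(login["ts"])
        targets = {e["dst_ip"] for e in events
                   if e["type"] == "smb" and e["src_ip"] == login["vpn_ip"]
                   and start <= datetime.fromisoformat(e["ts"]) <= start + WINDOW}
        reasons = []
        # A passed OTP challenge is deliberately not used to suppress the alert:
        # the intrusions described above completed MFA successfully.
        if is_hosting(login["src_ip"]):
            reasons.append("login_from_hosting_provider")
        if len(targets) >= SMB_FANOUT:
            reasons.append("smb_fanout")
        if reasons:
            alerts.append({"user": login["user"], "src_ip": login["src_ip"],
                           "reasons": reasons, "smb_targets": len(targets),
                           "severity": "high" if len(reasons) == 2 else "medium"})
    return alerts

# Constructed sample events in a normalised form (not a SonicWall log format).
EVENTS = [
    {"ts": "2025-08-01T02:10:00", "type": "vpn_login", "user": "svc-backup",
     "src_ip": "203.0.113.45", "vpn_ip": "10.8.0.21", "mfa": "otp_ok"},
    {"ts": "2025-08-01T08:55:00", "type": "vpn_login", "user": "alice",
     "src_ip": "192.0.2.10", "vpn_ip": "10.8.0.22", "mfa": "otp_ok"},
    {"ts": "2025-08-01T09:05:00", "type": "smb", "src_ip": "10.8.0.22", "dst_ip": "10.0.1.5"},
] + [  # six file-share connections from the first session within 15 minutes of login
    {"ts": f"2025-08-01T02:{20 + i}:00", "type": "smb", "src_ip": "10.8.0.21",
     "dst_ip": f"10.0.1.{10 + i}"} for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A login that trips only one of the two signals is reported at medium severity, so a hosting-provider login is visible before any SMB activity starts.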

Hackers Steal Data Of 8,000 Children In London Nursery Cyberattack

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

A group of cybercriminals has stolen highly sensitive data from Kido International, a nursery chain with 18 sites in London, exposing information on more than 8,000 children and their families.

In a rush? Here are the quick facts:

  • Stolen data includes names, photos, addresses, and safeguarding reports.
  • Radiant threatened to release 30 more child profiles and the private data of 100 staff.
  • Some parents received ransom threats directly by phone and email.

The hackers, who call themselves Radiant, published a sample of 10 children’s profiles on their dark web site, including names, photos, addresses, and family details.

They also claim to hold safeguarding reports, billing information, and accident records. “Next steps for us will be to release 30 more profiles of each child and 100 employees’ private data,” the group threatened online, as reported by The Guardian.

Radiant has demanded payment and even contacted some parents directly by phone and email, warning them their child’s data could be posted unless pressure was put on Kido to pay, reported The Guardian.

One parent told the BBC: “The nursery told us very quickly […] My partner actually works in cyber-security and we understand these things happen. But we do feel the nursery has handled it well.” Another, Bryony Wilde, said: “They are kids – their personal details shouldn’t be worth anything.”

The BBC reports that the group described itself as conducting a “pentest,” a penetration test normally done with permission, but admitted that “of course” it’s about money.

Speaking to Reuters, they also claimed to be based in Russia but provided no evidence.

Cybersecurity experts strongly criticized the attack. Jonathon Ellison of the UK’s National Cyber Security Centre said it was “a particularly egregious act,” as reported by the BBC.

Kido confirmed it had informed families and authorities, and is working with forensic specialists. Reuters reports that the Metropolitan Police said: “Enquiries are ongoing and remain in the early stages within the Met’s Cyber Crime Unit.”