June 2026 · Ransomware

Akira Ransomware Is Hunting Exposed VPNs — Why MSPs Are in the Blast Radius

Akira is one of the most active ransomware operations targeting small and midsize businesses, and the managed service providers (MSPs) that support them. CISA's joint advisory #StopRansomware: Akira Ransomware (AA24-109A), originally published in April 2024 and updated since, documents how Akira actors gain initial access: most often through VPN services that lack multifactor authentication, by stealing valid credentials, or by exploiting known vulnerabilities. The advisory names flaws in Cisco appliances — including CVE-2020-3259, CVE-2023-20269, and CVE-2020-3589 — and a SonicWall access-control flaw, CVE-2024-40766, as paths Akira has abused. Remote Desktop Protocol (RDP) and spear-phishing round out their playbook.

Through 2025, security firms reported a marked surge in Akira activity tied to SonicWall SSL VPN logins, with some intrusions moving from initial VPN access to encryption in a matter of hours. Reporting also indicates the FBI has placed Akira among the most prevalent ransomware variants hitting U.S. businesses. (Figures dated after early 2026 are attributed to the reporting outlets below rather than asserted as settled.)

Why this hits MSPs especially hard

An MSP's remote-access edge — VPN concentrators, firewalls, RDP gateways — is exactly the exposed surface Akira probes. Compromise one MSP and an attacker can pivot across many downstream clients at once. The common thread in nearly every Akira case is an internet-facing service that was reachable, unpatched, or missing MFA.

The defensible first move

You can't protect what you can't see. The first step against this pattern is knowing exactly what of yours is exposed: which VPN, RDP, and firewall services answer from the public internet, and whether any are running versions tied to known-exploited CVEs. A quick external attack-surface analysis surfaces those first — the same things Akira's operators see when they scan you.
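A first pass over that inventory can be scripted. The sketch below is an added example, not code from this post or from CISA: it ranks internet-facing VPN, RDP and firewall services by whether they carry one of the CVEs named above, then by missing MFA, then by how many clients sit behind them. The CSV column names and all sample rows are constructed assumptions; feed it an export from your own scanner or asset inventory.

```python
import csv
import io

# CVEs this post lists from CISA advisory AA24-109A as paths Akira has abused.
AKIRA_CVES = {"CVE-2020-3259", "CVE-2023-20269", "CVE-2020-3589", "CVE-2024-40766"}
REMOTE_ACCESS = {"vpn", "rdp", "firewall"}  # the edge services the post names

# Constructed sample data: hypothetical columns, documentation-range addresses.
SAMPLE_INVENTORY = """\
host,service,internet_facing,mfa_enforced,open_cves,clients_served
203.0.113.10,vpn,yes,no,CVE-2024-40766,42
203.0.113.11,rdp,yes,no,,3
203.0.113.12,firewall,yes,yes,CVE-2023-20269;OTHER-FINDING-1,30
203.0.113.13,vpn,yes,yes,,17
10.0.0.5,rdp,no,no,,1
203.0.113.14,web,yes,no,,8
"""

def triage(inventory_csv):
    """Return findings for the exposed remote-access edge, worst first."""
    findings, order = [], {"critical": 0, "high": 1, "review": 2}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        service = row["service"].strip().lower()
        if service not in REMOTE_ACCESS or row["internet_facing"].strip().lower() != "yes":
            continue  # not reachable from the internet, or not a remote-access service
        cves = {c.strip().upper() for c in row["open_cves"].split(";") if c.strip()}
        matched = sorted(cves & AKIRA_CVES)  # only CVEs named in the advisory count here
        no_mfa = row["mfa_enforced"].strip().lower() != "yes"
        severity = "critical" if matched else "high" if no_mfa else "review"
        findings.append({
            "host": row["host"], "service": service, "severity": severity,
            "advisory_cves": matched, "missing_mfa": no_mfa,
            "clients_served": int(row["clients_served"]),  # downstream blast radius
        })
    # Worst severity first; within a severity, the largest client count first.
    findings.sort(key=lambda f: (order[f["severity"]], -f["clients_served"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["severity"], f["host"], f["service"], f["advisory_cves"],
              "no MFA" if f["missing_mfa"] else "MFA", f["clients_served"])
```

Rows marked "review" are still reachable from the internet; they rank last only because neither an advisory CVE nor missing MFA was recorded for them.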

Sources

CISA — #StopRansomware: Akira Ransomware (AA24-109A)

Arctic Wolf — Akira / SonicWall SSL VPN activity (reporting)

Help Net Security — Akira ransomware & SonicWall VPN (reporting)
