Recent findings from Barracuda Managed XDR reveal a surge in ransomware attacks targeting unpatched SonicWall VPNs and compromised Microsoft 365 accounts. Analysts also detected increased use of Python-based automation to execute malicious tools and evade detection.

Akira Ransomware Exploiting VPN Vulnerabilities

The ransomware-as-a-service group Akira continues exploiting outdated SonicWall VPN devices. Although Barracuda issued an advisory in August 2025, attacks persist as threat actors refine their methods and maintain a high risk level.

Attackers exploit CVE-2024-40766, a flaw patched more than a year ago. Many organisations remain vulnerable due to delayed updates or the reuse of stolen credentials captured before patching. By intercepting one-time passwords (OTPs) and generating valid tokens, adversaries bypass multi-factor authentication (MFA) even on updated systems.

Once inside, Akira operators move quickly from infiltration to encryption. They frequently employ legitimate remote-monitoring and management (RMM) tools to blend in with normal IT activity, disable security products, and cripple backup solutions to prevent data recovery.

Barracuda analysts warn that Akira’s agility, combined with poor patch adoption and credential reuse, makes it one of today’s most persistent ransomware threats.

Growing Use of Python-Based Attack Automation

Barracuda SOC teams report an uptick in attacks using Python scripts to run tools such as Mimikatz, PowerShell-based payloads, and credential-stuffing frameworks. Threat actors leverage automation to speed up execution, mask malicious actions, and minimise manual interaction that might trigger alerts.

Automating attacks with Python enables simultaneous tasks — vulnerability scanning, credential testing, and data extraction — increasing efficiency while narrowing defenders’ response windows. Parallel execution allows attackers to identify weaknesses and exfiltrate information almost instantly.

Spike in Microsoft 365 Account Compromises

In addition, analysts observed a sharp rise in unusual sign-ins targeting Microsoft 365. These include logins from unexpected locations or devices, and at hours inconsistent with normal user behaviour — strong evidence of credential compromise.

The rise mirrors the growing adoption of Microsoft 365 as a central enterprise platform. Attackers exploit weak account protections to gain persistent access to mailboxes, shared drives, and collaboration environments, turning legitimate tools into vehicles for long-term intrusion.
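The sign-in anomalies described above (unfamiliar location or device, activity at unusual hours) can be baselined per user and flagged. The script below is an added example and not Barracuda's detection logic: it runs over constructed sample sign-in events, treats 07:00-19:59 local time as the normal working window, and only trusts a user's baseline after two prior sign-ins; all three values are assumptions.

```python
from datetime import datetime

# Constructed sample Microsoft 365 sign-in events (not real telemetry):
# (user, ISO timestamp in the user's local time, country, device id)
SIGNINS = [
    ("alice", "2025-10-06T09:12:00", "GB", "dev-a1"),
    ("alice", "2025-10-07T08:55:00", "GB", "dev-a1"),
    ("alice", "2025-10-08T10:03:00", "GB", "dev-a1"),
    ("alice", "2025-10-09T03:41:00", "NG", "dev-zz"),
    ("bob",   "2025-10-06T14:00:00", "GB", "dev-b1"),
    ("bob",   "2025-10-07T13:30:00", "GB", "dev-b1"),
    ("bob",   "2025-10-08T14:10:00", "GB", "dev-b2"),
]

WORK_HOURS = range(7, 20)   # assumed normal window: 07:00-19:59 local time
MIN_HISTORY = 2             # assumed: prior sign-ins needed before a baseline is trusted


def flag_sign_ins(events, work_hours=WORK_HOURS, min_history=MIN_HISTORY):
    """Walk events in time order, building a per-user baseline of countries and
    devices from earlier sign-ins, and return (user, timestamp, reasons) for each
    sign-in that deviates from that baseline or falls outside working hours."""
    history = {}   # user -> {"countries": set, "devices": set, "count": int}
    findings = []
    for user, ts, country, device in sorted(events, key=lambda e: (e[0], e[1])):
        seen = history.setdefault(user, {"countries": set(), "devices": set(), "count": 0})
        reasons = []
        if seen["count"] >= min_history:      # too little history: no baseline yet
            if country not in seen["countries"]:
                reasons.append("new_country")
            if device not in seen["devices"]:
                reasons.append("new_device")
        if datetime.fromisoformat(ts).hour not in work_hours:
            reasons.append("off_hours")
        if reasons:
            findings.append((user, ts, reasons))
        seen["countries"].add(country)        # every sign-in extends the baseline
        seen["devices"].add(device)
        seen["count"] += 1
    return findings


def high_confidence(findings, threshold=2):
    """Keep only sign-ins with at least `threshold` independent reasons; a lone
    new device is common (hardware refresh) and is better left as low-priority."""
    return [f for f in findings if len(f[2]) >= threshold]

if __name__ == "__main__":
    for user, ts, reasons in flag_sign_ins(SIGNINS):
        print(f"{user} {ts} {','.join(reasons)}")
```

In the sample data, alice's sign-in from a new country and device at 03:41 collects all three reasons, while bob's new device alone stays below the high-confidence threshold.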

Barracuda advises all organisations to patch vulnerable VPNs immediately, enforce strong authentication, monitor for suspicious access patterns, and restrict unapproved scripting to reduce Python-based automation abuse.