Over the past two decades, I’ve watched enterprise security architectures evolve through multiple eras—flat networks, perimeter firewalls, distributed edge, zero trust, and hybrid cloud. Yet despite this evolution, one enduring truth remains: attackers will always gravitate toward weak points in the perimeter where authentication, visibility, and patch hygiene intersect. In the last two years, few examples have illustrated this better than the resurgence of Akira and LockBit ransomware campaigns targeting VPN and edge appliances. These operations have matured into highly efficient intrusion pipelines, blending credential theft, misconfiguration abuse, and rapid post-compromise escalation. Their success highlights a lesson many security teams still struggle with: when perimeter devices become blind spots, attackers gain an almost unfair advantage.
Akira and LockBit represent two distinct operational models, but they share an identical appreciation for the value of edge infrastructure. Both groups have learned to exploit gaps in VPN hardening, multi-factor authentication enforcement, dormant vulnerabilities in network appliances, and the operational debt that accumulates in companies with distributed IT management. For defenders, these campaigns offer a window into how threat actors genuinely work in the field—not in theoretical kill chains, but in the messiness of real enterprise networks where legacy gear, overextended IT teams, and inconsistent monitoring create the conditions for compromise.
How Attackers Leverage the Modern Perimeter
Before examining the campaigns themselves, it’s important to understand why VPN and edge appliances have become such attractive targets. During my years in red teaming and penetration testing, the perimeter was always the starting point, not because it was the easiest layer, but because compromising it yielded disproportionate access with comparatively little noise. What’s changed is that modern perimeter devices now blend authentication, routing, access control, and logging into a complex ecosystem that few organizations fully understand. This complexity becomes an operational attack surface.
From an attacker’s point of view, a VPN appliance is not just a gateway—it’s an identity broker, a credential repository, a visibility bottleneck, and often a misconfiguration gold mine. If MFA isn’t universally enforced, a stolen credential becomes a skeleton key. If logging isn’t centralized, post-authentication activity disappears into a void. If firmware is outdated, remote code execution or session hijacking becomes possible. For adversaries like Akira and LockBit affiliates, these appliances are the perfect blend of high-value access and low detection probability.
Akira’s Strategic Shift Toward VPN-Driven Intrusions
Akira emerged as a ransomware group with a relatively quiet footprint compared to the more theatrical criminal enterprises. Their early operations looked like traditional extortionware, but by late 2023, we began seeing a noticeable shift in their intrusion techniques. SOC analysts across multiple industries reported an uptick in incidents where VPN logs were the first and only source of truth, often showing legitimate credential use with no corresponding MFA challenge. This wasn’t a fluke—Akira had embraced credential-centric perimeter breaches.
In multiple investigations I participated in, we saw the same pattern: an initial login from an unusual geography using a valid VPN account with MFA disabled “temporarily” for troubleshooting. In one case, the account used belonged to a contractor who had left two years prior but whose access remained active. Once inside, Akira operators enumerated the network with quiet efficiency, relying primarily on living-off-the-land binaries to avoid detection. Their TTPs rarely triggered high-fidelity alerts because none of the activity was technically anomalous. The edge appliance had already authenticated them.
Akira’s operational discipline focuses less on exploiting cutting-edge vulnerabilities and more on exploiting the operational gaps that defenders overlook. Their success with VPN appliances proves that attackers don’t always need novel exploits—sometimes, they simply need a moment of configuration drift.
LockBit’s More Aggressive Perimeter Exploitation Model
LockBit, by contrast, has built an ecosystem refined through years of affiliate-driven expansion. Their operators are more willing to leverage vulnerabilities, often chaining credential compromise with weaponized exploits. They have repeatedly targeted Cisco ASA/FTD, SonicWall, and Fortinet devices, capitalizing on organizations that delay patching edge infrastructure or run unsupported firmware.
From an incident response perspective, LockBit compromises are unmistakably different from Akira’s. When we handled a LockBit engagement at a global manufacturing company last year, the intrusion began with exploitation of an unpatched firewall vulnerability that allowed remote command execution. The attackers immediately deployed scripts to harvest stored credentials, scan the internal network, and identify high-value hosts associated with engineering systems. The escalation was fast—not chaotic, but methodical. Within hours, domain controller interaction logs showed reconnaissance consistent with credential dumping attempts. LockBit affiliates understand the fragility of edge devices and move quickly once inside to maximize blast radius.
Yet both groups share a tactical appreciation for one foundational weakness: edge appliances often sit outside the security telemetry ecosystem. Even in mature enterprises with EDR coverage on every workstation and server, VPN devices may not send logs to the SIEM consistently. This creates a detection vacuum where attackers can operate undisturbed.
The Role of Identity Fatigue and MFA Drift
One of the recurring patterns I’ve seen across dozens of investigations is what I call “MFA drift”—the gradual erosion of multi-factor enforcement due to exceptions, temporary allowances, untracked administrator overrides, or incomplete rollout to contractors and service accounts. While organizations celebrate MFA adoption metrics, attackers look at MFA consistency.
Akira, in particular, has excelled at exploiting MFA drift. In several environments, the compromised VPN accounts belonged to employees whose MFA enrollment was pending or delayed. In others, MFA was technically available but not enforced at the policy level. This mismatch between intent and implementation provides the leverage attackers need. Once an adversary authenticates with a credential that appears valid and policy-compliant, most SOC detection rules become inert.
LockBit actors have also leveraged scenarios where VPN administrators disabled MFA to troubleshoot synchronization issues with identity providers. A single 15-minute MFA disable window became the entry point to a multi-million-dollar breach. That illustrates a truth every defender should internalize: attackers don’t need complex technical openings—they need operational ones.
Exploiting Logging Gaps and Monitoring Blind Spots
Edge devices remain one of the least monitored components in the enterprise environment. Even when logs are available, they often lack the granularity needed for effective detection. Some appliances can only log successful and failed authentications; others cannot export session-level telemetry without specialized modules or additional licensing. During investigations, this becomes a significant challenge. Without adequate logging, it becomes nearly impossible to reconstruct lateral movement patterns or validate whether an attacker interacted with internal resources through legitimate tunnels.
Akira operators have used these blind spots to maintain footholds for weeks. In one case, the only indication of persistence was an anomalous Active Directory password reset event tied to a VPN-authenticated session. LockBit affiliates, on the other hand, often establish secondary footholds quickly by deploying remote management tools or exploiting outdated Windows services. The VPN access becomes merely their beachhead; the real persistence lives deeper inside the network.
From a SOC perspective, these blind spots force analysts into a reactive mode. When VPN telemetry is incomplete, analysts must rely on downstream logs from endpoints and servers, which means detection only begins after the attacker has already breached the perimeter.
The Expanding Attack Surface of Hybrid Work
The shift toward hybrid and remote work has exacerbated the risk associated with VPN and edge appliances. Many organizations that rapidly deployed remote access infrastructure during crisis periods now struggle to maintain it at enterprise scale. Over time, that rapid expansion morphs into long-term technical debt.
Contractor accounts, third-party integrators, and legacy administrative paths often remain active longer than intended. As an incident responder, I have seen countless VPN appliances with hundreds of stale accounts—the equivalent of leaving unmonitored doors unlocked around the perimeter. Attackers know this and continually test authentication endpoints for credentials purchased or harvested through unrelated breaches.
LockBit affiliates, especially, operate credential-testing infrastructure to identify exposed VPN portals. Once a viable credential is found, exploitation becomes nearly instantaneous. This workflow transforms VPN appliances from secure gateways into enterprise-level entry points for ransomware.
Why Edge Appliances Remain Difficult to Patch
Few topics cause more friction between IT and security teams than patching perimeter infrastructure. Unlike workstations or servers, patching edge appliances requires downtime, coordination with network engineers, and sometimes revalidation of routing rules or authentication mechanisms. In global organizations with 24/7 operations, this downtime can be hard to schedule. As a result, many companies adopt a “defer until necessary” stance that attackers exploit relentlessly.
I’ve seen appliances running firmware that was three or four versions behind, not because teams were careless, but because patching required complex change-management workflows. Attackers, however, do not wait for maintenance windows. When a new vulnerability appears and proof-of-concept code becomes available, Akira and LockBit affiliates incorporate it almost immediately into their reconnaissance processes. The asymmetry is significant: defenders must schedule, test, and validate; attackers only need to detect a single unpatched system.
How Akira and LockBit Operate Post-Compromise
Once attackers secure access through a VPN or compromised edge appliance, their methods diverge slightly depending on the operator, but both Akira and LockBit follow mature, well-tested intrusion workflows. These workflows reflect an understanding of how enterprise monitoring works in practice, not in theory. Attackers know where visibility begins to taper off and where analysts are least likely to notice subtle deviations in normal activity.
Akira tends to favor minimal tooling early in an operation. They rely heavily on native OS utilities to enumerate shares, query Active Directory, and assess privilege escalation pathways. In one case I worked, the attackers spent nearly two days mapping the environment using little more than directory traversal, PowerShell remoting, and built-in Windows command-line tools. They avoided any binary execution that might trip EDR behavioral analytics. Only after identifying an underprotected file server did they deploy a lightweight credential-harvesting script—something simple enough to blend with normal administrative activity.
LockBit operators, by contrast, tend to accelerate rapidly. They deploy reconnaissance tools to inventory domain trusts, administrative groups, and reachable subnets. Their focus is precise: find the fastest path to privileged accounts, identify backup repositories, and locate endpoints with sensitive data. Even when LockBit affiliates use noisy tools, they often do so in windows where defenders are least prepared, such as after-hours periods or change-management cycles when admin activity is expected.
Across both groups, a common theme emerges: once attackers pass through the perimeter, every minute favors them. Defenders with poor telemetry or fragmented monitoring lose the opportunity to detect signs of lateral movement until it’s too late. And by the time ransomware execution begins, the operation is already effectively over.
Ransomware Deployment Still Depends on Human Judgment
A misconception in cybersecurity is that ransomware deployment is automated once initial access is established. In reality, human operators play an active role throughout Akira and LockBit intrusions. Attackers evaluate each target’s security posture and adjust their techniques dynamically. Automated deployment risks exposure. Controlled deployment reduces noise, improves success rates, and allows adversaries to adapt quickly when detection controls trigger.
During an Akira engagement last year, the attackers abandoned their initial path to domain admin after encountering unexpected monitoring tools. Rather than risking a failed escalation, they switched to a quieter approach that involved targeting departmental file servers with lower privileges. They still achieved substantial impact—not because of technical superiority, but because they understood operational risk.
LockBit affiliates exhibit similar discipline. They often pre-stage encryption modules on multiple systems before triggering them simultaneously. This increases the likelihood of overwhelming SOC response workflows. They also dump credentials and exfiltrate data before encryption begins, ensuring leverage even if containment is rapid.
Both groups treat ransomware not as a hammer but as the final act of a planned intrusion. Their methodical approach underscores why defenders must focus not only on stopping encryption but on disrupting the attack chain earlier, where detection probabilities are higher.
Building Effective Detection Around the Edge
The most consistent challenge I’ve observed in enterprise environments is the lack of unified visibility across VPN, edge appliances, and internal authentication systems. Many organizations assume EDR coverage is sufficient, but by the time endpoint sensors detect malicious behavior, the attacker has already bypassed the perimeter. Effective detection must begin at the boundary.
To counter Akira and LockBit, organizations need reliable telemetry at three levels:
1. Authentication Visibility at the VPN Layer
VPN logs should retain enough detail to distinguish anomalies such as:
- Logins from unfamiliar geographies
- Sudden access from dormant accounts
- Authentications without MFA where MFA is mandated
- Repeated logins at unusual hours
These indicators are rarely conclusive alone, but when correlated with identity provider logs, they become powerful early-warning signals.
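The following is an added example, not code from the original post or from any vendor's product, showing how the four VPN-layer indicators above and the "MFA drift" problem described earlier can be checked in one pass. All inputs are constructed: the VPN accept events use a hypothetical key=value syslog layout (no real appliance's format), the identity-provider MFA events and the account directory are made up, and the "working hours" baseline and the 90-day dormancy threshold are assumptions to be tuned per environment.

```python
"""Added example: correlating VPN accept events with IdP MFA signals.

Constructed inputs only; the log format, account data and thresholds are
assumptions, not any vendor's schema. detect_vpn_anomalies() returns
(user, indicator) pairs for the four indicators the post lists.
"""
from datetime import datetime, timedelta

# Constructed VPN accept events (hypothetical key=value format, UTC timestamps).
VPN_LOG = """\
2024-05-11T02:14:09Z user=jdoe src_geo=RO event=vpn_login_success
2024-05-11T08:05:41Z user=asmith src_geo=US event=vpn_login_success
2024-05-11T09:30:00Z user=contractor7 src_geo=US event=vpn_login_success
2024-05-11T10:02:17Z user=asmith src_geo=US event=vpn_login_success
"""

# Constructed identity-provider MFA successes (user, time). Only asmith's
# two logins have a matching MFA challenge; jdoe and contractor7 have none.
IDP_MFA_SUCCESS = [
    ("asmith", datetime(2024, 5, 11, 8, 5, 30)),
    ("asmith", datetime(2024, 5, 11, 10, 2, 10)),
]

# Constructed account directory: historical geographies, last successful
# login, and whether policy mandates MFA for the account.
ACCOUNTS = {
    "jdoe":        {"geos": {"US"}, "last_login": datetime(2024, 5, 10), "mfa_required": True},
    "asmith":      {"geos": {"US"}, "last_login": datetime(2024, 5, 10), "mfa_required": True},
    "contractor7": {"geos": {"US"}, "last_login": datetime(2022, 11, 3), "mfa_required": True},
}

DORMANT_DAYS = 90                 # assumption: account unused this long is dormant
MFA_WINDOW = timedelta(seconds=60)  # assumption: MFA must land within 60s of login
WORK_HOURS = range(6, 20)         # assumption: 06:00-19:59 UTC is the normal baseline


def parse_vpn_line(line):
    """Parse one constructed 'TIMESTAMP k=v k=v ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def mfa_seen(user, ts, mfa_events=IDP_MFA_SUCCESS):
    """True if the IdP recorded an MFA success for user within MFA_WINDOW of ts."""
    return any(u == user and abs(t - ts) <= MFA_WINDOW for u, t in mfa_events)


def detect_vpn_anomalies(log_text=VPN_LOG, accounts=ACCOUNTS):
    """Return (user, indicator) findings for every successful VPN login."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_vpn_line(line)
        if rec.get("event") != "vpn_login_success":
            continue
        user, ts = rec["user"], rec["ts"]
        acct = accounts.get(user)
        if acct is None:
            # A login for an account the directory does not know is itself a finding.
            findings.append((user, "unknown_account"))
            continue
        if rec["src_geo"] not in acct["geos"]:
            findings.append((user, "unfamiliar_geo"))
        if ts - acct["last_login"] > timedelta(days=DORMANT_DAYS):
            findings.append((user, "dormant_account"))
        if acct["mfa_required"] and not mfa_seen(user, ts):
            # MFA drift: policy says MFA is mandatory, but no challenge was recorded.
            findings.append((user, "mfa_missing"))
        if ts.hour not in WORK_HOURS:
            findings.append((user, "unusual_hour"))
    return findings


if __name__ == "__main__":
    for user, indicator in detect_vpn_anomalies():
        print(f"{user}: {indicator}")
```

On the constructed input, jdoe is flagged three times (unfamiliar geography, missing MFA, off-hours), contractor7 twice (dormant account, missing MFA), and asmith not at all. The point is the join: the "mfa_missing" indicator only exists because the VPN accept event is compared against the identity provider's record rather than trusted on its own, which is exactly the gap the post describes when MFA is "technically available but not enforced".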
2. Appliance-Level Integrity Monitoring
While many edge devices lack full forensic telemetry, defenders can still baseline:
- Configuration changes
- Firmware updates or downgrades
- Administrative logins outside change windows
- Unusual service restarts or tunnel creations
Attackers often pivot through appliance interfaces without triggering downstream alerts.
3. Correlation With Internal Lateral Movement
Once a perimeter breach occurs, defenders must detect unusual east–west activity quickly. High-value signals include:
- New administrative share access
- Kerberos ticket anomalies
- Unexpected PowerShell remoting
- Authentication failures followed by privileged access
In nearly every investigation I’ve been part of, early signs of compromise were visible in internal logs—but only in hindsight. Automated correlation is essential for detecting these patterns in real time.
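As an added example covering both the appliance-level integrity signals (section 2) and the internal lateral-movement correlation (section 3), and not code from the original post, the script below joins a constructed appliance audit trail and constructed Windows security events to the VPN session that produced them. The Windows event IDs 4625 (failed logon), 4672 (special privileges assigned to new logon) and 5140 (network share object accessed) are real; the tuple layout, the change windows, the session table and the thresholds are assumptions. In a real pipeline the source address would have to be joined from the 4624 logon record rather than read directly off 4672, which the constructed feed glosses over.

```python
"""Added example: session-scoped correlation of appliance and internal events.

Constructed inputs only. Findings are produced for (a) appliance admin logins
or configuration changes outside an approved change window and (b) internal
events reachable over a live VPN tunnel: repeated logon failures followed by
a privileged logon, and administrative share access.
"""
from datetime import datetime, timedelta


def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed VPN sessions: user -> (start, end, tunnel IP assigned to the client).
VPN_SESSIONS = {
    "jdoe": (t("2024-05-11 02:14"), t("2024-05-11 05:40"), "10.200.0.17"),
}

# Constructed approved change windows for the edge appliance.
CHANGE_WINDOWS = [(t("2024-05-10 22:00"), t("2024-05-11 00:00"))]

# Constructed appliance audit trail: (time, kind, detail).
APPLIANCE_AUDIT = [
    (t("2024-05-10 22:30"), "admin_login", "netops"),
    (t("2024-05-11 03:05"), "admin_login", "netops"),
    (t("2024-05-11 03:07"), "config_change", "mfa_policy=disabled"),
]

# Constructed Windows security events: (time, event_id, src_ip, account, detail).
WINDOWS_EVENTS = [
    (t("2024-05-11 02:30"), 4625, "10.200.0.17", "svc_backup", "bad password"),
    (t("2024-05-11 02:31"), 4625, "10.200.0.17", "svc_backup", "bad password"),
    (t("2024-05-11 02:33"), 4625, "10.200.0.17", "svc_backup", "bad password"),
    (t("2024-05-11 02:40"), 4672, "10.200.0.17", "svc_backup", "SeDebugPrivilege"),
    (t("2024-05-11 03:15"), 5140, "10.200.0.17", "svc_backup", "\\\\FS01\\C$"),
    (t("2024-05-11 09:00"), 5140, "10.10.4.5", "asmith", "\\\\FS01\\Shared"),
]

FAIL_THRESHOLD = 3                 # assumption: three failures is the trigger
FAIL_WINDOW = timedelta(minutes=15)  # assumption: failures must precede within 15m


def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def appliance_findings(audit=APPLIANCE_AUDIT, windows=CHANGE_WINDOWS):
    """Flag admin logins and config changes that fall outside approved change windows."""
    out = []
    for ts, kind, detail in audit:
        if kind == "admin_login" and not in_window(ts, windows):
            out.append(("appliance_admin_login_outside_change_window", detail))
        if kind == "config_change" and not in_window(ts, windows):
            out.append(("appliance_config_change_outside_change_window", detail))
    return out


def session_for_ip(ip, ts, sessions=VPN_SESSIONS):
    """Return the VPN user whose tunnel owned `ip` at time `ts`, or None."""
    for user, (start, end, tunnel_ip) in sessions.items():
        if ip == tunnel_ip and start <= ts <= end:
            return user
    return None


def lateral_findings(events=WINDOWS_EVENTS, sessions=VPN_SESSIONS):
    """Correlate internal Windows events back to the VPN session that produced them."""
    out = []
    failures = {}  # (src_ip, account) -> timestamps of 4625 events
    for ts, eid, src, acct, detail in sorted(events):
        vpn_user = session_for_ip(src, ts, sessions)
        if vpn_user is None:
            continue  # not attributable to a live VPN tunnel; out of scope here
        key = (src, acct)
        if eid == 4625:
            failures.setdefault(key, []).append(ts)
        elif eid == 4672:
            recent = [f for f in failures.get(key, []) if ts - f <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                out.append(("failures_then_privileged_logon", vpn_user, acct))
        elif eid == 5140 and detail.endswith("$"):
            # Hidden administrative shares (C$, ADMIN$) reached over the tunnel.
            out.append(("admin_share_access_over_vpn", vpn_user, detail))
    return out


if __name__ == "__main__":
    for f in appliance_findings() + lateral_findings():
        print(f)
```

The constructed run yields two appliance findings (an admin login and an MFA policy change outside the change window) and two internal findings attributed to jdoe's session (three failures on svc_backup followed by a privileged logon, then access to C$ on FS01). The 09:00 share access from an office address is ignored because it is not reachable through any tunnel; scoping the correlation to VPN sessions is what keeps the rule's noise low.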
Case-Study Observations From Recent Incidents
In incident response, patterns accumulate over time. While each environment is unique, Akira and LockBit operations leave behind identifiable markers that experienced responders learn to recognize.
Case Observation 1: The Stale Account Breach
An enterprise with a mature SOC experienced a breach through a contractor VPN account that had been inactive for 18 months. MFA enrollment was incomplete, and the account was never decommissioned. Attackers authenticated successfully on a Saturday morning, enumerated internal resources, and exfiltrated sensitive engineering data. Encryption never occurred; the intrusion ended with extortion. The root cause was not technology—it was identity lifecycle mismanagement.
Case Observation 2: The Delayed Patch Chain
A global organization postponed patching a widely known edge appliance vulnerability due to a pending network redesign. LockBit affiliates exploited the flaw shortly afterward, bypassing authentication entirely. The attackers obtained domain admin within hours and deployed ransomware across multiple business units. Their velocity reflected an understanding that exploitation would work immediately and that internal defenses were not prepared for the pace of escalation.
Case Observation 3: The Hidden Persistence Layer
In a highly segmented financial environment, Akira operators established persistence through a misconfigured remote desktop gateway after entering via the VPN. They avoided domain-wide escalation and instead focused on departmental systems with limited alerting. The attackers remained undetected for weeks, quietly siphoning data and credentials. The organization discovered the breach only when unusual outbound traffic patterns triggered a network monitoring alert.
These cases illustrate the operational interplay between identity oversight, appliance security, and internal monitoring. The technology stacks differ; the attacker mindset does not.
Architectural Strategies to Reduce Exposure
While no single measure can eliminate the threat of ransomware targeting VPN and edge appliances, organizations can dramatically reduce their exposure by reinforcing foundational controls. These recommendations are grounded in years of offensive and defensive work, where the most effective protections were rarely the most complex.
Rigorous Identity Hygiene
Every breach involving VPN misuse can be traced back to identity gaps. Organizations must:
- Enforce MFA universally, without exceptions
- Disable or delete dormant accounts aggressively
- Audit privileged identity access regularly
- Avoid shared credentials for administrative purposes
Identity sprawl creates unnecessary opportunities for attackers.
Hardening the Edge with Operational Discipline
Edge appliances require:
- Predictable patching cycles supported by leadership
- Continuous configuration baselining
- Strong segmentation to ensure appliances cannot directly access sensitive systems
- Restrictive firewall rules, limiting external access to only essential services
Up-to-date firmware and consistent configuration management disrupt many intrusion attempts before they begin.
Outcome-Focused Monitoring
Security teams should design monitoring not around tools, but around the outcomes they need to detect. The highest-value monitoring strategies include:
- Real-time correlation of VPN logins with identity provider signals
- Alerts for authentication bypass patterns
- Detection for dormant account activity
- Lateral movement indicators tied to privilege escalation attempts
This approach minimizes noise and emphasizes behaviors attackers cannot avoid.
Rethinking Incident Response for Edge-Centric Intrusions
Traditional incident response playbooks often assume endpoint compromise or phishing as the entry point. VPN-driven intrusions require a different posture. When the perimeter itself is the breach vector, containment must begin with identity lockdown and appliance integrity checks.
In recent operations, the most successful response teams I worked with began by:
- Revoking all active VPN sessions
- Forcing global password resets for privileged accounts
- Reviewing all recent configuration changes on edge devices
- Conducting rapid log correlation between VPN and domain controllers
This immediate triage buys time for deeper forensic analysis. Responders then pivot to systems accessed through the VPN tunnel, treating them as potentially compromised regardless of their EDR status.
Edge-centric intrusions also demand business-level communication. Because attackers often move quietly and do not deploy ransomware immediately, leadership may underestimate the risk. The earlier security teams communicate potential blast radius, the faster organizations can mobilize containment resources.
The Future of Perimeter-Focused Ransomware Operations
Akira and LockBit are not anomalies—they represent a broader shift toward identity-driven and appliance-driven intrusions. As more organizations adopt cloud identity providers and consolidate perimeter functions into multifunction edge devices, attackers will continue to exploit any cracks in authentication and visibility.
Ransomware operators, despite their criminal intent, behave like adaptable adversaries in a competitive ecosystem. They refine their playbooks continuously, learn from failed attempts, and share tooling across affiliate networks. As long as VPN and edge appliances remain essential to business operations, they will remain high-value targets.
For defenders, the most effective long-term strategy is not to chase every new vulnerability but to build resilient systems where misconfigurations, monitoring gaps, and identity drift cannot accumulate unchecked. Security leaders must treat identity as the new perimeter and edge appliances as critical infrastructure, not routine equipment. When organizations align architecture, monitoring, and operational processes around this mindset, the effectiveness of ransomware campaigns diminishes significantly.
Explore Gurucul’s advanced security solutions including Next-Gen SIEM, AI SOC Analyst, UEBA, Data Pipeline Management, and Insider Risk Management to strengthen your cybersecurity operations.