Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Today’s SMB cyber brief: VPN access (SonicWall) and stolen logins feeding ransomware

What small and medium-sized businesses should look out for today.

High Thursday 21 May 2026, 18:20 UK time
Today’s look-out: Remote access takeover and follow-on ransomware disruption

What to look out for today

1) Remote access/VPN compromise leading to ransomware. Reporting highlights attackers targeting SonicWall Gen6 SSL-VPNs, using brute-forced credentials and an MFA bypass scenario on devices where patching was incomplete, then deploying tools commonly associated with ransomware intrusions.

2) Stolen account credentials being reused. A law-enforcement case underscores how infostealer activity can result in large volumes of stolen accounts that later get reused for email, SaaS and remote access logins.

Why this matters to smaller businesses

  • VPN and remote access are “front doors”. If your VPN is compromised, attackers can often reach file servers, finance systems, shared drives and backups.
  • Ransomware is usually a chain of small failures. Password reuse, weak monitoring, and gaps in MFA/patching can combine into a major outage.
  • Infostealer fallout hits SMEs hard. Even if the original malware infection was on a single laptop, the stolen browser passwords and session tokens can enable later account takeover.

Warning signs

  • Unexpected VPN login prompts, lockouts, or repeated MFA requests reported by staff.
  • VPN logins at unusual times, from unusual locations, or for dormant/leaver accounts.
  • Sudden creation of new admin users, new remote access accounts, or changes to security settings.
  • Unexplained endpoint security alerts, new “remote support” tools appearing, or disabled security controls.
  • Users reporting their email or Microsoft 365/Google account “signed out everywhere” or password reset messages they didn’t initiate.

How attackers may exploit the situation

  • Password guessing / credential stuffing against VPN accounts, especially where passwords are reused.
  • MFA bypass opportunities where devices are not fully patched or where MFA is misapplied (e.g., not enforced for all users, service accounts, or certain login paths).
  • Use of stolen credentials from infostealers to log into email/SaaS, then pivot into finance workflows (invoice fraud) or into IT admin panels (for wider disruption).
  • Ransomware playbook: gain access → expand permissions → disable/evade security → exfiltrate data → encrypt systems.

What to do today

  • Confirm who owns VPN security checks today (internal IT or MSP) and ensure there is active monitoring for repeated failed logins and unusual geo/time access.
  • Review VPN accounts: remove leavers, disable unused accounts, and ensure admin access is tightly limited.
  • Reset passwords where risk is suspected (especially any accounts reused across services). Prioritise VPN, email and admin accounts.
  • Harden MFA usage: ensure MFA is enforced for all VPN users and administrators, with clear exception handling and documentation.
  • Rehearse your “ransomware first hour” steps: who to call, how to isolate devices, and how to keep trading (phones, email, payments).

Ask your IT provider

  • Are we using SonicWall SSL-VPN (Gen6), and if so have we verified patching is complete and consistent across the estate?
  • Do we have alerting for brute-force attempts and automatic blocking/lockout tuned to avoid easy abuse?
  • Is MFA enforced for every VPN user (including admins) and are there any exceptions or alternate login paths?
  • What logs are retained for VPN access, and for how long? Who reviews them and how quickly?
  • If a VPN account is suspected compromised, what is the exact containment runbook (disable account, isolate device, revoke sessions, check for persistence)?

Patch watch

If you rely on SonicWall SSL-VPN, today’s reporting is a reminder to verify that security updates are not just “applied” but complete and consistent across devices and configurations; partial or delayed rollouts can leave gaps attackers can exploit.

One action today

Ask your IT provider today for a written confirmation of VPN MFA enforcement and a check of the last 7 days of VPN login attempts for brute-force patterns and unusual access.
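The 7-day VPN log review asked for above, and the warning signs listed earlier (repeated failed logins, logins at unusual times, logins for leaver or dormant accounts), can be scripted rather than eyeballed. The following is an added example and is not part of this brief or of any SonicWall tooling: it assumes a generic, constructed "timestamp user source-IP result" log line rather than SonicWall's actual syslog format, a hypothetical LEAVERS set that you would fill from HR/IT records, and a working-hours window that you would set to your own. Adapt parse_line() to whatever your appliance or MSP exports.

```python
"""Triage a VPN authentication log export for the patterns in this brief.

Added example: the log format, thresholds and leaver list below are
assumptions for illustration, not SonicWall's real schema or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, user, source IP, result).
SAMPLE_LOG = """\
2026-05-20T02:11:05 alice 203.0.113.10 FAIL
2026-05-20T02:11:09 alice 203.0.113.10 FAIL
2026-05-20T02:11:14 alice 203.0.113.10 FAIL
2026-05-20T02:11:20 alice 203.0.113.10 FAIL
2026-05-20T02:11:27 alice 203.0.113.10 FAIL
2026-05-20T02:11:33 alice 203.0.113.10 SUCCESS
2026-05-20T09:15:00 bob 198.51.100.7 SUCCESS
2026-05-20T23:40:12 carol 198.51.100.9 SUCCESS
2026-05-21T10:02:44 dave 192.0.2.55 SUCCESS
"""

# Assumed: accounts HR/IT say should no longer exist (leavers) or are long unused.
LEAVERS = {"carol"}

BRUTE_FORCE_THRESHOLD = 5             # failures from one source IP inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
WORK_HOURS = range(7, 20)             # 07:00-19:59 local; anything else is "unusual time"


def parse_line(line):
    """Split one assumed-format log line into a dict; adapt this for your export."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "ok": result == "SUCCESS"}


def triage(log_text):
    """Return a list of findings: brute-force runs, leaver logins, out-of-hours logins."""
    events = sorted((parse_line(ln) for ln in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    findings = []

    # 1) Brute force: THRESHOLD or more failures from one source IP within the
    #    sliding window; escalate if a success from that IP follows the run
    #    (password guessing that worked, or an MFA gap being exercised).
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i, start in enumerate(fails):
            run = [t for t in fails[i:] if t - start <= BRUTE_FORCE_WINDOW]
            if len(run) >= BRUTE_FORCE_THRESHOLD:
                success_after = any(e["ok"] and e["ts"] > run[-1] for e in evs)
                findings.append({"type": "brute_force", "ip": ip,
                                 "failures": len(run), "success_after": success_after})
                break   # one finding per IP is enough for triage

    # 2) A leaver or dormant account logged in successfully.
    for e in events:
        if e["ok"] and e["user"] in LEAVERS:
            findings.append({"type": "leaver_login", "user": e["user"], "ip": e["ip"]})

    # 3) Successful login outside the working-hours window.
    for e in events:
        if e["ok"] and e["ts"].hour not in WORK_HOURS:
            findings.append({"type": "out_of_hours", "user": e["user"],
                             "ts": e["ts"].isoformat()})

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the constructed sample this flags the 5-failure run from 203.0.113.10 followed by a success, carol's login (a leaver) and two out-of-hours logins. Treat a brute-force run that ends in a success, or any leaver login, as the trigger for the containment runbook in the "Ask your IT provider" list: disable the account, revoke sessions, isolate the device and check for persistence.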

Related Actions On Cyber resource

Actions On Cyber: Ransomware readiness checklist (first hour actions + backup and access controls)

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.