
The Winner, The Sinner & The Beginner: Zero Trust Reality Check

Zero Trust Reality Check

THE WINNER | Microsoft’s 180,000-Employee Zero Trust Transformation Sets New Enterprise Standard

Microsoft’s Secure Future Initiative demonstrates how Zero Trust implementation works at massive scale. Through their real-world deployment across all Microsoft employees, they’ve eliminated broad access VPNs and implemented least privilege access across their entire infrastructure.

Their Zero Trust implementation targeted the core set of applications that Microsoft employees use daily (Microsoft 365 apps, line-of-business apps) on platforms like iOS, Android, macOS, Linux, and Windows, expanding to include all applications used across Microsoft.


The transformation wasn’t just technical; it was cultural. Microsoft learned that tools alone don’t stick; people do. The Secure Future Initiative’s emphasis on culture, clear security objectives, ongoing training, and individual performance goals creates accountability.

They moved from physical smart cards to phone-based authentication, and finally to modern experiences using the Microsoft Authenticator application. Any corporate-owned or personal device that accesses company resources must be managed through their device management systems.


The results speak for themselves: Microsoft has deployed automated operating system upgrades to 86% of their first-party Virtual Machine Scale Sets (VMSS)-based services, resulting in more than 91 million upgrades in 2024.

Their approach validates controls with attack simulations, maps and limits lateral paths through environment trust relationships, and ensures every device, virtual machine, and service is inventoried and sending telemetry.


What makes Microsoft’s approach particularly compelling is their focus on practical implementation. They developed six pillars and 28 objectives to help focus on what truly matters, analyzing top risks and grouping them into measurable objectives that give teams clear roadmaps and help prioritize efforts that move the needle. This isn’t theoretical; it’s operational Zero Trust at enterprise scale.

THE SINNER | Akira Ransomware Exploits SonicWall SSL VPNs, Hits 28+ Organizations in Coordinated August 2025 Campaign

Akira ransomware operators exploited SonicWall SSL VPN vulnerabilities in a coordinated campaign targeting over 28 organizations since July 25, 2025. Arctic Wolf researchers revealed that multiple pre-ransomware intrusions occurred within a short period of time, each involving VPN access through SonicWall SSL VPNs targeting Gen 7 firewalls. The attackers demonstrated sophisticated post-exploitation techniques, moving laterally to domain controllers within hours of initial breach.

The technical methodology reveals the devastating effectiveness of SonicWall SSL VPN ransomware attacks. The sinners leveraged CVE-2024-40766, a critical improper access control vulnerability with a CVSS score of 9.3, originally disclosed by SonicWall in August 2024. Despite many organizations believing their devices were fully patched, the Akira ransomware SonicWall campaign exploited environments where local user passwords weren’t reset during the migration from Gen 6 to Gen 7 firewalls, a crucial recommended action that many organizations overlooked.


Once inside the network via compromised SSL VPN access, the Akira operators executed a well-worn post-exploitation path: network enumeration, detection evasion through techniques to disable Microsoft Defender Antivirus, lateral movement to critical systems, and systematic credential theft. They employed Bring Your Own Vulnerable Driver (BYOVD) techniques, leveraging legitimate Windows drivers like rwdrv.sys (from the ThrottleStop driver utility) and hlpdrv.sys to gain kernel-level access and disarm antivirus solutions at the system level.


The attack chain’s precision demonstrates why SSL VPNs remain attractive targets. The sinners methodically worked to delete Volume Shadow Copies (VSS) before deploying ransomware, ensuring victims couldn’t recover encrypted files from system backups. Huntress researchers noted the speed and success of these attacks, even against environments with multi-factor authentication enabled, strongly suggesting exploitation of previously unknown vulnerabilities combined with weak credential management practices.

What makes this campaign particularly insidious is how it exploited the fundamental trust model of SSL VPN infrastructure. Organizations assumed their “fully patched” devices were secure, but overlooked the critical post-patch remediation steps required after SonicWall Gen 7 deployment. The attackers understood that SSL VPN compromise provides immediate trusted network access, eliminating the need for complex lateral movement techniques that Zero Trust architectures would detect and contain.


The financial impact speaks to the campaign’s effectiveness: Akira ransomware actors are estimated to have extorted approximately $42 million in illicit proceeds after targeting more than 250 victims since emerging in March 2023. Check Point statistics show Akira was the second most active ransomware group in Q2 2025, claiming 143 victims during that period alone. The SonicWall SSL VPN ransomware campaign represents a significant escalation in their operational tempo and technical sophistication.


THE BEGINNER | Organizations Struggle with Zero Trust Implementation Despite Understanding Strategic Necessity


Organizations struggling with the complexity of Zero Trust implementation often find themselves caught between understanding the need and executing the strategy. Customers have consistently told Microsoft that they see Zero Trust as a strategic foundation for how they approach and run a modern security practice. However, customers have also shared that they need help and guidance understanding how their security products could help them achieve a Zero Trust vision, and how they can measure how far along they are on their journey.


The beginner’s challenge isn’t lack of awareness; it’s translating Zero Trust principles into practical, measurable implementation steps. Many organizations recognize that their current VPN-based remote access provides too much network-level access for users who only need specific applications. They understand conceptually that instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network, but they struggle with where to start.


Recent attacks like the Akira ransomware campaign against SonicWall SSL VPNs serve as stark reminders of why traditional perimeter security fails. Organizations that experienced these attacks often discover they lack visibility into post-exploitation activities like attempts to disable Microsoft Defender Antivirus or delete Volume Shadow Copies, highlighting the need for comprehensive endpoint detection and response capabilities within a Zero Trust framework.
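The visibility gap described here, and the post-exploitation steps in the Akira section above (disabling Microsoft Defender Antivirus, deleting Volume Shadow Copies, and loading the rwdrv.sys and hlpdrv.sys drivers for BYOVD), can be covered with a few endpoint-telemetry rules. The Python below is an added example, not code from this article, Arctic Wolf, Huntress, or Microsoft. The pipe-delimited event format, host names, and telemetry lines are constructed for the example, and the command-line patterns it matches (vssadmin/wmic shadow-copy deletion, Set-MpPreference disable switches, stopping the WinDefend service) are assumed typical forms rather than commands the campaign reporting quotes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Driver file names the reporting identifies as abused for BYOVD.
BYOVD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Command-line signatures for the other two post-exploitation steps.
# Assumed typical forms, not commands quoted in the article.
PROCESS_RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "defender_tamper": [
        re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I),
        re.compile(r"\bsc(\.exe)?\b\s+(stop|config)\s+WinDefend\b", re.I),
    ],
}


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (detail = command line) or "driver_load" (detail = image path)
    host: str
    user: str
    detail: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    evidence: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'kind|host|user|detail' telemetry record."""
    kind, host, user, detail = line.split("|", 3)
    return Event(kind.strip(), host.strip(), user.strip(), detail.strip())


def evaluate(event: Event):
    """Return an Alert if the event matches a rule, otherwise None."""
    if event.kind == "driver_load":
        # Match on the image file name only; the directory is attacker-chosen.
        name = event.detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in BYOVD_DRIVERS:
            return Alert(event.host, "byovd_driver_load", event.detail)
    elif event.kind == "process":
        for rule, patterns in PROCESS_RULES.items():
            if any(p.search(event.detail) for p in patterns):
                return Alert(event.host, rule, event.detail)
    return None


def detect(lines):
    """Run every rule over a telemetry stream; blank lines and '#' comments are skipped."""
    alerts = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            alert = evaluate(parse_line(line))
            if alert is not None:
                alerts.append(alert)
    return alerts


def triage(alerts):
    """Per-host severity: one rule firing is 'high'; two or more distinct rules on
    the same host means the disarm-AV / destroy-backups / kernel-driver chain is
    being assembled and is 'critical'."""
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert.host].add(alert.rule)
    return {host: ("critical" if len(rules) >= 2 else "high")
            for host, rules in rules_by_host.items()}


# Constructed telemetry; hosts, users and paths are fictitious.
SAMPLE_TELEMETRY = [
    "# kind|host|user|detail",
    r"process|WS-0412|corp\jdoe|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"process|WS-0412|corp\jdoe|powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"driver_load|WS-0412|SYSTEM|C:\Users\Public\rwdrv.sys",
    r"driver_load|DC-01|SYSTEM|C:\Windows\System32\drivers\hlpdrv.sys",
    r"process|FS-02|corp\svc_backup|wmic shadowcopy delete",
    r"process|WS-0199|corp\asmith|C:\Windows\System32\notepad.exe report.txt",
]

if __name__ == "__main__":
    found = detect(SAMPLE_TELEMETRY)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.evidence}")
    print(triage(found))
```

On the constructed sample, WS-0412 trips all three rules and is triaged as critical, while DC-01 and FS-02 each trip one. The driver rule keys on file name rather than path because a vulnerable signed driver loads just as well from a user-writable directory; a production rule would additionally check the driver's signer and hash rather than its name alone.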


Microsoft expanded their Zero Trust workshop from three Zero Trust pillars to cover a total of six pillars, adding networking (implementing micro-segmentation, real-time threat detection, and secure access to network resources), infrastructure (securing cloud and on-premises infrastructure through robust configurations, access management, and continuous monitoring), and SecOps (strengthening threat detection and response capabilities).


The beginner’s realization often comes through specific scenarios that expose their current vulnerabilities. They discover that their remote workers have the same network access regardless of device security posture, location, or time of access. They learn that their “encrypted at rest” data protection doesn’t address compromised credentials with legitimate access. They realize that their network monitoring can detect threats but can’t dynamically respond to sophisticated techniques like BYOVD attacks using drivers such as rwdrv.sys or hlpdrv.sys.

What distinguishes successful beginners from those who remain stuck is their approach to implementation. Successful organizations develop measurable objectives and clear roadmaps based on their priorities, focusing efforts on what truly matters rather than trying to implement everything simultaneously.

They understand that Zero Trust isn’t a product to purchase but a strategic approach that requires cultural change, ongoing training, and embedded security accountability across every role.


The beginner’s journey often starts with identity and device management: ensuring that every access request is authenticated and that every device accessing corporate resources is managed and monitored. From there, they progress to application-level access controls, network microsegmentation, and finally to advanced behavioral analytics and automated response capabilities that can detect and prevent the kind of sophisticated attacks demonstrated by the Akira ransomware SonicWall campaign.
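The contrast between a broad-access VPN and the per-request verification described in the Beginner section above can be made concrete with a small policy evaluator. The Python below is an added example, not Microsoft's code or a model of any vendor's conditional-access product. The application names, entitlements and user names are constructed, and the signals it checks (entitlement, sign-in risk, device enrolment and compliance, MFA) are the ones this article names; the `network` field is present only to show that location is deliberately not consulted.

```python
from dataclasses import dataclass

# Per-application entitlements (constructed sample data). The empty set for
# admin-console means nobody reaches it through this policy; a privileged-access
# path would need its own, stricter rules.
APP_ENTITLEMENTS = {
    "mail": {"jdoe", "asmith"},
    "hr-portal": {"asmith"},
    "admin-console": set(),
}
ALL_APPS = frozenset(APP_ENTITLEMENTS)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    password_ok: bool
    device_managed: bool
    device_compliant: bool
    mfa_satisfied: bool
    sign_in_risk: str    # "low" | "medium" | "high"
    network: str         # "corp" or "internet"; intentionally never trusted


def decide(req: AccessRequest):
    """Zero Trust decision for one request: ('allow'|'deny'|'step_up', reason).
    Every request is evaluated as if it came from an open network, so
    req.network never appears in the checks below."""
    if not req.password_ok:
        return "deny", "authentication failed"
    if req.user not in APP_ENTITLEMENTS.get(req.app, set()):
        return "deny", "no entitlement for this application"
    if req.sign_in_risk == "high":
        return "deny", "high sign-in risk"
    if not req.device_managed:
        return "deny", "device not enrolled in management"
    if not req.device_compliant:
        return "deny", "device fails compliance policy"
    if not req.mfa_satisfied:
        return "step_up", "MFA required for this request"
    return "allow", "all signals satisfied"


def legacy_vpn_reachable(password_ok: bool):
    """Broad-access VPN model: one successful password login exposes every
    application on the segment, whatever the device or risk signals say."""
    return set(ALL_APPS) if password_ok else set()


def zero_trust_reachable(user, password_ok, device_managed, device_compliant,
                         mfa_satisfied, sign_in_risk, network="internet"):
    """Applications the same principal can actually open when each request is verified."""
    return {
        app for app in ALL_APPS
        if decide(AccessRequest(user, app, password_ok, device_managed,
                                device_compliant, mfa_satisfied,
                                sign_in_risk, network))[0] == "allow"
    }


if __name__ == "__main__":
    # Constructed scenario: a valid but stolen password used from an unmanaged
    # device with no MFA, the situation the SSL VPN compromises above exploited.
    print("legacy VPN          :", sorted(legacy_vpn_reachable(True)))
    print("zero trust          :", sorted(zero_trust_reachable(
        "jdoe", True, False, False, False, "low")))
    # Same user from a managed, compliant device with MFA satisfied.
    print("zero trust (healthy):", sorted(zero_trust_reachable(
        "jdoe", True, True, True, True, "low", network="corp")))
```

With a stolen password alone the legacy model exposes all three applications, while the per-request model exposes none; the healthy device reaches only the one application the user is entitled to. The check order puts the cheapest, most definitive denials first so that an unentitled or high-risk request never triggers an MFA prompt that would reveal which factors the attacker is missing.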
