These are not large companies. They are exactly the size of company NexusTek serves every day. The attackers chose them on purpose. Akira is the second-largest ransomware group operating right now. They have collected over $244 million from businesses like yours. They prefer small and medium businesses because the defenses are thinner and the payouts come faster.
The FBI and CISA put out a joint advisory naming Akira as a top-five threat. They named the door: VPN accounts protected only by passwords, and unpatched firewalls. Specifically, SonicWall firewalls. This week, SonicWall released an emergency advisory for Gen 6, Gen 7, and Gen 8 firewalls. That is essentially every SonicWall currently in the field.
If your business runs a SonicWall firewall and your IT person hasn't confirmed the new firmware is installed this week, your front door is the door Akira walks through.
Three questions. Send them in an email. Ask for a written answer, not a verbal one.
Is our firewall fully patched as of this week? If the answer is "I'll check," that is the right answer. If the answer is "we're fine" without a check, that is not.
What kind of multi-factor authentication do we have on remote access, and has anyone evaluated whether it's phishing-resistant? This is the question we have to be specific about. There is a difference between traditional multi-factor authentication (text messages, push notifications, authenticator-app codes) and phishing-resistant multi-factor authentication, which uses hardware security keys or passkeys built into the device. The distinction matters because attackers have learned to bypass traditional MFA. They run a fake login page that sits between you and the real one, capture your credentials and your MFA code in real time, and steal the session that gets created after you log in. The user does everything right and still gets compromised. We have seen this happen to businesses that thought they were protected. Phishing-resistant MFA (the FIDO2 standard, hardware keys like YubiKeys, passkeys on phones and laptops) is the only category that actually stops this attack. If your IT person says "we have MFA" without specifying which kind, that is the conversation to have this week.
If we got hit tomorrow, when did we last test that we can actually restore from a backup? Almost every business has backups. Few have tested them. Akira specifically deletes backups before encrypting, so the backup you didn't test is the backup you don't have.
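For the IT person answering the second question, the sketch below shows the server-side difference between the two kinds of MFA. It is an added example, not NexusTek or vendor code: it covers only the origin, challenge and RP ID checks a FIDO2/WebAuthn login server performs (signature verification is omitted), and the host names, challenge and code values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://vpn.example.com"  # assumed login origin (placeholder)
RP_ID = "vpn.example.com"                    # assumed relying-party ID (placeholder)

def verify_otp(submitted: str, expected: str) -> bool:
    # A code is only a number: it does not record which site it was typed into,
    # so a code relayed by a look-alike page verifies exactly like a direct one.
    return hmac.compare_digest(submitted, expected)

def browser_response(page_origin: str, rp_id: str, challenge: bytes):
    # Constructed stand-in for the browser and authenticator: the browser, not
    # the user, writes the origin of the page that actually made the request.
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": page_origin,
    }).encode()
    # rpIdHash (32 bytes) + flags (user present) + signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data

def verify_assertion_binding(client_data: bytes, auth_data: bytes, challenge: bytes):
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong type"
    sent = data.get("challenge", "")
    got = base64.urlsafe_b64decode(sent + "=" * (-len(sent) % 4))
    if not hmac.compare_digest(got, challenge):
        return False, "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    return True, "ok"

if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"  # constructed sample value
    print(verify_otp("492817", "492817"))  # a relayed code still verifies
    print(verify_assertion_binding(*browser_response(EXPECTED_ORIGIN, RP_ID, challenge), challenge))
    fake = "https://vpn-example.login-portal.test"  # constructed look-alike origin
    print(verify_assertion_binding(*browser_response(fake, "vpn-example.login-portal.test", challenge), challenge))
```

The one-time code passes no matter which page collected it; the WebAuthn response is rejected as soon as the browser-reported origin is not the real login site.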
A dental office gets a ransom note Monday morning. The patient management system is locked. Appointments cannot be scheduled, X-rays cannot be opened, billing cannot run. The attacker wants $300,000 in cryptocurrency or the patient records (names, addresses, dates of birth, insurance details, treatment notes) will get published.
The decision in front of the owner: pay and hope, or refuse and rebuild. Either path costs weeks. Either path triggers HIPAA notification to every patient. The reputational hit in a community where the practice runs on word-of-mouth is the cost that doesn't show up on any invoice.
A school supplier gets hit the same way. Now the K-12 districts that buy from them are wondering what data the attacker has. The supplier's customers, the schools, are required to investigate before they can keep buying. Sales freeze for a quarter while lawyers and IT consultants sort it out.
These are not hypothetical. They happened this month.
Beyond ransomware:
This week, NexusTek achieved Final CMMC Level 2 certification, verified by an independent C3PAO against all 110 controls of NIST SP 800-171 Rev 2. Tens of thousands of DoD contractors need Level 2 to keep bidding, and only a small fraction are audit-ready. Self-attestation under DFARS 7012 has been replaced by real regulatory, legal, and contract risk. If you are a prime worried about your subs, or a sub worried about your own readiness, the path is the same one we just walked: gap assessment, SSP, POA&M, remediation, audit. We do not have to ask you to take our word for it. We just did it ourselves.
If our business stopped operating normally for two weeks because of a cyberattack, which work would hurt the most?
That is the work you can least afford to discover is under attack. Watch that one first. Make sure your IT person knows it is the one.
NexusTek monitors these threats so our customers do not have to. If you have a question about whether something in this brief affects your specific environment, ask your account team. If you don't have an account team — for SMB managed services, for CMMC readiness, for the conversations this brief surfaces — this is the kind of work we do every day for businesses your size.
— NexusTek Security