Overview
- SonicWall says attackers brute‑forced individual MySonicWall accounts to access backup preference files rather than deploying ransomware.
- Less than 5% of the firewall install base had cloud‑stored configurations accessed, with passwords encrypted but serial numbers and network details exposed.
- The company disabled the backup feature, rotated internal keys, and brought in a third‑party incident response firm while notifying law enforcement.
- Impacted customers are receiving new preference files that randomize local passwords, reset TOTP bindings, and regenerate IPsec VPN keys, with guidance for containment and log review.
- SonicWall reports no evidence of leaks or weaponization to date. The incident follows months of activity targeting SonicWall devices, including Akira ransomware operations.