Overview

• SonicWall says attackers brute‑forced individual MySonicWall accounts to access backup preference files rather than deploying ransomware.
• Less than 5% of the firewall install base had cloud‑stored configurations accessed, with passwords encrypted but serial numbers and network details exposed.
• The company disabled the backup feature, rotated internal keys, and brought in a third‑party incident response firm while notifying law enforcement.
• Impacted customers are receiving new preference files that randomize local passwords, reset TOTP bindings, and regenerate IPsec VPN keys, with guidance for containment and log review.
• SonicWall reports no evidence of leaks or weaponization to date, as the incident follows months of activity targeting SonicWall devices including Akira ransomware operations.