How a SonicWall Cloud Backup Flaw Enabled a Major Ransomware Attack on U.S. Banks

How a SonicWall Cloud Backup Flaw Enabled a Major Ransomware Attack on U.S. Banks

Alex Cipher's Profile Pictire Alex Cipher 7 min read

A single API misstep in SonicWall’s MySonicWall cloud backup service set off a chain reaction that rippled through the U.S. financial sector, culminating in a ransomware attack that disrupted operations at 74 banks and exposed the personal data of over 400,000 individuals. The breach, traced back to a February 2025 code change, allowed attackers to sidestep authentication simply by enumerating device serial numbers—a flaw that turned backup files into a treasure trove for cybercriminals (BleepingComputer, 2026; MLQ.ai, 2026).

What makes this incident especially alarming isn’t just the technical vulnerability, but the sensitive nature of the data exposed: encrypted credentials, firewall configurations, and even multi-factor authentication (MFA) scratch codes. Attackers, identified as state-sponsored, leveraged these backups to bypass Marquis’s security controls, ultimately deploying ransomware and exfiltrating sensitive customer data (The Cyber Express, 2026).

The fallout was swift and severe: delayed notifications, incomplete disclosures, and a wave of lawsuits. Marquis’s legal action against SonicWall highlights not only the technical failures but also the critical importance of transparency and rapid incident response in the age of cloud-based security (BleepingComputer, 2026).

How a Cloud Backup Glitch Opened the Door to Ransomware: The Technical Breakdown

The Vulnerability in SonicWall’s Cloud Backup API

In February 2025, SonicWall implemented a code change in the API of its MySonicWall cloud backup service. This change inadvertently introduced a critical security gap that allowed unauthorized access to firewall configuration backup files. Specifically, the API flaw permitted attackers to retrieve backup files by simply guessing or enumerating valid device serial numbers, bypassing authentication mechanisms that should have protected these sensitive assets (MLQ.ai, 2026; BleepingComputer, 2026).

The backup files stored in SonicWall’s cloud infrastructure contained highly sensitive data, including:

  • AES-256 encrypted credentials
  • Complete firewall configuration data
  • Multi-factor authentication (MFA) scratch codes
  • Emergency administrative access codes

This vulnerability was not immediately detected or disclosed. SonicWall initially estimated that only 5% of its customer base was affected, but later confirmed that all clients using the cloud backup service were impacted (BleepingComputer, 2026).

Table 1: Timeline of the Vulnerability

DateEvent
Feb 2025API code change introduces vulnerability in MySonicWall cloud backup
Aug 14, 2025Attackers breach Marquis using compromised firewall configuration data
Sep 17, 2025SonicWall discloses breach, initially claims 5% of customers affected
Jan 2026Marquis publicly accuses SonicWall of cloud backup security failures
Feb 2026Marquis files lawsuit against SonicWall

(BleepingComputer, 2026; MLQ.ai, 2026)

Exploitation Pathway: From Cloud Backup to Network Compromise

The attackers, identified by Mandiant as state-sponsored actors, exploited the API vulnerability to download firewall configuration backups from SonicWall’s cloud. These files, intended for disaster recovery and administrative convenience, became the blueprint for bypassing Marquis’s network defenses (BleepingComputer, 2026; The Cyber Express, 2026).

Key technical steps in the exploitation included:

  1. Enumeration of Valid Serial Numbers: Attackers systematically guessed or enumerated serial numbers associated with customer devices, exploiting the lack of robust authentication in the API.
  2. Download of Configuration Files: With valid serials, attackers downloaded encrypted backup files containing firewall configurations and authentication data.
  3. Extraction of MFA Scratch Codes and Credentials: The backup files included MFA scratch codes—emergency, one-time-use codes meant for administrative access. These codes, along with other credentials, enabled the attackers to bypass multi-factor authentication and gain privileged access to Marquis’s network.
  4. Deployment of Ransomware: Once inside, the attackers deployed ransomware, disrupting operations at 74 U.S. banks and exfiltrating sensitive customer data (BleepingComputer, 2026; Aetos.AI, 2026).

Table 2: Exploitation Sequence

StepActionOutcome
1Enumerate serial numbersIdentify valid devices for attack
2Download backup filesObtain configuration, credentials, and MFA codes
3Extract credentials & scratch codesBypass MFA, gain administrative access
4Deploy ransomwareDisrupt operations, steal sensitive data

(The Cyber Express, 2026; MLQ.ai, 2026)

The Role of Configuration Data in Security Bypass

Firewall configuration backups are not just technical blueprints—they are operational keys. In this incident, the backup files contained:

  • Network topology and firewall rules: Allowing attackers to map Marquis’s internal network and identify weak points.
  • Encrypted and plain-text credentials: Some credentials, while encrypted, could be brute-forced or were stored in a reversible format.
  • MFA scratch codes: These codes are intended for use when standard MFA is unavailable. Attackers used them to bypass MFA protections entirely (The Cyber Express, 2026).

By leveraging this data, attackers could simulate legitimate administrative actions, making detection and mitigation significantly more difficult. Marquis reported that, at the time of the breach, its firewall was fully patched, MFA was enabled, and additional security controls were in place—yet the attackers succeeded due to the exposure of these backup files (BleepingComputer, 2026).

Notification Delays and Incident Response Gaps

SonicWall’s response to the breach was marked by delays and incomplete disclosures. The company waited approximately three weeks after discovering the breach to notify affected customers, initially downplaying the scope by stating that only 5% of users were impacted. It was only after further investigation that SonicWall admitted the vulnerability affected all customers using the cloud backup service (BleepingComputer, 2026).

Marquis alleges that when it contacted SonicWall directly regarding the MFA bypass, the vendor withheld critical information and did not provide timely guidance or transparency. This lack of prompt communication and support is cited in Marquis’s lawsuit as a contributing factor to the scale of the damage suffered (BleepingComputer, 2026).

Table 3: Notification Timeline and Impact

EventSonicWall’s ActionImpact on Marquis and Clients
Breach discoveryDelay in notification (3 weeks)Extended exposure, delayed mitigation
Initial disclosureClaimed 5% affectedUnderestimated scope, limited response
Full disclosureAll cloud backup users affectedWidespread incident response required
Post-breach supportWithheld information on MFA bypassHindered Marquis’s remediation efforts

(BleepingComputer, 2026)

Impact Assessment: Data Exfiltration and Ransomware Spread

The technical failure in SonicWall’s cloud backup service directly facilitated a ransomware attack with far-reaching consequences. Attackers exfiltrated files containing:

  • Names
  • Addresses
  • Phone numbers
  • Social Security numbers
  • Taxpayer Identification Numbers
  • Financial account information

According to Texas Attorney General records, at least 400,000 individuals were affected by the breach (MLQ.ai, 2026). The ransomware attack disrupted operations at 74 U.S. banks and triggered more than 36 consumer class action lawsuits against Marquis (BleepingComputer, 2026).

Table 4: Scope of Impact

MetricValue
Individuals affected400,000+
Financial institutions impacted74
Marquis’s customers (total)700+
Consumer class action lawsuits36+

(MLQ.ai, 2026; BleepingComputer, 2026)

Lessons on Cloud Backup Security Architecture

This incident underscores the critical importance of securing cloud backup services, particularly those holding configuration and authentication data for security devices. Key architectural lessons include:

  • API Security: All API endpoints, especially those granting access to sensitive backups, must enforce strong authentication and authorization checks. Enumeration attacks should be mitigated by rate limiting and anomaly detection.
  • Encryption and Key Management: While AES-256 encryption was used, the presence of MFA scratch codes and credentials in the backup files highlights the need for secure key management and the avoidance of storing emergency access codes in recoverable formats.
  • Segregation of Duties: Backup systems should separate administrative access from user access, and backup files should be inaccessible without multi-layered authentication.
  • Prompt Incident Disclosure: Timely and transparent communication with affected clients is essential to enable rapid mitigation and limit the spread of attacks.

Table 5: Recommended Security Controls

Control AreaBest Practice Example
API SecurityStrong auth, rate limiting, anomaly detection
Backup File AccessMulti-layered auth, encrypted storage, access logging
Credential HandlingAvoid storing emergency codes in recoverable backups
Incident ResponseImmediate notification, detailed guidance to clients

(MLQ.ai, 2026; BleepingComputer, 2026)


This report section provides a technical breakdown of how a cloud backup vulnerability in SonicWall’s MySonicWall service enabled a devastating ransomware attack on Marquis, focusing on the sequence of exploitation, the role of configuration data, notification delays, the scale of impact, and architectural lessons for cloud backup security.

Final Thoughts

The Marquis-SonicWall breach is a stark reminder that even the most robust security controls can be undone by a single overlooked vulnerability—especially when it comes to cloud backup systems holding the keys to the kingdom. This incident underscores the need for airtight API security, careful handling of backup data, and above all, transparent and timely communication with affected clients (MLQ.ai, 2026).

For organizations relying on cloud-based security solutions, the lessons are clear: enforce strong authentication, avoid storing emergency access codes in recoverable formats, and demand prompt, honest disclosures from vendors. As attackers grow more sophisticated and the stakes rise, the difference between a contained incident and a sector-wide crisis may hinge on these very practices (BleepingComputer, 2026; The Cyber Express, 2026).

References