How a SonicWall Cloud Backup Flaw Enabled a Major Ransomware Attack on U.S. Banks
A single API misstep in SonicWall’s MySonicWall cloud backup service set off a chain reaction that rippled through the U.S. financial sector, culminating in a ransomware attack that disrupted operations at 74 banks and exposed the personal data of over 400,000 individuals. The breach, traced back to a February 2025 code change, allowed attackers to sidestep authentication simply by enumerating device serial numbers—a flaw that turned backup files into a treasure trove for cybercriminals (BleepingComputer, 2026; MLQ.ai, 2026).
What makes this incident especially alarming isn’t just the technical vulnerability, but the sensitive nature of the data exposed: encrypted credentials, firewall configurations, and even multi-factor authentication (MFA) scratch codes. Attackers, identified as state-sponsored, leveraged these backups to bypass Marquis’s security controls, ultimately deploying ransomware and exfiltrating sensitive customer data (The Cyber Express, 2026).
The fallout was swift and severe: delayed notifications, incomplete disclosures, and a wave of lawsuits. Marquis’s legal action against SonicWall highlights not only the technical failures but also the critical importance of transparency and rapid incident response in the age of cloud-based security (BleepingComputer, 2026).
How a Cloud Backup Glitch Opened the Door to Ransomware: The Technical Breakdown
The Vulnerability in SonicWall’s Cloud Backup API
In February 2025, SonicWall implemented a code change in the API of its MySonicWall cloud backup service. This change inadvertently introduced a critical security gap that allowed unauthorized access to firewall configuration backup files. Specifically, the API flaw permitted attackers to retrieve backup files by simply guessing or enumerating valid device serial numbers, bypassing authentication mechanisms that should have protected these sensitive assets (MLQ.ai, 2026; BleepingComputer, 2026).
The backup files stored in SonicWall’s cloud infrastructure contained highly sensitive data, including:
- AES-256 encrypted credentials
- Complete firewall configuration data
- Multi-factor authentication (MFA) scratch codes
- Emergency administrative access codes
This vulnerability was not immediately detected or disclosed. SonicWall initially estimated that only 5% of its customer base was affected, but later confirmed that all clients using the cloud backup service were impacted (BleepingComputer, 2026).
Table 1: Timeline of the Vulnerability
| Date | Event |
|---|---|
| Feb 2025 | API code change introduces vulnerability in MySonicWall cloud backup |
| Aug 14, 2025 | Attackers breach Marquis using compromised firewall configuration data |
| Sep 17, 2025 | SonicWall discloses breach, initially claims 5% of customers affected |
| Jan 2026 | Marquis publicly accuses SonicWall of cloud backup security failures |
| Feb 2026 | Marquis files lawsuit against SonicWall |
(BleepingComputer, 2026; MLQ.ai, 2026)
Exploitation Pathway: From Cloud Backup to Network Compromise
The attackers, identified by Mandiant as state-sponsored actors, exploited the API vulnerability to download firewall configuration backups from SonicWall’s cloud. These files, intended for disaster recovery and administrative convenience, became the blueprint for bypassing Marquis’s network defenses (BleepingComputer, 2026; The Cyber Express, 2026).
Key technical steps in the exploitation included:
- Enumeration of Valid Serial Numbers: Attackers systematically guessed or enumerated serial numbers associated with customer devices, exploiting the lack of robust authentication in the API.
- Download of Configuration Files: With valid serials, attackers downloaded encrypted backup files containing firewall configurations and authentication data.
- Extraction of MFA Scratch Codes and Credentials: The backup files included MFA scratch codes—emergency, one-time-use codes meant for administrative access. These codes, along with other credentials, enabled the attackers to bypass multi-factor authentication and gain privileged access to Marquis’s network.
- Deployment of Ransomware: Once inside, the attackers deployed ransomware, disrupting operations at 74 U.S. banks and exfiltrating sensitive customer data (BleepingComputer, 2026; Aetos.AI, 2026).
Table 2: Exploitation Sequence
| Step | Action | Outcome |
|---|---|---|
| 1 | Enumerate serial numbers | Identify valid devices for attack |
| 2 | Download backup files | Obtain configuration, credentials, and MFA codes |
| 3 | Extract credentials & scratch codes | Bypass MFA, gain administrative access |
| 4 | Deploy ransomware | Disrupt operations, steal sensitive data |
(The Cyber Express, 2026; MLQ.ai, 2026)
The Role of Configuration Data in Security Bypass
Firewall configuration backups are not just technical blueprints—they are operational keys. In this incident, the backup files contained:
- Network topology and firewall rules: Allowing attackers to map Marquis’s internal network and identify weak points.
- Encrypted and plain-text credentials: Some credentials, while encrypted, could be brute-forced or were stored in a reversible format.
- MFA scratch codes: These codes are intended for use when standard MFA is unavailable. Attackers used them to bypass MFA protections entirely (The Cyber Express, 2026).
By leveraging this data, attackers could simulate legitimate administrative actions, making detection and mitigation significantly more difficult. Marquis reported that, at the time of the breach, its firewall was fully patched, MFA was enabled, and additional security controls were in place—yet the attackers succeeded due to the exposure of these backup files (BleepingComputer, 2026).
Notification Delays and Incident Response Gaps
SonicWall’s response to the breach was marked by delays and incomplete disclosures. The company waited approximately three weeks after discovering the breach to notify affected customers, initially downplaying the scope by stating that only 5% of users were impacted. It was only after further investigation that SonicWall admitted the vulnerability affected all customers using the cloud backup service (BleepingComputer, 2026).
Marquis alleges that when it contacted SonicWall directly regarding the MFA bypass, the vendor withheld critical information and did not provide timely guidance or transparency. This lack of prompt communication and support is cited in Marquis’s lawsuit as a contributing factor to the scale of the damage suffered (BleepingComputer, 2026).
Table 3: Notification Timeline and Impact
| Event | SonicWall’s Action | Impact on Marquis and Clients |
|---|---|---|
| Breach discovery | Delay in notification (3 weeks) | Extended exposure, delayed mitigation |
| Initial disclosure | Claimed 5% affected | Underestimated scope, limited response |
| Full disclosure | All cloud backup users affected | Widespread incident response required |
| Post-breach support | Withheld information on MFA bypass | Hindered Marquis’s remediation efforts |
(BleepingComputer, 2026)
Impact Assessment: Data Exfiltration and Ransomware Spread
The technical failure in SonicWall’s cloud backup service directly facilitated a ransomware attack with far-reaching consequences. Attackers exfiltrated files containing:
- Names
- Addresses
- Phone numbers
- Social Security numbers
- Taxpayer Identification Numbers
- Financial account information
According to Texas Attorney General records, at least 400,000 individuals were affected by the breach (MLQ.ai, 2026). The ransomware attack disrupted operations at 74 U.S. banks and triggered more than 36 consumer class action lawsuits against Marquis (BleepingComputer, 2026).
Table 4: Scope of Impact
| Metric | Value |
|---|---|
| Individuals affected | 400,000+ |
| Financial institutions impacted | 74 |
| Marquis’s customers (total) | 700+ |
| Consumer class action lawsuits | 36+ |
(MLQ.ai, 2026; BleepingComputer, 2026)
Lessons on Cloud Backup Security Architecture
This incident underscores the critical importance of securing cloud backup services, particularly those holding configuration and authentication data for security devices. Key architectural lessons include:
- API Security: All API endpoints, especially those granting access to sensitive backups, must enforce strong authentication and authorization checks. Enumeration attacks should be mitigated by rate limiting and anomaly detection.
- Encryption and Key Management: While AES-256 encryption was used, the presence of MFA scratch codes and credentials in the backup files highlights the need for secure key management and the avoidance of storing emergency access codes in recoverable formats.
- Segregation of Duties: Backup systems should separate administrative access from user access, and backup files should be inaccessible without multi-layered authentication.
- Prompt Incident Disclosure: Timely and transparent communication with affected clients is essential to enable rapid mitigation and limit the spread of attacks.
Table 5: Recommended Security Controls
| Control Area | Best Practice Example |
|---|---|
| API Security | Strong auth, rate limiting, anomaly detection |
| Backup File Access | Multi-layered auth, encrypted storage, access logging |
| Credential Handling | Avoid storing emergency codes in recoverable backups |
| Incident Response | Immediate notification, detailed guidance to clients |
(MLQ.ai, 2026; BleepingComputer, 2026)
This report section provides a technical breakdown of how a cloud backup vulnerability in SonicWall’s MySonicWall service enabled a devastating ransomware attack on Marquis, focusing on the sequence of exploitation, the role of configuration data, notification delays, the scale of impact, and architectural lessons for cloud backup security.
Final Thoughts
The Marquis-SonicWall breach is a stark reminder that even the most robust security controls can be undone by a single overlooked vulnerability—especially when it comes to cloud backup systems holding the keys to the kingdom. This incident underscores the need for airtight API security, careful handling of backup data, and above all, transparent and timely communication with affected clients (MLQ.ai, 2026).
For organizations relying on cloud-based security solutions, the lessons are clear: enforce strong authentication, avoid storing emergency access codes in recoverable formats, and demand prompt, honest disclosures from vendors. As attackers grow more sophisticated and the stakes rise, the difference between a contained incident and a sector-wide crisis may hinge on these very practices (BleepingComputer, 2026; The Cyber Express, 2026).
References
- BleepingComputer. (2026). Marquis sues SonicWall over backup breach that led to ransomware attack. https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/
- MLQ.ai. (2026). Fintech firm Marquis files lawsuit against SonicWall alleging fault in ransomware attack. https://mlq.ai/news/fintech-firm-marquis-files-lawsuit-against-sonicwall-alleging-fault-in-ransomware-attack/
- The Cyber Express. (2026). Marquis sues SonicWall: Ransomware attack and cloud backup breach. https://thecyberexpress.com/marquis-sues-sonicwall-ransomware/
- BleepingComputer. (2026). Marquis blames ransomware breach on SonicWall cloud backup hack. https://www.bleepingcomputer.com/news/security/marquis-blames-ransomware-breach-on-sonicwall-cloud-backup-hack/
- Aetos.AI. (2026). Marquis ransomware breach post-mortem. https://aetos.ai/posts/a7d4c4b3c1c3f75f