Imminent Ransomware is Attack Unpatched SonicWall Devices

Recently, SonicWall one of the biggest networking company has claimed that they have encountered an imminent ransomware campaign that is continuously targeting their devices.

Soon after knowing about the ransomware, SonicWall immediately warned its customers regarding the ransomware and pronounced that this imminent ransomware is attacking the products that have already been stopped.


According to the report, the company has declared that they are not yet cleared that which specified vulnerability is being targeted by the cybercriminal, but it was clear that the threat actors are targeting a particular vulnerability that has been fixed in the most advanced firmware versions.


However, after detecting the ransomware, SonicWall has suggested some resolutions that are to be followed by the customer, and all these resolutions were made on the basis of the equipment that is being used by the customer.

SRA 4600/1600  (Discontinued in 2019)

  • Disable immediately.
  • Reset passwords.

SRA 4200/1200  (discontinued 2016)

  • Disable immediately.
  • Reset passwords.

SSL-VPN 200/2000/400  (Discontinued 2013, 2014)

  • Disable immediately.
  • Reset passwords.

SMA 400/200 (Still supported in limited decommissioning mode)

  • Upgrade immediately to or
  • Reset passwords.
  • Enable multi-factor authentication.


As we said above that this imminent ransomware is strongly impacting SonicWall, therefore each and every customer was suggested to update all their impacted devices as soon as possible.

However, after detecting the ransomware, SonicWall has immediately and frequently communicated with the organization those who got affected by this ransomware for mitigation steps and updated guidance.

It has been asserted that all those organizations that decline to take suitable and needed steps to stop this attack and to mitigate these vulnerabilities on their SRA and SMA 100 series outcomes are at immediate danger of a targeted ransomware attack.


According to the company, 8.x firmware are past temporary mitigations for this ransomware, in case if the organization continues to use this firmware then their device will be at an active security risk.

However, the end-of-life devices cannot upgrade to 9.x or 10.x firmware, that’s why the company has provided a complimentary virtual SMA 500v until October 31, 2021. Using this complementary mitigation will surely provide extra time to the organizations so that they can get full-proof mitigation to bypass this attack.

The temporary SMA 500v will be pre-registered for clients with 8.X firmware, and this SMA 500v will be presented in the account under the name “SMA_SRA8X_Migration_500v.”

Moreover, the SMA500v will do not have any kind of phone support, and for these reasons, the organization has may have to seek the SonicWall communities SMA thread.

While apart from this, upgrading to the newest firmware or simply stop using the EOL appliances as soon as possible is the best possible way to mitigate, as the CISA itself has recommended all the users.

For further security, they have advised all the users and administrators to follow the best security practices.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.