Firewall Lockouts: Play Ransomware and SonicWall Exploits
On a recent set of incident responses, the Halcyon Services team was engaged following indications of potential ransomware deployment. In each case, the victims were completely locked out of their own firewalls.
The Play ransomware group had seized control of the devices, cutting administrators off from management consoles and rendering even emergency breakglass accounts useless. The impacted organizations relied heavily on remote workforces, which magnified the disruption when connectivity was lost.
The attacks primarily targeted SonicWall firewalls, a product line that has faced intense scrutiny over the past year. Researchers have debated whether these compromises reflect the exploitation of previously disclosed vulnerabilities or the presence of a new zero-day.
Reports in August 2025 documented Akira ransomware operators exploiting SonicWall SSL VPN appliances, even those running the latest Gen-7 firmware, which raised alarms that a novel zero-day was being abused in the wild.
SonicWall responded by denying that a new zero-day was involved, attributing many of the breaches to poor hygiene during migrations from Gen-6 to Gen-7 devices when administrators failed to reset local accounts. Security vendors such as Huntress and Arctic Wolf argued that evidence of exploitation against fully patched systems still pointed to a possible zero-day.
These conflicting narratives underscore a critical point: opportunistic ransomware crews like Play, Akira, and Qilin are probing every Internet-facing firewall for exploitable conditions. Play, which has been active since mid-2022, has been tied to hundreds of intrusions worldwide and was the subject of a joint advisory from the FBI, CISA, and ACSC in 2025 documenting its TTPs and victimology.
Qilin (aka Agenda) operates as a Ransomware-as-a-Service (RaaS) and has steadily grown in prominence, with affiliates launching attacks across Windows, Linux, and ESXi environments. Akira remains one of the most aggressive ransomware groups in 2025, with hundreds of claimed victims and an established track record of targeting VPN and remote access infrastructure.
The most remarkable detail from these recent cases was that it ultimately took isolating the internet connection at the Internet Service Provider (ISP) level to stop the unauthorized connectivity. Internal remediation attempts were futile because the attackers maintained full control of the firewall. Only when the ISP disconnected service was the foothold broken.
Once technicians arrived on site, they confirmed that no accounts were functional, not even emergency administrator logins. The only option left was to capture a dead disk image of the firewall in hopes of recovering forensic evidence and then perform a hard factory reset with a paperclip.
Yes, a paperclip. It may sound trivial, but in these incidents the ability to reset hardware with a simple tool became the decisive step in restoring control. The recovery playbook depended on improvisation: restoring from an old configuration file that had survived in a ticket with the OEM vendor rather than a properly archived offsite backup, re-establishing trusted connections, enabling logging, and re-locking the firewall through the OEM. Only then could normal operations resume.
Mitigation Guidance
- Update SonicWall devices: Apply firmware version 7.3.0 to gain stronger multi-factor authentication (MFA) controls and improved brute-force protection. [M1051]
- Reset all local credentials: After any firewall upgrade or migration, reset every local account password to ensure old or compromised credentials are not reused. [M1027]
- Clear sessions and centralize logging: Clear all active sessions on the firewall and configure logs to forward to an external syslog server. Pairing SonicWall with Network Security Manager further strengthens centralized monitoring and log retention. [M1047]
- Enforce stricter access controls: Require MFA, remove inactive accounts, restrict SSL VPN access to trusted IP addresses, and turn on built-in SonicWall protections like botnet filtering and geo-blocking. [M1030, M1032]
- Plan for worst-case recovery:
  - Be ready to request ISP-level network isolation to stop active intrusions. [M1030]
  - Keep a simple tool like a paperclip in your IR kit to factory reset firewalls when all credentials are burned. [M1018]
  - Ensure backup configurations are stored in multiple places, including OEM support channels, not just internal archives. [M1053]
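As an added example (not code from the Halcyon post), the following Python script shows the kind of check that external syslog forwarding makes possible once the firewall's own console can no longer be trusted: it flags bursts of failed admin logins, admin logins from outside the trusted management ranges, and credential or configuration changes from untrusted sources, the pattern that precedes the lockouts described above. The log line format, trusted ranges, thresholds, and sample lines are constructed assumptions for illustration, not SonicWall's actual log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified syslog-style format for forwarded firewall management
# events (assumed for illustration; NOT SonicWall's real log schema).
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ mgmt: event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")
TRUSTED_ADMIN_NETS = ("10.0.0.", "192.168.50.")  # constructed trusted management ranges
BRUTE_FORCE_THRESHOLD = 5                         # failed admin logins per source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)         # ... within this sliding window

def is_trusted(src):
    return src.startswith(TRUSTED_ADMIN_NETS)

def analyse(lines):
    """Return (timestamp, severity, message) findings for management-plane events."""
    findings = []
    failures = defaultdict(list)  # src -> recent failed-login timestamps
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline should count these
        ts = datetime.fromisoformat(m["ts"])
        ev, user, src = m["event"], m["user"], m["src"]
        if ev == "login_failed":
            recent = [t for t in failures[src] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            failures[src] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:
                findings.append((ts, "high", f"brute force: {len(recent)} failed admin logins from {src}"))
        elif ev == "login_ok" and not is_trusted(src):
            findings.append((ts, "high", f"admin login for {user} from untrusted source {src}"))
        elif ev in ("password_changed", "session_cleared", "config_changed"):
            # Credential/config changes from outside trusted ranges are the lockout pattern: escalate.
            sev = "critical" if not is_trusted(src) else "info"
            findings.append((ts, sev, f"{ev} by {user} from {src}"))
    return findings

# Constructed sample: an external brute-force burst, then a successful login and a
# password change from that same address, followed by routine work from a trusted host.
SAMPLE_LOG = """\
2025-09-01T02:10:01 fw1 mgmt: event=login_failed user=admin src=203.0.113.7
2025-09-01T02:10:09 fw1 mgmt: event=login_failed user=admin src=203.0.113.7
2025-09-01T02:10:15 fw1 mgmt: event=login_failed user=admin src=203.0.113.7
2025-09-01T02:10:22 fw1 mgmt: event=login_failed user=admin src=203.0.113.7
2025-09-01T02:10:30 fw1 mgmt: event=login_failed user=admin src=203.0.113.7
2025-09-01T02:11:02 fw1 mgmt: event=login_ok user=admin src=203.0.113.7
2025-09-01T02:11:40 fw1 mgmt: event=password_changed user=admin src=203.0.113.7
2025-09-01T08:00:00 fw1 mgmt: event=login_ok user=netops src=10.0.0.5
2025-09-01T08:01:10 fw1 mgmt: event=config_changed user=netops src=10.0.0.5
"""
```

Run `analyse(SAMPLE_LOG.splitlines())` against the sample to see the three high/critical findings for the external address and the single informational entry for the trusted host.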
Takeaway
The lesson is not just about SonicWall vulnerabilities or ransomware tradecraft. It is about the practical realities of incident response. Organizations need to prepare for situations where breakglass accounts are useless, credentials are burned, and the only way forward is physical intervention at the device level. The need for ISP-level isolation and hardware resets illustrates that ransomware defense must extend beyond software patching and monitoring.
For incident responders, the broader takeaway is to maintain contingency plans for ISP-level cutoffs, ensure alternative access to configuration backups, and remember that even the humblest office supply like a paperclip may be essential to recovering from a catastrophic intrusion.
The Halcyon Ransomware Research Center (RRC) is dedicated to uniting experts, defenders, and policymakers to advance understanding of the ransomware threat landscape. The RRC fosters collaborative intelligence sharing, drives informed public policy, and delivers timely research to strengthen collective defense against ransomware and data extortion. Explore the latest RRC reports, analysis, and resources here.