🔴 HIGH | news

Marquis Ransomware Breach Hits 74 US Banks, Credit Unions

Category: Industry News
Marquis Software Solutions, a financial software and analytics provider serving over 700 banks and credit unions, disclosed a ransomware attack on August 14, 2025. Attackers breached its network via a SonicWall firewall and stole files containing customer PII and financial data; the initial access, credential abuse, and exfiltration map to T1190, T1078, and T1041 respectively. Notifications to US state Attorneys General indicate that over 400,000 individuals were affected across at least 74 banks and credit unions. Exposed data includes names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, partial financial account details, and dates of birth. A now-removed filing suggests Marquis paid a ransom to prevent the data from being leaked, though the company officially reports no evidence of misuse or publication so far.

The attack appears to align with tactics used by the Akira ransomware group, which has been exploiting SonicWall SSL VPN devices via CVE-2024-40766 together with stale credentials stolen before patching. Even after SonicWall addressed the vulnerability, many organizations reportedly failed to fully reset VPN credentials, allowing attackers to keep logging in; some reports indicate access even when MFA is enabled. Once inside, attackers conduct reconnaissance, escalate privileges in Active Directory, exfiltrate data, and only then deploy ransomware, maximizing extortion pressure.

Business impact extends beyond Marquis to its banking and credit union customers, who must now manage regulatory notifications, customer communications, and potential fraud monitoring for hundreds of thousands of affected account holders. The incident highlights supply-chain risk: third-party analytics and marketing providers hold large volumes of sensitive financial data and can become high-value ransomware targets.
Mitigation requires aggressive hardening of VPN and firewall access, including full credential resets after patching exploited devices, enforcement of MFA on all remote access, and enhanced logging and geo-IP filtering. Financial institutions should reevaluate due diligence on third-party processors, ensuring they maintain strong patch, identity, and backup practices and are obligated to notify and cooperate rapidly during ransomware events.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The Marquis breach illustrates how a single ransomware hit on a data analytics provider can cascade into privacy incidents for dozens of banks and credit unions, with more than 400,000 customers impacted. Affected institutions face regulatory reporting, customer notification costs, potential class-action litigation, and longer-term trust erosion if fraud or identity theft emerges down the line.

Technical Context: Attackers likely leveraged SonicWall SSL VPN exploitation (T1190) and stolen credentials (T1078) to gain persistent access, then exfiltrated large volumes of financial and identity data (T1041) before deploying ransomware. Marquis' subsequent controls (patching firewalls, resetting accounts, enforcing MFA, lockout policies, geo-IP filtering, and C2 blocking) reflect best practices that many organizations still implement only after a breach.

Strategic Intelligence Guidance

  • Audit all SonicWall and other VPN appliances for CVE exposure, apply latest patches, and reset credentials and MFA seeds for all accounts that previously authenticated through vulnerable devices.
  • Enforce strict MFA, account lockout policies, and geo-IP restrictions on VPN and firewall admin access, backed by enhanced logging retention to support forensic investigations.
  • Reassess third-party risk management for data processors holding large volumes of customer PII, including ransomware resiliency, backup practices, and contractual notification requirements.
  • Offer credit monitoring and fraud alerts to exposed customers while enhancing internal fraud analytics to detect misuse of Social Security numbers and Taxpayer Identification Numbers.
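The first guidance item above, resetting credentials for every account that authenticated through a vulnerable appliance before it was patched, can be turned into a simple exposure check. The following is an added example, not code from the article, Marquis, or SonicWall; the patch date, account names, authentication events, and reset timestamps are all constructed placeholders, and the source IPs are documentation ranges.

```python
# Added example (not from the article or any vendor tool): flag accounts
# whose VPN credentials were usable before the appliance was patched and
# have not been reset since, plus their post-patch logins for triage.
# All events, dates and account names below are constructed placeholders.
from datetime import datetime, timezone

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

PATCH_APPLIED = _utc("2025-03-01T00:00:00")  # constructed patch date

# (user, successful SSL VPN authentication time, source IP); constructed.
VPN_EVENTS = [
    ("alice", _utc("2025-02-20T08:15:00"), "203.0.113.10"),
    ("bob",   _utc("2025-02-27T22:40:00"), "198.51.100.7"),
    ("carol", _utc("2025-03-05T09:00:00"), "203.0.113.22"),
    ("dave",  _utc("2025-01-15T07:30:00"), "192.0.2.9"),
    ("bob",   _utc("2025-03-12T03:05:00"), "198.51.100.7"),
]

# Last password/MFA-seed reset per account (None = never); constructed.
CREDENTIAL_RESET = {
    "alice": _utc("2025-03-02T10:00:00"),  # rotated after patch: clean
    "bob":   _utc("2024-11-01T00:00:00"),  # rotated before patch: exposed
    "carol": None,                         # first login after patch: clean
    "dave":  None,                         # never rotated: exposed
}

def stale_credential_accounts(events, resets, patch_time):
    """Accounts that authenticated before patch_time (credential could have
    been captured) and had no reset at or after patch_time."""
    pre_patch = {user for user, when, _ in events if when < patch_time}
    return sorted(u for u in pre_patch
                  if resets.get(u) is None or resets[u] < patch_time)

def post_patch_logins(events, exposed, patch_time):
    """Successful post-patch logins by still-exposed accounts: the pattern
    the article describes, where stolen credentials keep working after the fix."""
    return [e for e in events if e[0] in exposed and e[1] >= patch_time]

if __name__ == "__main__":
    exposed = stale_credential_accounts(VPN_EVENTS, CREDENTIAL_RESET, PATCH_APPLIED)
    print("Force credential reset:", exposed)
    for user, when, ip in post_patch_logins(VPN_EVENTS, exposed, PATCH_APPLIED):
        print(f"Triage: {user} authenticated {when.isoformat()} from {ip}")
```

In practice the event list would come from the appliance's authentication log export and the reset map from the identity provider; the logic stays the same.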

CVEs

CVE-2024-40766

Vendors

Marquis Software Solutions, SonicWall

Threats

Akira ransomware, ransomware, data breach

Targets

US banks, credit unions, financial software providers

Impact

Data Volume: 400,000+ customer records