Full Report
Marquis, a Texas-based financial services provider, revealed this week that a ransomware gang stole the data of over 670,000 individuals in an August 2025 cyberattack that also disrupted operations at 74 banks across the United States. [...]
Analysis Summary
# Incident Report: Marquis Ransomware Attack and Data Breach
## Executive Summary
In August 2025, the Texas-based financial services provider Marquis suffered a significant ransomware attack that resulted in the exfiltration of sensitive data belonging to 672,075 individuals. The attack, facilitated by a compromised firewall, caused operational disruptions across 74 U.S. banks and has since led to over 36 class-action lawsuits and a legal battle against the firewall vendor.
## Incident Details
- **Discovery Date:** August 14, 2025
- **Incident Date:** August 14, 2025
- **Affected Organization:** Marquis
- **Sector:** Financial Services / Fintech
- **Geography:** United States (Texas-based)
## Timeline of Events
### Initial Access
- **Date/Time:** August 14, 2025
- **Vector:** Exploitation of a SonicWall firewall vulnerability.
- **Details:** Attackers leveraged compromised credentials or tokens associated with the "MySonicWall" cloud backup service to gain access to the organization's perimeter security.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not detailed in the report, though the attackers successfully navigated from the perimeter to internal file systems containing sensitive consumer data.
### Data Exfiltration/Impact
- **Details:** Personally Identifiable Information (PII) of 672,075 individuals was stolen. Data included names, dates of birth, SSNs, Taxpayer IDs, and financial account information. The attack disrupted services for 74 client banks.
### Detection & Response
- **Discovery:** Marquis identified the ransomware activity on August 14, 2025.
- **Response:** The organization initiated an investigation, eventually linking the breach to a SonicWall cloud backup vulnerability disclosed in September 2025. Data review and notification procedures were finalized by December 10, 2025.
## Attack Methodology
- **Initial Access:** Compromised SonicWall firewall via cloud backup credential/token theft.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Use of legitimate credentials/tokens harvested from a third-party cloud service.
- **Credential Access:** Extraction of access credentials from MySonicWall cloud backup.
- **Discovery:** Not specified.
- **Lateral Movement:** Internal network traversal to reach PII repositories.
- **Collection:** Gathering of consumer PII and financial records.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure prior to encryption.
- **Impact:** Ransomware encryption of systems and operational disruption at scale (74 banks).
## Impact Assessment
- **Financial:** Significant legal fees (36+ class actions), loss of revenue, and potential "diminution in enterprise value."
- **Data Breach:** 672,075 individuals; includes SSNs, Taxpayer IDs, and account numbers.
- **Operational:** Disruption of services for 74 U.S. banks and credit unions.
- **Reputational:** Public litigation against a primary vendor and loss of customer trust.
## Indicators of Compromise
- **Network indicators:** Unauthorized credential/token synchronization activity involving the MySonicWall cloud backup portal (hxxps[://]MySonicWall[.]com). Note that this is the vendor's legitimate management portal, so the indicator is anomalous or unexpected access to it, not the destination itself.
- **File indicators:** Ransomware notes and encrypted file extensions (specific variant not named, but attributed to a "ransomware gang").
- **Behavioral indicators:** Unusual access to cloud backup accounts followed by an immediate breach of on-premises firewalls.
## Response Actions
- **Containment:** Isolated the affected systems to prevent further spread to customer networks.
- **Eradication:** Investigation conducted by third-party forensic firms (implied by references to Mandiant).
- **Recovery:** Restoration of services for affected banking clients.
- **Notification:** Sent data breach notification letters to 672,075 affected individuals.
## Lessons Learned
- **Supply Chain Vulnerability:** Third-party cloud management tools for on-premises hardware (firewalls) represent a critical attack vector.
- **Detection Lag:** While the attack was detected in August, the full root cause (the SonicWall cloud breach) was not fully correlated until later in the year.
- **Legal Recourse:** Organizations are increasingly holding security vendors legally accountable for "gross negligence" regarding cloud security.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure all administrative cloud portals (like MySonicWall) require robust MFA to prevent credential reuse.
- **Credential Rotation:** Immediately reset all credentials and tokens if a vendor reports a security incident affecting cloud-side management services.
- **Segmentation:** Ensure that even if a firewall is compromised, the data repositories containing high-value PII are isolated and require secondary authentication.
- **Vulnerability Patching:** Rapidly apply patches/updates to perimeter security devices.