Executive Summary
In August 2025, Marquis Software Solutions, a Texas-based fintech firm serving over 700 financial institutions, experienced a ransomware attack that compromised sensitive data of more than 780,000 individuals across at least 80 banks and credit unions. The attackers exploited a vulnerability in SonicWall's firewall backup service, gaining unauthorized access to Marquis's network and exfiltrating personal information, including names, addresses, Social Security numbers, and financial account details. This breach underscores the critical importance of securing third-party services and the potential cascading effects of supply chain vulnerabilities. The incident highlights the growing trend of cybercriminals targeting supply chain weaknesses to infiltrate organizations, emphasizing the need for comprehensive security assessments and robust vendor management practices to mitigate such risks.
Why This Matters Now
The Marquis incident underscores the escalating threat of supply chain attacks, where vulnerabilities in third-party services can lead to widespread data breaches. As organizations increasingly rely on external vendors, ensuring the security of these partners is paramount to prevent similar incidents and protect sensitive customer information.
Attack Path Analysis
Attackers exploited a vulnerability in SonicWall's firewall backup service to access Marquis Software Solutions' firewall configurations, leading to unauthorized network entry. They escalated privileges by leveraging stolen credentials and misconfigurations, facilitating lateral movement across Marquis' internal systems. Establishing command and control channels, they exfiltrated sensitive data of over 400,000 individuals from 74 banks and credit unions. The attackers then deployed ransomware, encrypting critical systems and demanding a ransom to prevent data leakage.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a vulnerability in SonicWall's firewall backup service to access Marquis Software Solutions' firewall configurations, leading to unauthorized network entry.
Related CVEs
CVE-2024-40766
CVSS: 9.8
A remote code execution vulnerability in SonicOS allows unauthenticated attackers to execute arbitrary code on affected devices.
Affected Products:
SonicWall SonicOS – 5.9.2.14-12o and earlier, 6.5.4.14-109n and earlier
Exploit Status: Exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Command and Scripting Interpreter
Application Layer Protocol
Data Encrypted for Impact
Impair Defenses
Obfuscated Files or Information
Inhibit System Recovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Incident Handling
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Direct ransomware impact on 74 U.S. banks through SonicWall backup breach exposes critical vulnerabilities in encrypted traffic protection and egress security controls.
Computer/Network Security
SonicWall lawsuit highlights vendor negligence risks in cybersecurity supply chain, emphasizing need for zero trust segmentation and multicloud visibility frameworks.
Financial Services
Ransomware disruption demonstrates urgent requirements for threat detection, anomaly response capabilities, and compliance with NIST CSF financial sector protection standards.
Information Technology/IT
Backup system compromise reveals critical gaps in east-west traffic security and policy enforcement for IT infrastructure protecting sensitive financial data.
Sources
- Marquis sues SonicWall over backup breach that led to ransomware attack. https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/
- Marquis sues firewall provider SonicWall, alleges security failings with its firewall backup led to ransomware attack. https://techcrunch.com/2026/02/24/marquis-sonicwall-lawsuit-ransomware-firewall-breach/
- Fintech firm Marquis blames hack at firewall provider SonicWall for its data breach. https://techcrunch.com/2026/01/29/fintech-firm-marquis-blames-hack-at-firewall-provider-sonicwall-for-its-data-breach/
- Over 70 US banks and credit unions affected by Marquis ransomware breach - here's what we know. https://www.techradar.com/pro/security/over-70-us-banks-and-credit-unions-affected-by-marquis-ransomware-breach-heres-what-we-know
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial unauthorized access may have been constrained, reducing the likelihood of exploiting firewall configurations.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted, reducing the risk of accessing sensitive data.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been hindered, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been blocked, reducing the risk of data loss.
The attacker's ability to deploy ransomware may have been limited, reducing the impact on critical systems.
Impact at a Glance
Affected Business Functions
- Customer Data Management
- Digital Marketing Services
- Compliance Reporting
Estimated downtime: 21 days
Estimated loss: $5,000,000
Personal information of customers from 74 U.S. banks, including names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, and financial account information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- Deploy East-West Traffic Security to monitor and control internal traffic, detecting unauthorized movements.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Establish Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Regularly update and patch all systems, including firewalls, to mitigate known vulnerabilities.