Executive Summary

Marquis Software Solutions, a Texas-based provider of data analytics, compliance, and marketing services to the financial sector, experienced a significant data breach following a ransomware attack on August 14, 2025. The incident, attributed to exploitation of a vulnerability in the SonicWall firewall, resulted in unauthorized access to sensitive personal information belonging to customers of over 74 US banks and credit unions. More than 400,000 individuals were affected, with compromised data including names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information (excluding access codes), and dates of birth. While there is currently no evidence that the stolen data has been misused or published, reports indicate that a ransom was paid to prevent data exposure. Marquis has since implemented enhanced security controls. This report provides a detailed technical analysis of the breach, its impact, and recommended mitigation steps, based solely on verified primary sources (BleepingComputer, Dec 3, 2025, Strauss Borrelli PLLC, Dec 2, 2025, Vermont Attorney General, Nov 26, 2025).

Technical Information

The attack on Marquis Software Solutions began with the exploitation of a vulnerability in the SonicWall SSL VPN, specifically CVE-2024-40766. This vulnerability allowed attackers to steal VPN usernames, passwords, and one-time password (OTP) seeds, enabling them to bypass multi-factor authentication (MFA) and gain initial access to the Marquis network (BleepingComputer, Dec 3, 2025). The attack methodology aligns with the tactics, techniques, and procedures (TTPs) of the Akira ransomware group, which has a documented history of targeting SonicWall and other VPN devices for initial access.

Once inside the network, the attackers conducted reconnaissance, escalated privileges within the Windows Active Directory environment, and exfiltrated sensitive data before deploying ransomware. The tools and malware used in this attack are consistent with those previously attributed to Akira ransomware operations. These include credential dumping tools such as Mimikatz and LaZagne, remote access utilities like AnyDesk and LogMeIn, scripting tools including PowerShell and VBScript, and data exfiltration utilities such as WinRAR, 7-Zip, FileZilla, WinSCP, and RClone. For command and control (C2) and lateral movement, the attackers leveraged Ngrok, SystemBC, and Cobalt Strike. Security evasion was achieved using tools like PowerTool and BYOVD (Bring Your Own Vulnerable Driver) techniques, specifically with POORTRY and STONESTOP (CISA, Nov 13, 2025).

The attackers’ workflow followed a typical double extortion model: after exfiltrating data, they encrypted systems and demanded a ransom, threatening to leak the stolen data if payment was not made. According to a now-deleted notification from Community 1st Credit Union, Marquis paid the ransom shortly after the attack to prevent the public release of sensitive information (BleepingComputer, Dec 3, 2025).

The compromised data included highly sensitive personal and financial information, such as names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information (without security or access codes), and dates of birth. This data was received by Marquis from its business customers, which include over 700 banks, credit unions, and mortgage lenders. The breach specifically impacted customers of at least 74 financial institutions, with over 400,000 individuals affected (BleepingComputer, Dec 3, 2025; Strauss Borrelli PLLC, Dec 2, 2025; Vermont Attorney General, Nov 26, 2025).

The Akira ransomware group, active since March 2023, is known for exploiting VPN vulnerabilities and targeting organizations in the financial, manufacturing, education, IT, healthcare, and food/agriculture sectors. The group is associated with aliases such as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, and may have links to the defunct Conti group. Akira’s operations are characterized by rapid data exfiltration, often within hours of initial access, and the use of double extortion tactics (CISA, Nov 13, 2025).

The technical sequence of the attack, mapped to the MITRE ATT&CK framework, included the following stages: exploitation of a public-facing application (T1190), use of valid accounts (T1078), external remote services (T1133), brute force and password spraying (T1110, T1110.003), command and scripting interpreter execution (T1059.001, T1059.003, T1059.005), account manipulation (T1098), privilege escalation (T1068), defense evasion (T1027, T1562.001, T1562.004), credential access (T1003, T1555), discovery (T1016, T1018, T1046, T1057, T1069, T1082, T1087, T1482), lateral movement (T1021, T1550.002), data collection and archiving (T1560.001), command and control (T1090, T1105, T1219, T1572), exfiltration (T1048, T1537, T1567.002), and impact (T1486, T1490, T1657).

The evidence supporting these findings is of high quality, as it is based on direct technical reporting from BleepingComputer, legal analysis from Strauss Borrelli PLLC, and official notifications to state authorities, all cross-referenced with CISA advisories.

Affected Versions & Timeline

The breach exploited a vulnerability in the SonicWall SSL VPN, specifically CVE-2024-40766. This vulnerability affected unpatched versions of SonicWall firewall devices. Even after patches were released, many organizations failed to reset VPN credentials, allowing attackers to continue accessing systems with previously stolen credentials (BleepingComputer, Dec 3, 2025).

The confirmed timeline is as follows: On August 14, 2025, Marquis detected suspicious activity and confirmed a ransomware attack via the SonicWall firewall. Between August and October 2025, the company conducted an investigation and began notifying affected customers and authorities. A ransom was reportedly paid during this period to prevent data exposure. On November 26, 2025, Marquis officially notified the Vermont Attorney General’s Office. Public disclosures and legal investigations were published on December 2 and 3, 2025 (BleepingComputer, Dec 3, 2025; Strauss Borrelli PLLC, Dec 2, 2025; Vermont Attorney General, Nov 26, 2025).

Threat Activity

The threat actor responsible for this breach is attributed with high confidence to the Akira ransomware group. The group exploited the SonicWall SSL VPN vulnerability (CVE-2024-40766) to gain initial access, using stolen credentials and OTP seeds to bypass MFA. Once inside, the attackers performed network reconnaissance, escalated privileges, and exfiltrated sensitive data before deploying ransomware to encrypt systems.

The tools and techniques used in this attack are consistent with Akira’s known operations, including the use of credential dumping tools (Mimikatz, LaZagne), remote access software (AnyDesk, LogMeIn), scripting and execution tools (PowerShell, VBScript), data exfiltration utilities (WinRAR, 7-Zip, FileZilla, WinSCP, RClone), and C2 tunneling tools (Ngrok, SystemBC). The attackers also used Cobalt Strike for post-exploitation and lateral movement, and employed BYOVD techniques for privilege escalation.

Akira is known for rapid data exfiltration and double extortion tactics, threatening to leak stolen data if ransom demands are not met. In this case, a ransom was reportedly paid to prevent the public release of sensitive information. As of the latest reporting, there is no evidence that the stolen data has been misused or published (BleepingComputer, Dec 3, 2025).

The attack demonstrates a high level of sophistication and highlights the risks associated with third-party service providers in the financial sector. The evidence for these conclusions is strong, based on direct technical reporting, legal analysis, and official notifications.

Mitigation & Workarounds

The following mitigation steps and workarounds are prioritized by severity:

Critical: All organizations using SonicWall SSL VPN devices must immediately ensure that all devices are fully patched for CVE-2024-40766 and any other known vulnerabilities. It is essential to reset all VPN credentials, including usernames, passwords, and OTP seeds, even if patches have already been applied, as attackers may have harvested credentials prior to patching (BleepingComputer, Dec 3, 2025).

High: Enforce multi-factor authentication (MFA) for all remote access and VPN accounts, and verify that OTP seeds have not been compromised. Rotate all local and administrative account passwords, and delete old or unused accounts to reduce the attack surface. Apply account lockout policies to prevent brute force and password spraying attacks.

High: Increase logging retention for firewall and VPN devices, and regularly review logs for signs of unauthorized access or suspicious activity. Apply geo-IP filtering to restrict remote access to only those countries necessary for business operations. Implement policies to automatically block connections to and from known botnet command and control servers at the firewall.

Medium: Provide affected individuals with complimentary credit monitoring and identity protection services, as Marquis has done. Notify all impacted customers and regulatory authorities in accordance with state and federal requirements.

Medium: Conduct a comprehensive review of third-party vendor security controls and incident response procedures. Ensure that all vendors handling sensitive data are required to maintain up-to-date security practices and are subject to regular security assessments.

Low: Educate employees and customers about phishing risks and best practices for protecting personal information. Encourage the use of strong, unique passwords and regular password changes.

These recommendations are based on the technical findings from the incident and align with best practices for mitigating ransomware and credential-based attacks.

References

https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/ (Dec 3, 2025)

https://straussborrelli.com/2025/12/02/marquis-software-solutions-data-breach-investigation/ (Dec 2, 2025)

https://ago.vermont.gov/document/2025-11-26-marquis-software-solutions-data-breach-notice-consumers (Nov 26, 2025)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a (Nov 13, 2025)

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks associated with external vendors and service providers. Our platform enables continuous risk assessment, automated evidence collection, and streamlined incident response coordination for organizations in the financial sector and beyond. For questions or further information, please contact us at ops@rescana.com.