Akira Linked to the Marquis Ransomware Attack

Marquis Software Solutions is notifying banks and credit unions of a ransomware attack that leaked their customer data.  The Texas-based digital and physical marketing firm learned of the ransomware cyber-attack on 14 August 2025, after detecting suspicious activity on its network.  It responded by launching an investigation and notifying law enforcement.  The probe determined that the threat actor breached its SonicWall firewall to gain initial access.[1]

After gaining access, the attackers exfiltrated certain files belonging to its business clients, containing customer data.  “The review determined that the files contained personal information received from certain business customers,” it stated.

According to regulatory disclosures filed in numerous states, including the State of Maine, the ransomware attack leaked the names, dates of birth, postal addresses, Taxpayer Identification Numbers, and Social Security Numbers.  It also exposed bank account numbers, debit, and credit card numbers of over 400,000 customers.

Marquis serves over 700 banks and credit unions, of which 74 have been confirmed victims of the ransomware attack.  However, the number of affected individuals is likely to increase as the scope of the incident becomes clearer.  Meanwhile, the fintech company began notifying business clients between 27 October 2025 and 25 November 2025.  Efforts to alert impacted individuals were also ongoing in collaboration with the affected banks and credit unions.  So far, Norway Savings Bank has notified 51,000 victims, while New Hampshire’s CoVantage Credit Union has alerted 160,000 affected individuals.

Several data breach notices have also been filed in Iowa, Texas, Massachusetts, and New Hampshire. Currently, Texas has the most data breach victims, at 354,000, while Maine has 42,784.  Surprisingly, the Maine State Credit Union accounted for most data breach victims across the state, with 38,334 customers, or about one in every nine affected people being its members.

Yet, Marquis has no evidence that the threat actor has published or misused the stolen data for any nefarious activities.  “At this time, Marquis has no evidence of misuse or attempted misuse of this personal information as a result of this incident,” it stated.  It remains unclear whether the fintech company paid any ransom to prevent the threat actors from leaking the stolen information, or whether it was negotiating with the attackers.  Usually, the attackers do not publish the stolen data until ransom negotiations stall.  However, some unconfirmed reports alleged that Marquis had paid extortion fees shortly after the ransomware attack to prevent the threat actors from leaking the stolen information.  That could also explain why no cybercrime gang has taken responsibility for the ransomware attack.  “Marquis paid a ransomware shortly after 08/14/25,” alleged Iowa’s Community 1st Credit Union (C1st).  “On 10/27/25 C1st was notified that nonpublic personal information related to C1st members was included in the Marquis breach.”  Meanwhile, the fintech software solutions provider is offering complimentary credit monitoring and identity theft protection services to the affected individuals.

Akira linked to the Marquis ransomware attack

At the time of this report, no cybercrime gang has taken responsibility for the ransomware attack, and the fintech company has yet to attribute it to any threat group.  However, the Russian-speaking Akira ransomware gang has been observed exploiting SonicWall firewalls to breach organizations.  Since 2024, it has exploited SonicWall’s CVE-2024-40766 vulnerability to steal VPN login credentials and one-time passwords (OTPs) to bypass multi-factor authentication (MFA).

The attacks, which began in mid-July 2025, targeted SonicWall Generation 7 firewalls with SSLVPN enabled, prompting the enterprise security solutions company to direct customers to turn off the feature or apply the recommended security fixes.

Observing a small gap between the exploitation of SonicWall firewalls and the deployment of ransomware, threat intelligence firm Arctic Wolf suggested that the product was affected by a zero-day vulnerability.  “In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access,” the cybersecurity firm stated.  “In the incidents reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSLVPNs.”  However, Marquis has yet to disclose which feature was exploited during the ransomware attack for comprehensive attribution and threat hunting.
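As an added illustration of the defender-side check this pattern calls for (not part of the article, and not any vendor's tooling): because the intrusions described above used stolen VPN credentials together with OTPs, a successful MFA login is not evidence of a legitimate user. The script below baselines the source networks each account normally logs in from, flags SSL VPN logins from a network the account has never used, and lists source IPs shared across flagged accounts, which points to replayed credentials. The log records and their field layout are constructed for illustration and are not a real SonicWall export format.

```python
"""Baseline-deviation check for SSL VPN logins (added example, not the article's code).
Log records below are constructed; the tuple layout is an assumption, not a vendor format."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp, user, source IP, auth result)
SAMPLE_LOGS = [
    ("2025-07-01T08:02:11", "alice", "203.0.113.10", "success"),
    ("2025-07-02T08:05:40", "alice", "203.0.113.12", "success"),
    ("2025-07-03T09:14:02", "bob", "198.51.100.7", "success"),
    ("2025-07-28T02:41:55", "alice", "192.0.2.200", "success"),  # network alice never used
    ("2025-07-28T02:43:10", "bob", "192.0.2.200", "success"),    # same new IP used for bob
]

# Logins before this date form the "known good" baseline; later ones are evaluated
BASELINE_END = datetime.fromisoformat("2025-07-15T00:00:00")

def build_baseline(logs, cutoff=BASELINE_END):
    """Map each user to the /24 networks seen in successful logins before the cutoff."""
    seen = defaultdict(set)
    for ts, user, ip, result in logs:
        if result == "success" and datetime.fromisoformat(ts) < cutoff:
            seen[user].add(ip_network(f"{ip}/24", strict=False))
    return seen

def flag_anomalous_logins(logs, baseline, cutoff=BASELINE_END):
    """Successful logins after the cutoff from a network the account never used before."""
    flagged = []
    for ts, user, ip, result in logs:
        if result != "success" or datetime.fromisoformat(ts) < cutoff:
            continue
        if not any(ip_address(ip) in net for net in baseline.get(user, ())):
            flagged.append((ts, user, ip))
    return flagged

def shared_source_ips(flagged):
    """Source IPs behind more than one flagged account: a sign of replayed credentials."""
    users_by_ip = defaultdict(set)
    for _, user, ip in flagged:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    hits = flag_anomalous_logins(SAMPLE_LOGS, build_baseline(SAMPLE_LOGS))
    print("anomalous SSL VPN logins:", hits)
    print("IPs shared across flagged accounts:", shared_source_ips(hits))
```

The same baseline logic applies to any VPN or identity-provider log once the records are mapped to the (timestamp, user, source IP, result) shape.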

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.digitalhealth.net/2025/12/nhs-trust-launches-legal-action-after-hackers-steal-patient-and-staff-data/
