Marquis Software Ransomware Incident
Targeted Sectors
Financial services (banks, credit unions) and software providers; affected institutions named so far include:
· 1st Northern California Credit Union
· Abbott Laboratories Employees Credit Union
· Alltrust Credit Union
· BayFirst National Bank
· C&N Bank
· Cape Cod Five
· Capital City Bank Group
· Central Virginia Federal Credit Union
· Clark County Credit Union
· Community Bancshares of Mississippi, Inc.
· Cornerstone Community Financial Credit Union
· CU Hawaii Federal Credit Union
· Earthmover Credit Union
· Educators Credit Union
Targeted Countries
· United States
BLUF
A successful ransomware attack on financial software vendor Marquis exposed data for over 780,000 customers of various U.S. financial institutions, highlighting significant third-party risk.
Date of First Reported Activity
· Incident details came to light around December 10-11, 2025.
Date of Last Reported Activity Update
· December 10, 2025
APT Names
· Not Applicable (likely criminal organization).
Suspected Criminal Organization Names
· Akira ransomware gang
IOCs
· Not publicly disclosed at this time
CVEs and CVSS Vectors
· The initial access vector has not been disclosed; phishing or vulnerability exploitation are both plausible. Around the same time as this campaign, the Akira ransomware gang was exploiting CVE-2024-40766.
Nessus ID
· Unknown at this time whether the incident is tied to a CVE; however, the Akira ransomware gang has run ransomware campaigns leveraging CVE-2024-40766, for which Tenable has plugin ID 206801.
Mitigation Data
· CISA guidance on Akira ransomware is available, and general ransomware mitigations apply (strong backups, patching, MFA).
Malware Names
· Ransomware variant (name not specified).
Malware Samples
· Unknown at this time
TTPs
· T1195.002: Supply Chain Compromise: Compromise Software Supply Chain (targeting a service provider)
· T1486: Data Encrypted for Impact
· T1059: Command and Scripting Interpreter (likely used in execution)
Suggested rules / potential hunts
Not much is known about this campaign currently.
Suggested Suricata rules
· Not enough has been reported at this time, so I am unable to determine what would be useful related to this specific campaign
Detection of known Akira C2 IPs/domains:
No C2 addresses for this campaign have been published, so the rule references an address group ($AKIRA_C2_IPS, defined under vars.address-groups in suricata.yaml) that must be populated from a vetted, current IOC feed before the rule is enabled. Always vet and update IOCs prior to use.
alert ip $HOME_NET any -> $AKIRA_C2_IPS any (msg:"Akira Ransomware Known C2 IP"; classtype:trojan-activity; sid:1000001; rev:1;)
Detection of AnyDesk/LogMeIn connections to untrusted origins (behavioral):
Monitor for the use of remote access software which might indicate abuse. Suricata has no application-layer event for remote-access tools, so the rule keys on DNS resolution of the vendor service domains (anydesk.com, logmein.com); exclude hosts where these tools are sanctioned.
alert dns $HOME_NET any -> any any (msg:"Suspicious Remote Access Tool Connection (AnyDesk/LogMeIn) - possible Akira TTP"; dns.query; pcre:"/(^|\.)(anydesk|logmein)\.com$/i"; classtype:trojan-activity; sid:1000002; rev:1;)
Detection of data exfiltration indicators (e.g., large outbound traffic to unusual ports):
This is highly generic and will require tuning for your environment. The rule uses the stream_size keyword to flag a single TCP session in which the internal client has sent more than ~100 MB, limited to one alert per source host per hour; restrict the destination port list if only unusual ports are of interest.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Large Outbound Data Transfer Detected - possible Akira exfiltration"; flow:established,to_server; stream_size:client,>,100000000; threshold:type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; sid:1000003; rev:1;)
Suggested SentinelOne rules
Suggested rules are indicator rules. They are likely to be noisy.
· Not enough has been reported at this time, so the suggested rules are for activities that would be associated with the Akira ransomware gang.
Suspicious use of wmic.exe or schtasks.exe:
Look for wmic launching processes on a remote system
ProcessName Contains "wmic.exe" And CommandLine Contains "process call create"
Look for schtasks creating tasks in public directories or forcing reboots
(ProcessName Contains "schtasks.exe" And CommandLine Contains "/create" And CommandLine Contains "C:\\Users\\Public") Or (ProcessName Contains "schtasks.exe" And CommandLine Contains "/run" And CommandLine Contains "/F" And CommandLine Contains "/reboot")
Attempts to delete shadow copies or modify boot recovery:
Behavioral detection for system recovery inhibition
(ProcessName Contains "vssadmin.exe" And CommandLine Contains "delete shadows") Or (ProcessName Contains "wbadmin.exe" And CommandLine Contains "delete backup") Or (ProcessName Contains "bcdedit.exe" And CommandLine Contains "bootstatuspolicy")
EDR/AV termination attempts:
Look for termination of known security product processes; extend the process-name list with the other EDR/AV products deployed in your environment
ProcessName Contains "taskkill.exe" And CommandLine Contains "/IM" And (CommandLine Contains "MsMpEng.exe" Or CommandLine Contains "defender" Or CommandLine Contains "sentinel" Or CommandLine Contains "symantec")
Suggested Splunk hunts
Suggested rules are indicator rules. They are likely to be noisy.
Monitor for high-volume file encryption events, suspicious login attempts to administrative interfaces of third-party software, and unusual data egress.
New user account creation followed by administrative group addition:
· Correlates the creation of a new user (Event Code 4720) with a subsequent addition of that account to a privileged group (Event Code 4728 for domain groups, 4732 for local groups). The join key is the account SID: in 4728/4732 the added member is recorded in MemberSid, while TargetUserName there is the group, not the user
index=* sourcetype=WinEventLog:Security (EventCode=4720 OR EventCode=4728 OR EventCode=4732) | eval account_sid=if(EventCode=4720, TargetSid, MemberSid), grp=if(EventCode=4720, null(), TargetUserName), created=if(EventCode=4720, 1, 0), added=if(EventCode=4720, 0, 1) | stats min(_time) AS first_seen max(created) AS created max(added) AS added values(grp) AS groups by account_sid | where created=1 AND added=1
wevtutil.exe abuse (clearing logs):
Detect attempts to clear Windows Event Logs to destroy evidence; the command line is matched with wildcards because it carries the log name (e.g. "wevtutil cl Security")
index=* (ProcessName="wevtutil.exe" OR ImageFilePath="*\\wevtutil.exe") (CommandLine="* cl *" OR CommandLine="*clear-log*")
WMI usage for shadow copy deletion (stealthy method):
· Akira uses WMI class calls to delete shadow copies without calling vssadmin
index=* (ProcessName="wmic.exe" OR ImageFilePath="*\\wmic.exe") CommandLine="*shadowcopy delete*"
High frequency of file deletion or file writes (general ransomware activity):
· General indicator of mass file modification/deletion, counted per host and user rather than per file (requires object-access auditing with SACLs on the monitored shares; 4663 records the file path in ObjectName)
index=* sourcetype=WinEventLog:Security (EventCode=4663 OR EventCode=4656) | bucket span=15m _time | stats count AS events dc(ObjectName) AS distinct_files by _time, Computer, SubjectUserName | where distinct_files > 1000
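The process-creation patterns from the SentinelOne section and the account-creation correlation from the Splunk hunts, as an added Python example that is not part of the original brief. It runs both over a constructed set of simplified event records: the 4720/4728 rows keep the Windows Security field names (TargetSid, MemberSid, TargetUserName), while the 4688 rows use shortened proc/cmd keys for brevity.

```python
import re

# Constructed, simplified Windows event records (not real telemetry from the incident).
# 4720/4728 keep the Security-log field names; 4688 rows use short proc/cmd keys.
EVENTS = [
    {"t": 100, "code": 4720, "host": "FS01", "TargetSid": "S-1-5-21-1-1-1-1105", "TargetUserName": "svc_backup2"},
    {"t": 130, "code": 4728, "host": "FS01", "MemberSid": "S-1-5-21-1-1-1-1105", "TargetUserName": "Domain Admins"},
    {"t": 200, "code": 4688, "host": "FS01", "proc": "vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"t": 210, "code": 4688, "host": "FS01", "proc": "wmic.exe", "cmd": "wmic shadowcopy delete"},
    {"t": 220, "code": 4688, "host": "FS01", "proc": "wevtutil.exe", "cmd": "wevtutil cl Security"},
    {"t": 230, "code": 4688, "host": "FS01", "proc": "taskkill.exe", "cmd": "taskkill /F /IM MsMpEng.exe"},
    {"t": 240, "code": 4688, "host": "WS07", "proc": "schtasks.exe", "cmd": "schtasks /query /fo LIST"},
]

# Command-line patterns mirroring the SentinelOne queries above (case-insensitive).
PROC_RULES = {
    "recovery_inhibition": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+backup"
        r"|bcdedit(\.exe)?.*bootstatuspolicy|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "av_termination": re.compile(r"taskkill(\.exe)?.*/IM\s+\S*(MsMpEng|defender|sentinel|symantec)", re.I),
}


def match_process_events(events):
    """Return (host, rule_name, cmd) for every process-creation record that trips a rule."""
    hits = []
    for e in events:
        if e["code"] != 4688:
            continue
        for name, rx in PROC_RULES.items():
            if rx.search(e["cmd"]):
                hits.append((e["host"], name, e["cmd"]))
    return hits


def correlate_new_admin(events, window=3600):
    """Account creation (4720) followed within `window` seconds by a privileged-group add
    (4728 domain / 4732 local). The join key is the SID: 4728/4732 carry the added
    member in MemberSid, while TargetUserName there is the group, not the user."""
    created, alerts = {}, []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["code"] == 4720:
            created[e["TargetSid"]] = (e["t"], e["TargetUserName"])
        elif e["code"] in (4728, 4732) and e.get("MemberSid") in created:
            t0, user = created[e["MemberSid"]]
            if e["t"] - t0 <= window:
                alerts.append((e["host"], user, e["TargetUserName"]))
    return alerts


if __name__ == "__main__":
    for hit in match_process_events(EVENTS) + correlate_new_admin(EVENTS):
        print(hit)
```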
Delivery Method
Compromise of a third-party software/service provider (Marquis).
Email Samples
Unknown at this time
References
BleepingComputer: Provides details on the impact across over 74 US banks and credit unions.
· hxxps://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/
TechCrunch: Covers the initial alerts sent to banks and credit unions following the attack.
· hxxps://techcrunch.com/2025/12/03/fintech-firm-marquis-alerts-dozens-of-us-banks-and-credit-unions-of-a-data-breach-after-ransomware-attack/
Reuters: A news report on the fintech firm notifying affected businesses after the breach.
· hxxps://www.reuters.com/technology/fintech-firm-marquis-notifies-affected-business-after-ransomware-breach-2025-12-03/
Security Affairs: Reports that the breach impacted more than 780,000 individuals.
· hxxps://securityaffairs.com/185320/data-breach/marquis-data-breach-impacted-more-than-780000-individuals.html
PR Newswire: An announcement regarding an investigation into Marquis Software Solutions for the data breach.
· hxxps://www.prnewswire.com/news-releases/privacy-alert-marquis-software-solutions-under-investigation-for-data-breach-of-over-780-000-financial-records-302635934.html
Security Credit Union (Customer Notification): A notification letter to members of a credit union affected by the incident.
· hxxps://www.securitycu.org/marquis-data-incident/
New Hampshire Attorney General's Office Filing: A public notice detailing the incident as filed with state regulators.
· hxxps://mm.nh.gov/files/uploads/doj/remote-docs/covantage-credit-union-marquis-software-solutions-20251126.pdf