Executive Summary

On February 10, 2026, Marquis Health Services, a subacute rehabilitation and skilled nursing care provider, disclosed it was the victim of a ransomware attack. In a statement, the company attributed the breach to a compromise of its SonicWall cloud backup systems. This access allowed threat actors to encrypt vital data, leading to significant operational disruptions. The attack vector is particularly concerning as it demonstrates a sophisticated understanding by attackers of business continuity processes. By targeting and compromising the backup infrastructure, the attackers aimed to ensure their ransomware attack would be successful by crippling the primary means of recovery. This incident highlights a critical supply chain risk and underscores the necessity for robust security controls around all third-party services, especially those integral to disaster recovery.

Threat Overview

• Victim: Marquis Health Services, a healthcare provider.
• Attack Type: Ransomware.
• Attack Vector: Compromise of a third-party service, specifically SonicWall cloud backup systems.
• Tactic: The attackers used a 'first-strike' on the backup system. This is a calculated move to neutralize the victim's recovery capabilities before deploying the ransomware to the primary systems. This greatly increases the pressure on the victim to pay the ransom.
• Threat Actor: The specific ransomware group was not identified in the initial reports.

This attack is a textbook example of a Supply Chain Attack, where an organization is breached through a trusted third-party vendor or service. It also aligns with the ransomware tactic of T1486 - Data Encrypted for Impact combined with T1562.008 - Impair Defenses: Disable Cloud Logs (or in this case, backups).

Technical Analysis

The exact method of compromise for the SonicWall cloud backup system was not detailed, but several possibilities exist:

1. Compromised Credentials: The attackers may have obtained administrative credentials for the SonicWall cloud portal via phishing, credential stuffing, or purchase from an initial access broker.
2. Vulnerability Exploitation: A zero-day or unpatched vulnerability in the SonicWall cloud platform or an associated on-premises appliance could have been exploited. SonicWall products have historically been targets for threat actors.
3. Misconfiguration: Insecure configuration of the backup system, such as publicly exposed management interfaces or weak passwords, could have provided an easy entry point.

Once the attackers gained control of the backup system (T1078 - Valid Accounts), they could perform several malicious actions:

• Delete Backups: Erase all existing backup data to prevent restoration. (T1565 - Data Manipulation)
• Exfiltrate Data from Backups: Before deletion, steal sensitive data directly from the backup repository for double extortion. (T1537 - Transfer Data to Cloud Account)
• Deploy Ransomware via Backup Agent: Use the backup system's own management agents to push the ransomware payload to all connected production systems.

This 'attack the recovery' strategy is highly effective and demonstrates a mature adversary.

Impact Assessment

The impact on a healthcare provider like Marquis Health Services is severe:

• Operational Disruption: Encryption of patient records, scheduling systems, and other critical applications can bring patient care to a standstill.
• Patient Safety Risk: Inability to access patient histories, medication records, and treatment plans poses a direct risk to patient safety.
• Data Breach & Regulatory Fines: As a healthcare provider, the exfiltration of Protected Health Information (PHI) from backups constitutes a major data breach under HIPAA, leading to mandatory reporting, patient notification, and potentially massive fines.
• Increased Recovery Costs: Without viable backups, the organization faces a difficult choice between paying a ransom, attempting to use potentially unreliable decryptors, or rebuilding their entire IT infrastructure from scratch, a process that can take weeks or months.

Cyber Observables for Detection

Detection & Response

• Monitor Cloud Admin Activity: Ingest and actively monitor all administrative logs from your cloud backup provider. Alert on any sensitive actions, such as backup deletion, policy changes, or the creation of new admin users.
• Immutable Backups: Ensure you are using immutable storage for your backups. This feature, offered by most cloud providers, prevents data from being deleted or altered for a specified period, even by an administrator.
• 3-2-1 Backup Rule: Implement the 3-2-1 rule: three copies of your data, on two different media, with one copy off-site and offline/immutable. The compromise of a single cloud provider should not be a single point of failure.
• D3FEND Techniques: Use D3-DAM: Domain Account Monitoring (extended to cloud admin accounts) to detect anomalous login behavior. Implement D3-ACH: Application Configuration Hardening by enabling immutability and object lock on cloud storage.

Mitigation

1. Secure Backup Administrator Accounts: Protect all accounts with access to backup systems with the highest level of security. This includes using strong, unique passwords and, most importantly, enforcing phishing-resistant MFA.
2. Use Immutable Storage: Store critical backups in an immutable fashion. This is a technical control that makes it impossible for an attacker to delete or encrypt your recovery data.
3. Network Isolation: The management interfaces for on-premises backup appliances should be on a separate, highly restricted network segment, with no direct internet access.
4. Third-Party Risk Management: Regularly audit the security posture of your critical service providers. Understand their security controls and ensure they meet your organization's standards.
5. Test Recovery Regularly: Don't just perform backups; regularly test your ability to restore from them. This ensures the data is viable and that your team knows the recovery process.