Healthcare Provider's Ransomware Attack Traced to Compromised SonicWall Cloud Backups

Executive Summary

On February 10, 2026, Marquis Health Services, a subacute rehabilitation and skilled nursing care provider, disclosed it was the victim of a ransomware attack. In a statement, the company attributed the breach to a compromise of its SonicWall cloud backup systems. This access allowed threat actors to encrypt vital data, leading to significant operational disruptions. The attack vector is particularly concerning as it demonstrates a sophisticated understanding by attackers of business continuity processes. By targeting and compromising the backup infrastructure, the attackers aimed to ensure their ransomware attack would be successful by crippling the primary means of recovery. This incident highlights a critical supply chain risk and underscores the necessity for robust security controls around all third-party services, especially those integral to disaster recovery.

Threat Overview

Victim: Marquis Health Services, a healthcare provider.
Attack Type: Ransomware.
Attack Vector: Compromise of a third-party service, specifically SonicWall cloud backup systems.
Tactic: The attackers used a 'first-strike' on the backup system. This is a calculated move to neutralize the victim's recovery capabilities before deploying the ransomware to the primary systems. This greatly increases the pressure on the victim to pay the ransom.
Threat Actor: The specific ransomware group was not identified in the initial reports.

This attack is a textbook example of a Supply Chain Attack, where an organization is breached through a trusted third-party vendor or service. It also aligns with the ransomware tactic of T1486 - Data Encrypted for Impact combined with T1562.008 - Impair Defenses: Disable Cloud Logs (or in this case, backups).

Technical Analysis

The exact method of compromise for the SonicWall cloud backup system was not detailed, but several possibilities exist:

Compromised Credentials: The attackers may have obtained administrative credentials for the SonicWall cloud portal via phishing, credential stuffing, or purchase from an initial access broker.
Vulnerability Exploitation: A zero-day or unpatched vulnerability in the SonicWall cloud platform or an associated on-premises appliance could have been exploited. SonicWall products have historically been targets for threat actors.
Misconfiguration: Insecure configuration of the backup system, such as publicly exposed management interfaces or weak passwords, could have provided an easy entry point.

Once the attackers gained control of the backup system (T1078 - Valid Accounts), they could perform several malicious actions:

Delete Backups: Erase all existing backup data to prevent restoration. (T1565 - Data Manipulation)
Exfiltrate Data from Backups: Before deletion, steal sensitive data directly from the backup repository for double extortion. (T1537 - Transfer Data to Cloud Account)
Deploy Ransomware via Backup Agent: Use the backup system's own management agents to push the ransomware payload to all connected production systems.

This 'attack the recovery' strategy is highly effective and demonstrates a mature adversary.

Impact Assessment

The impact on a healthcare provider like Marquis Health Services is severe:

Operational Disruption: Encryption of patient records, scheduling systems, and other critical applications can bring patient care to a standstill.
Patient Safety Risk: Inability to access patient histories, medication records, and treatment plans poses a direct risk to patient safety.
Data Breach & Regulatory Fines: As a healthcare provider, the exfiltration of Protected Health Information (PHI) from backups constitutes a major data breach under HIPAA, leading to mandatory reporting, patient notification, and potentially massive fines.
Increased Recovery Costs: Without viable backups, the organization faces a difficult choice between paying a ransom, attempting to use potentially unreliable decryptors, or rebuilding their entire IT infrastructure from scratch, a process that can take weeks or months.

Cyber Observables for Detection

Type

log_source

Value

Cloud Backup Provider Logs

Description

Monitor for anomalous logins to the cloud backup management portal, especially from unrecognized IP addresses or geographic locations.

Context

Cloud provider audit logs (e.g., AWS CloudTrail, Azure Activity Log)

Type

api_endpoint

Value

DELETE /api/backups

Description

Any API calls to delete backup sets or storage repositories should be treated as a critical, high-fidelity alert.

Context

Cloud provider API logs

Type

user_account_pattern

Value

Creation of new admin accounts

Description

An attacker may create a new administrative account in the backup platform for persistence.

Context

User management logs in the backup service portal

Type

network_traffic_pattern

Value

Large data egress from backup repository

Description

Unusually large data transfers out of the cloud backup storage to an unknown destination could indicate data exfiltration before a ransomware attack.

Context

Cloud storage access logs, network flow data

Detection & Response

Monitor Cloud Admin Activity: Ingest and actively monitor all administrative logs from your cloud backup provider. Alert on any sensitive actions, such as backup deletion, policy changes, or the creation of new admin users.
Immutable Backups: Ensure you are using immutable storage for your backups. This feature, offered by most cloud providers, prevents data from being deleted or altered for a specified period, even by an administrator.
3-2-1 Backup Rule: Implement the 3-2-1 rule: three copies of your data, on two different media, with one copy off-site and offline/immutable. The compromise of a single cloud provider should not be a single point of failure.
D3FEND Techniques: Use D3-DAM: Domain Account Monitoring (extended to cloud admin accounts) to detect anomalous login behavior. Implement D3-ACH: Application Configuration Hardening by enabling immutability and object lock on cloud storage.

Mitigation

Secure Backup Administrator Accounts: Protect all accounts with access to backup systems with the highest level of security. This includes using strong, unique passwords and, most importantly, enforcing phishing-resistant MFA.
Use Immutable Storage: Store critical backups in an immutable fashion. This is a technical control that makes it impossible for an attacker to delete or encrypt your recovery data.
Network Isolation: The management interfaces for on-premises backup appliances should be on a separate, highly restricted network segment, with no direct internet access.
Third-Party Risk Management: Regularly audit the security posture of your critical service providers. Understand their security controls and ensure they meet your organization's standards.
Test Recovery Regularly: Don't just perform backups; regularly test your ability to restore from them. This ensures the data is viable and that your team knows the recovery process.

The core failure in the Marquis Health Services breach was the ability of attackers to destroy backups. The most powerful defense against this is to harden the configuration of the cloud backup storage itself by enabling immutability. On platforms like AWS S3, this is achieved with 'Object Lock' in Compliance mode. On Azure, it's 'Immutable storage for blobs'. When enabled, this feature makes it technically impossible to delete or modify data for a predefined retention period, even for an account with root-level privileges. Organizations must configure their cloud backup solutions to write data to an immutable bucket or container with a retention policy that aligns with their business continuity needs (e.g., 30 days). This single control would have rendered the attacker's attempt to cripple the recovery process useless, as the backups would have remained intact and available for restoration, completely undermining the ransomware attack.

Marquis Health Services Discloses Ransomware Incident Stemming from Compromised SonicWall Cloud Backup System