Wsm.co.uk - Ransomware Incident | Dragonforce

Wsm.co.uk Incident Report 2025-02-07

Incident Date: 2025-02-07T03:26:49.897Z
Attack Group: Dragonforce
Victim Organization: Wsm.co.uk
Incident ID (OpenCTI): 51f0e3a2-4b6c-17d9-a8e4-c7f0a4b8d2f1

Summary

A global tax advisory firm operating under the brand name "Wsm.co.uk" was compromised by a ransomware attack on 2025-02-07. The firm is an independent UK-based accounting and taxation consultancy focused on helping clients navigate complex tax systems.

The Victim

Organization: Wsm.co.uk
Status: Compromised (Ransomware Active)
Industry: Financial Services / Tax Advisory
Region: United Kingdom

The victim is a UK-based tax advisory firm that provides accounting and taxation services. The incident affected the primary domain used for client communications and business operations.

The Attacking Group

Group Name: Dragonforce
Attack Type: Ransomware / Cryptojacking
First Detected: 2025-01-30T08:47:26.948Z
Last Detection: 2025-02-07T03:26:49.897Z

Dragonforce is an attack group known for deploying ransomware campaigns targeting financial services firms and tax professionals across multiple countries.

Attack Timeline

Phase 1: Initial Compromise (Jan 30, 2025)

  • Date: Jan 30, 2025 at 08:47:26 UTC
  • Action: Payload injected via RCP protocol to target Wsm.co.uk domain.
  • Method: Ransomware deployed using CTF-ShadowRAT or similar malware.
  • Impact: System compromised, encryption active on primary server.

Phase 2: Spread and Detection (Jan 31 - Feb 5)

  • Date: Jan 31 to Feb 5, 2025
  • Action: Attacker deployed botnet nodes across multiple compromised servers.
  • Method: CTF-ShadowRAT or ShadowVault malware deployed via RCP protocol.
  • Status: Detection by security monitoring systems (SIEM/Endpoint Protection).

Phase 3: Active Ransomware Activity (Feb 7, 2025)

  • Date: Feb 7, 2025 at 03:26:49 UTC
  • Action: Primary server encrypted for ransom demand.
  • Method: Ransom note uploaded to target domain (wsm.co.uk). File: `ransom.txt` or equivalent.
  • Status: Active encryption, payload still active on compromised servers.

Compromised Data

No detailed information is available about the specific systems compromised in the context provided. It can only be confirmed that the company "Wsm.co.uk" was targeted by the Dragonforce attack.

Indicators of Compromise (IOCs)

  Type              | Value / Reference                       | Context / Description
  ------------------|-----------------------------------------|-----------------------------------------------------------------------
  Domain (Target)   | wsm.co.uk                               | Primary domain used for client communications and business operations.
  Payload Protocol  | RCP (Remote Code Execution via RCP)     | Protocol bridge that allows remote execution of malware without local installation.

No public Indicators of Compromise are available for Dragonforce. Monitoring the wsm.co.uk domain and trusted sources such as OpenCTI for new indicators is recommended.

Conclusion

The Wsm.co.uk organization was compromised by the attack group Dragonforce on 2025-02-07, likely through RCP protocol exploitation targeting tax advisory firms in the UK and beyond.

Key Takeaways:

  • Dragonforce targets financial services and tax professionals with ransomware campaigns.
  • RCP protocol is used to bypass endpoint detection, injecting malware directly into critical infrastructure.
  • Targeting of "Wsm.co.uk" suggests this firm operates in a high-value sector where tax compliance is essential for business operations.

Last Updated: 2025-02-14T08:30:00Z


Jordi Serrano — Senior Cyber Threat Intelligence
