canadianrecycler.ca - Toronto, Ontario -- Businesses across North America are reeling after a serious cyber attack threatened the data of 300 auto recycling businesses, including at least four based in Canada.

The attack, which occured on the evening of August 6, targeted businesses using SimpleHelp, a program that allows remote access to computer facilities. Those businesses that were caught up in the attack were locked out of their own databases and sent ransom notes demanding payment for the return of access.

Plazek Auto Recycling, near Hamilton, Ontario, was one of the businesses affected by the incident. According to Marc Plazek, employees only discovered the situation when they arrived at work to discover they were locked out of their computers — and discovered 30 copies of an identical ransom note on the printer.

“It was as if they arrived at our front gate, locked us in and said ‘we’ve got the only key.’ Except it was all done online.”

The ransomware software, LockBit Blpack, was developed by LockBit, a sophisticated cybercriminal organization. The group employs a dual-threat approach: it not only encrypt victims’ critical data and demand ransom payments for decryption keys, but also threaten to publicly leak sensitive information if its demands aren’t met – a tactic known as double extortion. First appearing on shadowy Russian forums in early 2020, LockBit has quickly established itself as a dominant force in the global ransomware landscape.

Like the other Canadian businesses affected by the hack, Plazek Auto Recycling did not respond to the threat. According to Marc Plazek, the company didn’t even entertain the idea of paying.

“We had a similar thing happen in 2019. We spoke with our insurance company who told us not to pay. They said there would be no reason for the hackers to bother living up to their word anyway.”

Because of the previous incident, Plazek Auto Recycling’s team had set up security measures and backed-up the computer system. The company was able to scrub its system of the malware and save all but a few hours worth of its records.

Other Canadian businesses known to have been affected include Millers Auto Recycling in Fort Erie, Ontario and Marks Parts in Ottawa. Fortunately, these companies were also able to restore access to data.

Other auto recyclers received assistance from the technical departments of Car-Part and Hollander. According to the Automotive Recyclers of Canada, most of the businesses affected by the attack had been

In response to the cyberattack, the executive director of the ARC, Wally Dingman, authored a column discussing the incident for this website.

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.

Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025:

CVE-2024-57727: Multiple path traversal vulnerabilities
CVE-2024-57728: Arbitrary file upload vulnerability
CVE-2024-57726: Privilege escalation vulnerability
DragonForce
DragonForce ransomware is an advanced and competitive ransomware-as-a-service (RaaS) brand that first emerged in mid-2023. As discussed in recent research from Sophos Counter Threat Unit (CTU), DragonForce began efforts in March to rebrand itself as a “cartel” and shift to a distributed affiliate branding model.

Coinciding with this effort to appeal to a wider range of affiliates, DragonForce recently garnered attention in the threat landscape for claiming to “take over” the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944) who was formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US.

The incident
Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients. The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.

One client of the MSP was enrolled with Sophos MDR and had Sophos XDR endpoint protection deployed. Through a combination of behavioral and malware detection and blocking by Sophos endpoint protection and MDR actions to shut down attacker access to the network, thwarting the ransomware and double extortion attempt on that customer’s network. However, the MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration. The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.