
Uptick in Bomgar RMM Exploitation
A surge in attacks leverages compromised Bomgar Remote Monitoring and Management (RMM) instances to deploy ransomware, establish persistence, and conduct network reconnaissance. Threat actors exploit CVE-2026-1731 to gain initial access, then pivot to downstream customers, particularly Managed Service Providers (MSPs), for mass compromise.
Notes
<span id="docs-internal-guid-f91782f4-7fff-1557-d4fc-98a6c2f7ebdc"><div style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">CONCLUSION<br></span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">LockBit 3.0 affiliates have demonstrated strategic adaptability by rapidly weaponizing leaked ransomware builders and exploiting supply chain vulnerabilities in Bomgar RMM to target downstream customers, particularly MSPs. This campaign highlights the evolving threat of RMM exploitation as a preferred initial access vector for ransomware operators, with actors leveraging domain-wide persistence to maximize impact. The dental software and MSP sectors in the United States have borne the brunt of these attacks, suffering mass compromises and ransomware deployments that disrupted operations and exposed sensitive data. To mitigate this risk, organizations must prioritize patch management for CVE-2026-1731 and implement rigorous auditing of RMM tools and privileged accounts. SOCRadar’s IOC Radar can help identify and block these indicators across global threat feeds, while Dark Web Monitoring can detect credential exposures tied to compromised RMM instances. Cyber Threat Intelligence tracking of LockBit 3.0 affiliates’ TTPs will enable proactive detection of similar campaigns, and Brand Protection can identify phishing domains mimicking legitimate RMM providers. Finally, Attack Surface Management should be deployed to continuously monitor for exposed Bomgar instances and other RMM tools in your environment.</span></div><div><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></div></span>
Mitigation
<span id="docs-internal-guid-73dbd300-7fff-fbb9-67f4-fd0b9490cde8"><div style="line-height:1.38;margin-top:14pt;margin-bottom:4pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">MITIGATION </span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(26, 102, 204); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/">REF</a></span></div><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;table-layout:fixed;width:468pt;"><colgroup><col><col><col><col></colgroup><tbody><tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#264059;padding:6pt 8pt 6pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#264059;padding:6pt 8pt 6pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">ID</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#264059;padding:6pt 8pt 6pt 
8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#264059;padding:6pt 8pt 6pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Procedure</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1133</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 
1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">External Remote Services</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Threat actors exploited CVE-2026-1731 in outdated Bomgar RMM instances to gain unauthenticated remote code execution and initial access to victim environments.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Persistence</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1098</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Account Manipulation</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Actors added local and domain administrator accounts (e.g., Adminpwd123.1, WDAGUtilityAccount) for persistent backdoor access across compromised networks.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Persistence</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1562.001</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Disable or Modify System Firewall</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Threat actors deployed suspicious drivers (PoisonX.sys, hrwfpdrv.sys) to terminate EDR agents and disable security tooling, enabling unobstructed persistence.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Persistence</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1219</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Remote Access Software</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Actors installed legitimate remote access tools (AnyDesk, Atera, ScreenConnect) via compromised Bomgar RMM sessions to maintain persistent access.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Privilege Escalation</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1068</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exploitation for Privilege Escalation</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">After gaining initial access, actors exploited Bomgar’s vulnerability to escalate privileges from local admin to domain admin, achieving domain-wide control.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Discovery</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1082</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">System Information Discovery</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Threat actors performed domain reconnaissance using nltest.exe and network enumeration via NetScan to map victim environments and identify high-value targets.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Impact</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1486</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Data Encrypted for Impact</span></p></td><td style="border-left:solid #000000 1pt;border-right:solid #000000 1pt;border-bottom:solid #000000 1pt;border-top:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Actors deployed LockBit ransomware (LB3.exe) via compromised Bomgar RMM sessions, encrypting endpoints and demanding ransom payments.</span></p></td></tr></tbody></table></div><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><tbody>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#264059;color:#ffffff;font-weight:700;padding:6pt 8pt 6pt 8pt;">Detection ID</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#264059;color:#ffffff;font-weight:700;padding:6pt 8pt 6pt 8pt;">Detection Name</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#264059;color:#ffffff;font-weight:700;padding:6pt 8pt 6pt 8pt;">Technique Detected</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#264059;color:#ffffff;font-weight:700;padding:6pt 8pt 6pt 8pt;">Analytics</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#264059;color:#ffffff;font-weight:700;padding:6pt 8pt 6pt 8pt;">Description</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#264059;color:#ffffff;font-weight:700;padding:6pt 8pt 6pt 8pt;">Log Sources</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0001</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Suspicious Bomgar RMM Process Execution from Unusual Paths</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1133 - External Remote Services</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0001, AN0002</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Detects execution of bomgar-scc.exe or related processes from non-standard directories (e.g., PerfLogs) or unusual parent processes. Correlates with version checks to identify outdated, vulnerable Bomgar instances. Malicious behavior includes remote shell sessions initiating lateral movement or ransomware deployment.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Sysmon EventCode 1, Windows Security Event Log 4688, Bomgar RMM Audit Logs</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0002</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Unauthorized Local/Domain Admin Account Creation</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1098 - Account Manipulation</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0003, AN0004</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Alerts on creation of new local or domain administrator accounts, particularly those with weak or reused passwords (e.g., Adminpwd123.1, 123123qwEqwE). Correlates with account logon events and privilege escalation logs to identify persistence mechanisms.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Windows Security Event Log 4720, 4722, 4732, 4740, Active Directory Audit Logs</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0003</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">EDR Termination via Suspicious Driver Deployment</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1562.001 - Disable or Modify System Firewall</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0005, AN0006</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Detects deployment of unsigned or suspicious drivers (PoisonX.sys, hrwfpdrv.sys) known to terminate EDR agents. Correlates with driver load events and EDR agent failure logs to identify BYOVD attacks.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Sysmon EventCode 6, Windows System Event Log 6005, EDR Agent Logs</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0004</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Remote Access Tool Installation via RMM Session</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1219 - Remote Access Software</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0007, AN0008</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Alerts on installation of remote access tools (AnyDesk, Atera, ScreenConnect) initiated from Bomgar RMM sessions. Correlates with process execution logs and network connections to identify unauthorized persistence mechanisms.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Sysmon EventCode 1, Windows Security Event Log 4688, Network Connection Logs</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0005</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Domain Admin Privilege Escalation via RMM Exploitation</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1068 - Exploitation for Privilege Escalation</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0009, AN0010</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Detects rapid privilege escalation from local admin to domain admin following Bomgar RMM exploitation. Correlates with group membership changes (4728, 4732) and command-line execution logs to identify malicious domain-wide control attempts.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Windows Security Event Log 4728, 4732, 4688, Bomgar RMM Audit Logs</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0006</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Network Enumeration and Reconnaissance via RMM</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1082 - System Information Discovery</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0011, AN0012</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Alerts on execution of network enumeration tools (NetScan, nltest.exe) from Bomgar RMM sessions. Correlates with process execution and network connection logs to identify malicious reconnaissance activities.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Sysmon EventCode 1, Windows Security Event Log 4688, Network Connection Logs</td></tr>
<tr style="height:0pt;"><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">DET0007</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Ransomware Deployment via Compromised RMM Session</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">T1486 - Data Encrypted for Impact</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">AN0013, AN0014</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Detects execution of ransomware binaries (LB3.exe) initiated from Bomgar RMM sessions. Correlates with file encryption events, ransom note drops, and lateral movement patterns to identify active ransomware campaigns.</td><td style="border:solid #000000 1pt;vertical-align:top;background-color:#efefef;padding:5pt 7pt 5pt 7pt;">Sysmon EventCode 1, 11, 23, Windows Security Event Log 4663, EDR Agent Logs</td></tr>
</tbody></table></div></span>
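
The process-based detections this page describes (a Bomgar client running from an unusual path, and remote access, reconnaissance or ransomware binaries launched from a Bomgar session) can be evaluated over process-creation logs as follows. This is an added example, not rule logic from the original page; the expected install prefix, the file-name fragments and the JSON-lines input shape are assumptions, and the sample records are constructed.

```python
import json
import ntpath

# Assumption: install prefix of the legitimate client in this environment.
EXPECTED_PREFIXES = ("c:\\programdata\\bomgar-scc-",)
RMM_IMAGES = {"bomgar-scc.exe"}

# Tools named on this page, keyed by the detection they map to.
# The file-name fragments used for matching are assumptions.
CHILD_RULES = {
    "DET0004": ("anydesk", "atera", "screenconnect"),
    "DET0006": ("netscan", "nltest.exe"),
    "DET0007": ("lb3.exe",),
}

# Constructed sample records: JSON lines using Sysmon Event ID 1 field names.
SAMPLE_LINES = r"""
{"Computer": "SRV-01", "UtcTime": "2026-01-01 10:00:00", "Image": "C:\\ProgramData\\bomgar-scc-0x00000000\\bomgar-scc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-01", "UtcTime": "2026-01-01 10:05:00", "Image": "C:\\PerfLogs\\bomgar-scc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "SRV-01", "UtcTime": "2026-01-01 10:06:00", "Image": "C:\\Windows\\System32\\nltest.exe", "ParentImage": "C:\\ProgramData\\bomgar-scc-0x00000000\\bomgar-scc.exe"}
{"Computer": "SRV-01", "UtcTime": "2026-01-01 10:07:00", "Image": "C:\\Users\\Public\\AnyDesk.exe", "ParentImage": "C:\\ProgramData\\bomgar-scc-0x00000000\\bomgar-scc.exe"}
{"Computer": "WS-02", "UtcTime": "2026-01-01 10:08:00", "Image": "C:\\Windows\\System32\\nltest.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
this line is not JSON
{"Computer": "SRV-01", "UtcTime": "2026-01-01 10:09:00", "Image": "C:\\Users\\Public\\LB3.exe", "ParentImage": "C:\\ProgramData\\bomgar-scc-0x00000000\\bomgar-scc.exe"}
""".splitlines()


def evaluate(event):
    """Return [(detection_id, reason)] for one process-creation record."""
    image = (event.get("Image") or "").lower()
    parent = (event.get("ParentImage") or "").lower()
    name = ntpath.basename(image)
    parent_name = ntpath.basename(parent)
    hits = []
    # DET0001: the RMM client binary running outside its expected directory.
    if name in RMM_IMAGES and not image.startswith(EXPECTED_PREFIXES):
        hits.append(("DET0001", f"{name} running from {ntpath.dirname(image)}"))
    # DET0004/6/7: a listed tool whose parent process is the RMM client.
    if parent_name in RMM_IMAGES:
        for det_id, fragments in CHILD_RULES.items():
            if any(fragment in name for fragment in fragments):
                hits.append((det_id, f"{name} spawned by {parent_name}"))
    return hits


def scan(lines):
    """Evaluate every parseable record and return a flat list of alerts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if not isinstance(event, dict):
            continue
        for det_id, reason in evaluate(event):
            alerts.append({"host": event.get("Computer"),
                           "time": event.get("UtcTime"),
                           "id": det_id, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

The nltest.exe record whose parent is cmd.exe produces no alert, which reflects the page's framing that these tools are alerted on when launched from a Bomgar RMM session.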