
Summary
DragonForce ransomware exploited SimpleHelp RMM software vulnerabilities to attack an MSP and its customers. The attackers exfiltrated data and deployed ransomware, using double extortion tactics. This highlights the risk of supply chain attacks targeting MSPs and the importance of robust security measures.
Main Story
DragonForce ransomware has launched a sophisticated supply chain attack against a Managed Service Provider (MSP), compromising its SimpleHelp remote monitoring and management (RMM) software and impacting numerous downstream customers. The attackers exploited known vulnerabilities in SimpleHelp to gain access, then exfiltrated sensitive data and deployed ransomware across multiple endpoints. This incident underscores the growing threat of ransomware cartels like DragonForce and their innovative affiliate models.
The Attack Methodology
The attackers exploited three specific vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) in SimpleHelp, which were disclosed in January 2025. These vulnerabilities allowed path traversal, arbitrary file uploads, and privilege escalation. The attackers leveraged these chained exploits to gain full control of the MSP’s SimpleHelp RMM instance. From there, they pushed out a malicious SimpleHelp installer file to the MSP’s clients, masquerading as a legitimate update. This allowed the attackers to gain a foothold in client networks, collect sensitive data, including device configurations, user information, and network details, and ultimately deploy the DragonForce ransomware. This double extortion tactic—data exfiltration combined with ransomware deployment—increases pressure on victims to pay the ransom.
DragonForce: A Rising Threat
DragonForce ransomware has rapidly become a prominent player in the cybercrime landscape. Initially emerging in mid-2023, it has recently transitioned to a “cartel” model, offering a white-label ransomware-as-a-service (RaaS). This affiliate model allows other cybercriminals to use DragonForce’s infrastructure and tools to deploy their own branded versions of the ransomware, expanding the group’s reach and impact. The group gained notoriety following attacks on major UK retailers, including Marks & Spencer and Co-op, where significant amounts of customer data were stolen. DragonForce’s hostile takeover of RansomHub, a prolific ransomware group, further cemented its position in the cybercriminal underworld.
Impact and Response
While one of the MSP’s clients, protected by Sophos MDR and endpoint protection, successfully thwarted the attack, other clients suffered data exfiltration and ransomware deployment. The incident highlights the critical importance of robust security measures, including up-to-date patching, advanced threat detection, and incident response capabilities. MSPs, as trusted providers with access to numerous client networks, are particularly attractive targets for supply chain attacks. This incident serves as a wake-up call for MSPs and their clients to bolster their security posture.
The Larger Implications
This incident has significant implications for the broader cybersecurity landscape:
- Supply Chain Risk: It underscores the increasing risk of supply chain attacks targeting MSPs, which can have a cascading effect on numerous downstream organizations.
- RaaS Model: The success of DragonForce’s RaaS model demonstrates the growing trend of sophisticated, organized cybercrime operations.
- Trust and Security: The exploitation of a legitimate RMM tool like SimpleHelp erodes trust in security software and emphasizes the need for continuous vigilance.
- MSP Security: It highlights the crucial role of MSPs in ensuring their own security as well as the security of their clients.
This attack serves as a stark reminder that cybersecurity is an ongoing battle. As ransomware groups like DragonForce evolve and refine their tactics, organizations must remain proactive in implementing robust security measures and staying informed about emerging threats. As of today, May 31st, 2025, this is the current understanding of the DragonForce ransomware attack on MSPs through SimpleHelp. Future developments may change this assessment.
The exploitation of SimpleHelp highlights the vulnerability of RMM tools. What strategies can MSPs implement to verify the integrity of software updates and prevent malicious payloads from being deployed to client networks?
That’s a great question! Verifying software update integrity is key. Beyond traditional checksums, I think we need to explore solutions like code signing verification and potentially even sandboxing updates before wide deployment, especially with RMM tools. Thoughts?
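One way to implement the update-integrity gate the comments above describe, as an added example that is not code from the original article, from SimpleHelp, or from any vendor: before an RMM operator pushes an installer to client endpoints, the artifact is checked against a vendor-published release manifest obtained out of band, the manifest itself is authenticated, and the version must be on a change-controlled allowlist. The HMAC over the manifest is a stand-in for a real code-signing check, and all installer bytes, versions and keys are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. A real deployment would verify
# a detached code signature with the vendor's public key instead of an HMAC.
MANIFEST_KEY = b"constructed-offline-manifest-key"


def canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so the MAC covers a stable byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Authenticate the release manifest (stand-in for a vendor code signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(artifact: bytes, version: str, manifest: dict, manifest_mac: str,
                  approved_versions: set, key: bytes = MANIFEST_KEY) -> tuple:
    """Return (allowed, reason). Every failure refuses the push to client networks."""
    # 1. The manifest must be authentic; an attacker who edits it to list a
    #    malicious installer's digest cannot produce a valid MAC without the key.
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        return False, "manifest authentication failed"
    # 2. Only versions approved through change control may be rolled out.
    if version not in approved_versions:
        return False, f"version {version} not approved for rollout"
    expected = manifest.get("releases", {}).get(version)
    if expected is None:
        return False, f"version {version} absent from vendor manifest"
    # 3. The installer bytes must match the vendor-published digest exactly.
    digest = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return False, "artifact digest mismatch: refuse to push to clients"
    return True, "ok"


# Constructed sample data: a genuine installer, a tampered copy, and the manifest.
GOOD_INSTALLER = b"constructed sample RMM installer bytes v2.0.1"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00"  # one byte changed: rejected below
MANIFEST = {"product": "rmm-agent",
            "releases": {"2.0.1": hashlib.sha256(GOOD_INSTALLER).hexdigest()}}
MANIFEST_MAC = sign_manifest(MANIFEST)
APPROVED_VERSIONS = {"2.0.1"}

if __name__ == "__main__":
    for name, blob in (("good", GOOD_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        print(name, verify_update(blob, "2.0.1", MANIFEST, MANIFEST_MAC, APPROVED_VERSIONS))
```

The same gate also blocks a forged manifest: an attacker who replaces the digest in the manifest without the key fails step 1 before the artifact is even hashed.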
Editor: StorageTech.News