
In a recent targeted cyberattack, a threat actor compromised the remote monitoring and management (RMM) infrastructure of a Managed Service Provider (MSP), using it to deploy DragonForce ransomware and exfiltrate sensitive client data. The incident was investigated and mitigated in part by Sophos Managed Detection and Response (MDR).
According to Sophos, the attackers gained control over the MSP’s legitimate SimpleHelp RMM instance and abused it to launch ransomware across multiple customer environments.
“In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints,” the report explains.
Sophos analysts have medium confidence that the attackers exploited a chain of vulnerabilities disclosed in January 2025, which included:
- CVE-2024-57726 – Privilege escalation vulnerability
- CVE-2024-57727 – Multiple path traversal vulnerabilities
- CVE-2024-57728 – Arbitrary file upload vulnerability
These vulnerabilities, if left unpatched, can allow attackers to escalate privileges, bypass access controls, and implant malicious files on vulnerable systems — all tactics observed in the attack.
The ransomware used in this attack, DragonForce, is a notable Ransomware-as-a-Service (RaaS) operation that first appeared in mid-2023. According to Sophos Counter Threat Unit (CTU) research, DragonForce has since rebranded itself as a “cartel” in a bid to attract more affiliates.
“DragonForce recently garnered attention… for claiming to ‘take over’ the infrastructure of RansomHub,” notes the report, also mentioning links to Scattered Spider (UNC3944) — a known ransomware affiliate responsible for high-profile retail attacks.
Sophos has made indicators of compromise (IoCs) from the DragonForce attack publicly available for threat hunters and security professionals.