
Operators of the DragonForce ransomware have targeted a managed service provider (MSP), exploiting its remote administration platform, SimpleHelp, to exfiltrate data and deploy encryptors across client systems. According to Sophos, which investigated the breach, the attackers leveraged three known SimpleHelp vulnerabilities, all disclosed and patched by the vendor in January 2025, to gain access: CVE-2024-57727 (an unauthenticated path traversal that lets a remote attacker read files from the server), CVE-2024-57728 (an arbitrary file upload by an administrative user, leading to code execution on the server) and CVE-2024-57726 (missing back-end authorization checks that let a low-privileged technician account escalate to administrator). The MSP's instance had not been updated to a fixed release.
SimpleHelp is a commercial remote support and management tool widely employed by MSPs to maintain their clients’ IT infrastructure. In the course of the attack, the perpetrators conducted initial reconnaissance, gathering intelligence on client organizations, including device names, configurations, user credentials, and network connections. Following this, they proceeded to data theft and ransomware deployment, using SimpleHelp as a conduit.
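The first question a practitioner will ask after reading this is whether their own SimpleHelp servers predate the January 2025 fixes. The following is an added example, not code from Sophos, SimpleHelp or the original article: it parses version strings from a constructed server inventory and flags builds older than the vendor's minimum fixed release per branch (5.3.9, 5.4.10 and 5.5.8). The hostnames and the `(hostname, version)` inventory format are assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum fixed build per maintained branch, as published by SimpleHelp in
# January 2025 for CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728.
PATCHED_MINIMUM = {
    (5, 3): (5, 3, 9),
    (5, 4): (5, 4, 10),
    (5, 5): (5, 5, 8),
}

# Accepts "5.5.7", "v5.5.7" or "5.5" (patch level defaults to 0).
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a SimpleHelp version string into (major, minor, patch); None if unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the build predates the January 2025 fixes.

    Returns None when the version cannot be parsed so the caller can route the
    host to manual review instead of silently counting it as patched.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    branch = version[:2]
    if branch in PATCHED_MINIMUM:
        return version < PATCHED_MINIMUM[branch]
    # Branches newer than 5.5 shipped after the fixes; branches older than 5.3
    # received no backport, so they are treated as vulnerable (assumption).
    return branch < (5, 3)


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (hostname, version) pairs into needs_patch / patched / unknown buckets."""
    result: Dict[str, List[str]] = {"needs_patch": [], "patched": [], "unknown": []}
    for host, version in inventory:
        verdict = is_vulnerable(version)
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["needs_patch"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("msp-rmm-01", "5.5.7"),   # last vulnerable 5.5 build
    ("msp-rmm-02", "5.5.8"),   # first fixed 5.5 build
    ("lab-rmm", "5.4.9"),      # vulnerable 5.4 build
    ("legacy-rmm", "v5.2.3"),  # branch with no backported fix
    ("unknown-rmm", "latest"), # unparseable, needs a human look
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A clean version check only closes the patch gap; a server that was already exploited before the update still needs to be reviewed against the published indicators of compromise, since the attackers in this case used the platform's legitimate remote-management features once inside.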
Sophos managed to thwart the intrusion on one client’s network. However, other MSP customers were not as fortunate — their systems were successfully encrypted and data exfiltrated, enabling the attackers to initiate a double extortion scheme: demanding ransom both for decryption and for withholding public disclosure of the stolen information. To assist other organizations in defending against similar threats, Sophos published indicators of compromise (IoCs) associated with the campaign.
This incident once again underscores that MSPs are high-value targets in the threat landscape. Ransomware groups have long prioritized them, knowing that a single breach of the provider's management tooling can grant access to dozens, or even hundreds, of downstream customers. Certain affiliates within cybercriminal ecosystems have even specialized in exploiting widely used MSP tools, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya VSA.
One of the most notorious examples remains the July 2021 REvil attack delivered through Kaseya VSA, which affected an estimated 1,500 organizations worldwide.
DragonForce, the group behind this latest breach, has been steadily expanding its presence. It previously garnered attention following high-profile attacks on British retailers Marks & Spencer and Co-op. Those incidents mirrored techniques used by the Scattered Spider group, combining corporate administrative tools with social engineering tactics. In the Co-op breach, the personal data of a significant number of customers was compromised.
With a growing roster of victims and a flexible affiliate model, DragonForce continues to bolster its stature within the cybercriminal underworld. The group offers a so-called white-label RaaS (ransomware-as-a-service) platform, allowing affiliates to deploy its encryptor under their own branding. This approach significantly enhances the appeal of the operation to partners and widens the pool of actors capable of mounting large-scale attacks.