196/68 Thursday, May 29, 2025

The ransomware group DragonForce has been identified as the actor behind a series of supply chain attacks targeting Managed Service Providers (MSPs). The attackers exploited vulnerabilities in SimpleHelp, a widely used Remote Monitoring and Management (RMM) platform, to breach MSP networks, conduct reconnaissance on client environments, exfiltrate sensitive data, and deploy ransomware encryptors across multiple endpoints.
According to an investigation by Sophos, the threat actors leveraged known vulnerabilities—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to gain unauthorized access to the MSP systems. Once inside, they utilized the compromised RMM tools to scan customer networks, gathering metadata such as device names, configurations, user accounts, and connection details. Following data theft, the attackers deployed encryptors to client machines in an attempt to lock systems and initiate double extortion tactics. While Sophos Endpoint was able to block some attacks, other clients suffered significant damage and data encryption.
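The chain described above (one RMM operator enumerating devices across many client tenants, then staging and running a file on a client) is something an MSP can look for in its own RMM audit trail. The following is an added defender-side example, not code from the original page, from Sophos, or from SimpleHelp: a small Python detector run over constructed audit-log lines. The log format, the action names (`LIST_DEVICES`, `PUSH_FILE`, `RUN_COMMAND`), the operator and tenant names, and the thresholds are all assumptions chosen for illustration.

```python
"""Flag cross-tenant reconnaissance followed by staged execution in RMM audit logs.

Constructed example: the log format and all names below are assumptions, not
SimpleHelp's real audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp | operator | client_tenant | action | detail
SAMPLE_LOG = """\
2025-05-20T01:02:10 | tech-alice | clientA | LOGIN | src=203.0.113.5
2025-05-20T01:03:40 | tech-alice | clientA | LIST_DEVICES | count=48
2025-05-20T01:04:02 | tech-alice | clientB | LIST_DEVICES | count=120
2025-05-20T01:04:30 | tech-alice | clientC | LIST_DEVICES | count=73
2025-05-20T01:05:11 | tech-alice | clientD | LIST_DEVICES | count=9
2025-05-20T01:09:57 | tech-alice | clientB | PUSH_FILE | name=update.exe
2025-05-20T01:10:02 | tech-alice | clientB | RUN_COMMAND | cmd=update.exe
2025-05-20T09:15:00 | tech-bob | clientA | LOGIN | src=198.51.100.9
2025-05-20T09:16:00 | tech-bob | clientA | LIST_DEVICES | count=48
2025-05-20T09:40:00 | tech-bob | clientA | RUN_COMMAND | cmd=ipconfig
"""

RECON_WINDOW = timedelta(minutes=15)   # assumed: how fast "normal" work moves between tenants
RECON_TENANTS = 3                      # assumed: distinct tenants enumerated inside the window


def parse(log_text):
    """Parse the constructed pipe-separated format into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, operator, tenant, action, detail = [p.strip() for p in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "operator": operator,
                       "tenant": tenant, "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def _value(detail):
    """Return the right-hand side of a 'key=value' detail field."""
    return detail.split("=", 1)[1] if "=" in detail else detail


def detect(log_text):
    """Return findings: cross-tenant recon, then any file pushed and executed after it."""
    by_operator = defaultdict(list)
    for e in parse(log_text):
        by_operator[e["operator"]].append(e)

    findings = []
    for operator, evs in by_operator.items():
        # Stage 1: device enumeration across >= RECON_TENANTS tenants within RECON_WINDOW.
        recon_at = None
        for i, e in enumerate(evs):
            if e["action"] != "LIST_DEVICES":
                continue
            window = [x for x in evs[i:]
                      if x["action"] == "LIST_DEVICES" and x["ts"] - e["ts"] <= RECON_WINDOW]
            tenants = sorted({x["tenant"] for x in window})
            if len(tenants) >= RECON_TENANTS:
                recon_at = e["ts"]
                findings.append({"type": "cross_tenant_recon", "operator": operator,
                                 "tenants": tenants, "start": recon_at.isoformat()})
                break
        if recon_at is None:
            continue

        # Stage 2: after recon, a file pushed to a tenant and then executed there by name.
        pushed = {}
        for e in evs:
            if e["ts"] < recon_at:
                continue
            if e["action"] == "PUSH_FILE":
                pushed[(e["tenant"], _value(e["detail"]))] = e
            elif e["action"] == "RUN_COMMAND":
                key = (e["tenant"], _value(e["detail"]))
                if key in pushed:
                    findings.append({"type": "staged_execution", "operator": operator,
                                     "tenant": e["tenant"], "file": key[1],
                                     "at": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample, `tech-alice` is flagged twice (enumeration of four tenants in under two minutes, then `update.exe` pushed and run on `clientB`), while `tech-bob`, who works inside a single tenant, is not. The two thresholds are the tuning knobs: an MSP should set them from its own baseline of how many tenants a technician legitimately touches per window.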
DragonForce has drawn increasing attention due to its involvement in high-profile breaches in the UK, including attacks on Marks & Spencer and Co-op, where large volumes of customer data were confirmed stolen. The group is also reportedly evolving into a white-label Ransomware-as-a-Service (RaaS) operation, allowing affiliates to use their encryptors under different branding. This strategic shift, combined with their supply chain attack model, positions DragonForce as a significant threat in the ransomware ecosystem, capable of breaching multiple organizations through a single compromised service provider.