- Sophos spots DragonForce ransomware attack leveraging three bugs
- The flaws were found in SimpleHelp SMM platform
- The victim was a major managed service provider (MSP)
The DragonForce ransomware group is chaining multiple SimpleHelp vulnerabilities to breach systems, steal sensitive files, and deploy an encryptor, experts have warned.
In a blog post, Sophos MDR researchers noted they were alerted to the incident when a “suspicious installation” of a SimpleHelp installer file was spotted on the system of a Managed Service Provider (MSP).
That provider ended up suffering a ransomware infection, but one of its clients was enrolled with the company’s MDR and had XDR endpoint protection deployed, alerting the researchers.
White label model
SimpleHelp is a self-hosted remote support and remote access software. In January 2025, it was found to be carrying three vulnerabilities: a multiple path traversal flaw (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728), and a privilege escalation flaw (CVE-2024-57726).
Now, Sophos says DragonForce hackers are chaining these three to deploy the ransomware.
“The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients,” the researchers explained.
“The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.”
Sophos did not name the victim, or the third party that successfully thwarted the attack.
DragonForce has been rather active in recent times. In late April 2025, it was reported the group had introduced a new business model to the ransomware scene, one which involves cooperating with other gangs.
Apparently, the group was seen offering a white-label affiliate model, allowing others to use their infrastructure and malware while branding attacks under their own name.
With this model, affiliates won’t need to manage the infrastructure and DragonForce will take care of negotiation sites, malware development and data leak sites.
Leave a comment