
DragonForce Ransomware Hits Managed Service Provider via RMM Exploits

Cybersecurity researchers have identified a supply chain ransomware attack orchestrated by the DragonForce ransomware group

Cybersecurity researchers have identified a supply chain ransomware attack orchestrated by the DragonForce ransomware group, in which attackers gained access to a Managed Service Provider’s (MSP) remote monitoring and management (RMM) platform, SimpleHelp, and used it to infiltrate multiple customer networks.

According to an analysis by Sophos, the attackers exploited three recently disclosed vulnerabilities in SimpleHelp—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to access the MSP’s environment, exfiltrate sensitive data, and deploy ransomware across customer systems.

Attack Chain Breakdown

Exploitation of RMM Vulnerabilities

The initial breach began with exploitation of flaws in SimpleHelp RMM, a tool that allows MSPs to manage remote endpoints. Once inside, the attackers pushed a malicious installer via the MSP's own SimpleHelp instance, using it as a trusted channel to propagate ransomware.

“This was not a broad phishing or brute-force campaign—this was a surgical strike that leveraged the trusted relationship between MSPs and their clients,” said Sophos researchers.

Lateral Movement and Reconnaissance

With access to the RMM, DragonForce actors moved laterally, collecting metadata on devices, configurations, users, and network connections. This allowed them to map out environments and identify high-value targets.

Although one customer managed to sever attacker access in time, others suffered from data theft, ransomware encryption, and subsequent double-extortion tactics.

The Rise of DragonForce and Its Ransomware Cartel Model

DragonForce has evolved into a ransomware cartel, allowing affiliates to rebrand and deploy customized lockers, which has significantly broadened their operational reach.

Recent intelligence links DragonForce to:

  • Defacement campaigns targeting rival ransomware groups (e.g., BlackLock and Mamona)

  • A possible takeover of RansomHub, a group that gained traction after the takedowns of LockBit and BlackCat

These developments signal a power shift within the ransomware ecosystem, with DragonForce aiming to become a dominant force following the vacuum left by LockBit.

Possible Collaboration with Scattered Spider

Cyberint has suggested that Scattered Spider, a sophisticated access broker group, may be enabling some DragonForce operations. Known for its cloud-first and identity-centric intrusion methods, Scattered Spider could be offering initial access or tooling support under the cartel’s affiliate program.

Despite several arrests in 2024, Scattered Spider remains active and elusive, linked to a broader underground collective known as The Com, which has recruited young actors from the U.K. and the U.S.

Ecosystem Volatility and Growing Threat Sophistication

This campaign highlights the fragmentation of the ransomware landscape:

  • Decentralized affiliate networks

  • Low loyalty among threat actors

  • Rapid tooling innovations, including the use of AI in malware development

“DragonForce is not just another ransomware brand—it’s a destabilizing force trying to reshape the ransomware landscape,” said Aiden Sinnott, senior threat researcher at Sophos.

3AM Ransomware and Social Engineering Tactics

Parallel campaigns by other ransomware groups like 3AM further demonstrate the growing use of social engineering:

  • Email bombing and vishing are used to impersonate IT support

  • Attackers use Microsoft Quick Assist to gain remote access

  • They install QDoor, a stealthy network tunneling backdoor previously linked to BlackSuit and Lynx ransomware

These techniques allow attackers to maintain persistence while avoiding detection by traditional security tools.

Defensive Recommendations

To protect against this growing wave of RMM-based and socially engineered attacks, organizations should:

  • Monitor RMM tools closely for unauthorized actions

  • Segment network access for MSP tools and remote services

  • Educate employees about phishing, vishing, and impersonation techniques

  • Block unnecessary remote access tools, and limit virtual machine execution

  • Restrict network traffic associated with remote control applications to whitelisted systems
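One way to operationalise the first and last of these recommendations, as an added example that is not part of the original article or of any Sophos tooling: a small Python checker over constructed endpoint telemetry that flags installers launched under a remote-control tool and remote-control connections to hosts outside an allowlist. The process image names, hostnames and log records are assumptions for illustration and should be mapped to your own EDR/RMM event fields.

```python
# Added example: flag risky remote-control activity in endpoint telemetry.
# Process names, hostnames and the sample events are constructed for
# illustration; map them to your own EDR/RMM event schema.
from dataclasses import dataclass

# Remote-control / RMM binaries to watch (assumed names, not from the article).
REMOTE_CONTROL_TOOLS = {"simplehelp-remote-access.exe", "quickassist.exe", "anydesk.exe"}
# Installers and script hosts that an RMM session should rarely spawn unattended.
INSTALLER_CHILDREN = {"msiexec.exe", "setup.exe", "powershell.exe", "cmd.exe"}
# The only destinations remote-control applications are permitted to reach (assumed).
ALLOWED_REMOTE_HOSTS = {"rmm.msp.example", "10.10.0.5"}


@dataclass
class Event:
    kind: str          # "process" or "network"
    host: str          # endpoint that produced the event
    image: str         # process image name, lowercase
    parent: str = ""   # parent image name, for process events
    dest: str = ""     # destination host, for network events


def classify(ev: Event):
    """Return an alert string for a suspicious event, or None when it looks benign."""
    if ev.kind == "process" and ev.parent in REMOTE_CONTROL_TOOLS and ev.image in INSTALLER_CHILDREN:
        return f"{ev.host}: installer {ev.image} spawned by remote-control tool {ev.parent}"
    if ev.kind == "network" and ev.image in REMOTE_CONTROL_TOOLS and ev.dest not in ALLOWED_REMOTE_HOSTS:
        return f"{ev.host}: {ev.image} connected to non-allowlisted host {ev.dest}"
    return None


def scan(events):
    """Run classify over a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]


# Constructed sample telemetry: one pushed installer, one benign process,
# one remote-control session to an unknown host, one to the approved RMM server.
SAMPLE_EVENTS = [
    Event("process", "ws01", "msiexec.exe", parent="simplehelp-remote-access.exe"),
    Event("process", "ws01", "notepad.exe", parent="explorer.exe"),
    Event("network", "ws02", "quickassist.exe", dest="198.51.100.23"),
    Event("network", "ws03", "anydesk.exe", dest="rmm.msp.example"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```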

“Companies must prioritize remote access security and employee awareness,” said Sean Gallagher of Sophos. “Simple missteps—like allowing remote desktop tools on endpoints—can give attackers the keys to the kingdom.”

Conclusion

The DragonForce attack demonstrates the growing complexity of ransomware campaigns, where supply chain vulnerabilities, affiliate-based business models, and stealthy post-exploitation tactics converge. As threat actors become more agile and collaborative, defenders must focus on early detection, network segmentation, and hardened remote access policies to mitigate risks in this evolving threat landscape.