DragonForce Exploits SimpleHelp Vulnerabilities to Launch Widespread Ransomware Attacks via MSP Networks

ThreatNova Security

In a recent surge of sophisticated cyberattacks, the DragonForce ransomware group has exploited critical vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) tool, to infiltrate an unnamed Managed Service Provider (MSP) and deploy ransomware across multiple customer environments.

According to cybersecurity firm Sophos, the attackers leveraged three newly disclosed vulnerabilities—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—first revealed in January 2025. These flaws allowed DragonForce to compromise the MSP’s SimpleHelp infrastructure, enabling unauthorized access to downstream client systems.

Sophos became aware of the breach after detecting suspicious activity involving the installation of a SimpleHelp executable file. The malware was distributed via the MSP’s legitimate RMM platform, a tactic that highlights the growing abuse of trusted third-party tools in supply chain attacks.

Once inside the network, DragonForce operatives conducted extensive reconnaissance, harvesting data related to device configurations, user accounts, and network architecture. Despite one client’s successful containment efforts, several others suffered significant data breaches and were subsequently hit with ransomware payloads—escalating to double extortion scenarios.

This supply chain compromise underscores DragonForce’s evolving tactics and its positioning as a high-value affiliate-based ransomware operation. The group has recently shifted towards a “ransomware-as-a-cartel” model, empowering affiliates to deploy rebranded versions of its locker malware and fueling rapid expansion within the cybercriminal ecosystem.

Simultaneously, other ransomware actors—including the 3AM group—have adopted a hybrid strategy combining vishing (voice phishing) and email bombing to impersonate technical support personnel. These social engineering methods have proven effective in tricking employees into granting remote access via Microsoft Quick Assist, ultimately allowing attackers to plant persistent backdoors like QDoor.

Notably, QDoor has also been observed in campaigns linked to BlackSuit and Lynx ransomware, reflecting a growing trend of stealthy network infiltration prior to ransomware deployment. Although the DragonForce attack was intercepted before full-scale encryption occurred, the adversaries maintained covert access for nine days, during which they exfiltrated sensitive data.

“The combined use of email bombing and vishing remains a highly effective ransomware delivery method,” said Sean Gallagher, Principal Threat Researcher at Sophos. “Organizations must bolster employee awareness and enforce strict controls on remote access tools. This includes disabling unnecessary virtualization software and restricting remote management capabilities to designated systems only.”

Further complicating the ransomware landscape is the emergence of new rivalries. The rise of DragonForce coincides with the defacement of leak sites tied to BlackLock and Mamona, and a suspected hostile takeover of the infamous RansomHub group—events that point to intensifying competition among cybercriminal factions following the takedowns of LockBit and BlackCat in 2024.

Recent attacks targeting the U.K. retail sector have drawn renewed attention to DragonForce. While the group has claimed responsibility for extortion and data leaks, security researchers at Cyberint suggest that Scattered Spider, a cloud-centric access broker, may have facilitated initial compromise. Known for its identity-driven intrusion techniques, Scattered Spider is believed to be collaborating within the DragonForce affiliate ecosystem.

Despite arrests of several Scattered Spider members last year, the group’s structure remains elusive. Its integration into The Com, a loosely organized cybercrime syndicate, illustrates the decentralization and fluidity of modern ransomware operations. These groups are increasingly leveraging AI-driven tools for malware development, phishing automation, and attack scaling—further complicating defense efforts.

“DragonForce is more than just a ransomware operation—it’s a disruptive force aiming to reshape the entire threat landscape,” said Aiden Sinnott, Senior Threat Researcher at Sophos. “Its recent surge in high-profile attacks and strategic positioning reflect a deeper battle for dominance among e-crime syndicates.”

The ongoing volatility also traces back to LockBit, once the most prolific ransomware group until Operation Cronos dismantled its infrastructure in early 2024. Although LockBit briefly regained traction, a recent data leak exposed its dark web panels, ransomware builds, and internal chat logs—dealing a major blow to its credibility.

A deep dive by Ontinue into these leaks revealed meticulous affiliate management practices, personalized attack kits, and detailed ransom negotiations—providing rare insights into the operational discipline of ransomware cartels.

Key Takeaways for Cybersecurity Teams:

  1. Patch SimpleHelp and other RMM tools immediately to address CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728.
  2. Educate employees on vishing and social engineering tactics, especially those mimicking IT support.
  3. Restrict remote access tools to essential systems and users only.
  4. Monitor for anomalous installations and outbound connections from RMM platforms.
  5. Recognize the strategic shift in ransomware—cartels like DragonForce now offer turnkey solutions to affiliates, significantly expanding the attack surface.
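One way to implement takeaway 4 as detection logic over endpoint telemetry, as an added example that is not code from the article or from Sophos; the host names, file paths, destinations and the JSON-lines event shape are constructed for illustration:

```python
"""Flag RMM-abuse signals in constructed endpoint telemetry:
(1) a SimpleHelp client executable appearing on a host not approved to run the RMM agent,
(2) an approved RMM platform host connecting outbound to a destination outside its allowlist,
(3) a host from (1) making any outbound connection afterwards (stateful correlation)."""
import ipaddress
import json

# Constructed inventory (hypothetical): hosts approved to run the RMM agent and the
# networks the RMM platform is expected to talk to (TEST-NET-3 used as a stand-in).
APPROVED_RMM_HOSTS = {"rmm-srv01", "helpdesk-ws03"}
APPROVED_RMM_DESTS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed JSON-lines events: one process-creation or network event per line.
SAMPLE_EVENTS = r"""
{"type":"process","host":"helpdesk-ws03","image":"C:\\Program Files\\SimpleHelp\\Remote Access.exe"}
{"type":"process","host":"finance-ws17","image":"C:\\Users\\Public\\SimpleHelp-Remote-Access.exe"}
{"type":"network","host":"rmm-srv01","dst":"203.0.113.10","dport":443}
{"type":"network","host":"rmm-srv01","dst":"198.51.100.77","dport":443}
{"type":"network","host":"finance-ws17","dst":"198.51.100.77","dport":8443}
"""


def is_rmm_image(image: str) -> bool:
    """Case-insensitive match on the SimpleHelp executable name or install folder."""
    return "simplehelp" in image.lower()


def in_allowlist(dst: str) -> bool:
    """True if the destination IP falls inside an approved RMM destination network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in APPROVED_RMM_DESTS)


def detect(lines: str) -> list:
    """Return findings in event order; each finding names the rule, host and detail."""
    findings, suspect_hosts = [], set()
    for raw in lines.strip().splitlines():
        ev = json.loads(raw)
        if ev["type"] == "process" and is_rmm_image(ev["image"]):
            if ev["host"] not in APPROVED_RMM_HOSTS:
                suspect_hosts.add(ev["host"])
                findings.append({"rule": "rmm-install-unexpected-host", "host": ev["host"], "detail": ev["image"]})
        elif ev["type"] == "network":
            dest = f"{ev['dst']}:{ev['dport']}"
            if ev["host"] in APPROVED_RMM_HOSTS and not in_allowlist(ev["dst"]):
                findings.append({"rule": "rmm-outbound-unlisted", "host": ev["host"], "detail": dest})
            elif ev["host"] in suspect_hosts:
                findings.append({"rule": "rmm-install-then-outbound", "host": ev["host"], "detail": dest})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["detail"])
```

In a real deployment the inventory and allowlist come from the MSP's asset records, and the events from the EDR or SIEM feed rather than an inline string.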

