Attackers hit MSP, use its RMM software to deliver ransomware to clients

A threat actor wielding the DragonForce ransomware has compromised an unnamed managed service provider (MSP) and pushed the malware onto its client organizations via SimpleHelp, a legitimate remote monitoring and management (RMM) tool.


“Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025,” the company’s incident responders shared on Tuesday.

The vulnerabilities in question are CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, which can be used to compromise SimpleHelp server instances and, through them, push malicious payloads to machines with the client software installed.

Earlier this year, the same vulnerabilities were exploited by ransomware attackers targeting healthcare organizations.

Spotting the attack

“Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM [server] instance, hosted and operated by the MSP for their clients,” the incident responders said.

“The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.”

One of the MSP’s clients is also a Sophos client, and the company’s software and detection and response professionals shut down the attackers’ access to the client’s network before they were able to deploy the ransomware.

“The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment,” they added, and shared indicators of compromise related to this attack.
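The detection that tipped off Sophos MDR was an installer being pushed through the MSP's own RMM server, followed by the same access being used across several customer estates. The script below, an added illustration that is not part of the article and not Sophos' or SimpleHelp's code, shows the shape of a hunt for that pattern over endpoint process-creation telemetry: installer launches whose parent is an RMM agent, and the same installer landing on several hosts inside a short window, which is what an RMM-driven mass deployment looks like. The agent process name, the record format and the sample events are constructed assumptions; substitute the image names and log fields from your own telemetry.

```python
"""Hunt for installers pushed via an RMM agent in process-creation events.

Added example, not from the article or from Sophos/SimpleHelp. The RMM agent
image name, the pipe-delimited record layout and the sample events are
constructed for illustration and are not real product artefacts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Assumption: parent images that represent an RMM agent on an endpoint.
# "simplehelp-agent.exe" is a placeholder, not the real SimpleHelp binary name.
RMM_AGENT_IMAGES = {"simplehelp-agent.exe"}

# Loose markers that a child process is an installer (image or command line).
INSTALLER_MARKERS = ("installer", "setup", ".msi")

# Constructed sample telemetry: ts|host|parent_image|image|cmdline
SAMPLE_EVENTS = [
    "2025-06-01T09:00:05|ws-acme-01|explorer.exe|msiexec.exe|msiexec.exe /i vendor-update.msi",
    "2025-06-01T09:12:10|ws-acme-07|simplehelp-agent.exe|simplehelp-installer.exe|simplehelp-installer.exe /quiet",
    "2025-06-01T09:12:14|ws-beta-03|simplehelp-agent.exe|simplehelp-installer.exe|simplehelp-installer.exe /quiet",
    "2025-06-01T09:13:02|srv-beta-db1|simplehelp-agent.exe|simplehelp-installer.exe|simplehelp-installer.exe /quiet",
    "2025-06-01T09:14:00|ws-acme-02|simplehelp-agent.exe|cmd.exe|cmd.exe /c ipconfig /all",
]


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent_image: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed pipe-delimited process-creation record."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), host, parent.lower(), image.lower(), cmdline)


def load_sample() -> List[ProcEvent]:
    return [parse_event(line) for line in SAMPLE_EVENTS]


def is_installer_launch(ev: ProcEvent) -> bool:
    """True when the child image or command line looks like an installer."""
    text = f"{ev.image} {ev.cmdline}".lower()
    return any(marker in text for marker in INSTALLER_MARKERS)


def rmm_pushed_installers(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Installer launches whose parent is an RMM agent process.

    A user double-clicking an MSI (parent explorer.exe) is not flagged; neither is
    non-installer activity under the agent, which belongs to a separate recon hunt.
    """
    return [ev for ev in events if ev.parent_image in RMM_AGENT_IMAGES and is_installer_launch(ev)]


def mass_deployments(events: Iterable[ProcEvent], min_hosts: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, List[str]]]:
    """Report installer images that an RMM agent launched on >= min_hosts distinct
    hosts within one sliding window: the fingerprint of a fleet-wide push."""
    hits = sorted(rmm_pushed_installers(events), key=lambda e: e.ts)
    by_image: Dict[str, List[ProcEvent]] = {}
    for ev in hits:
        by_image.setdefault(ev.image, []).append(ev)

    findings: List[Tuple[str, List[str]]] = []
    for image, evs in by_image.items():
        for i, start in enumerate(evs):
            hosts = {e.host for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) >= min_hosts:
                findings.append((image, sorted(hosts)))
                break  # one finding per image is enough for triage
    return findings


if __name__ == "__main__":
    sample = load_sample()
    for ev in rmm_pushed_installers(sample):
        print(f"RMM-pushed installer on {ev.host}: {ev.cmdline}")
    for image, hosts in mass_deployments(sample):
        print(f"mass deployment of {image} to {len(hosts)} hosts: {', '.join(hosts)}")
```

An RMM pushing an installer is, on its own, exactly what the tool is for, so the single-host rule is a triage signal rather than an alert; the value is in the second rule, where one installer reaching several hosts in minutes, across estates that belong to different customers, is worth paging on. Tune `min_hosts` and `window` to the MSP's normal patching cadence so that scheduled rollouts do not drown the signal.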

Who are DragonForce?

In the wake of the recent destructive attacks against UK retailers, DragonForce has become a familiar name.

DragonForce is a Ransomware-as-a-Service “cartel” that provides its affiliates with the DragonForce ransomware, and the infrastructure, tools and services needed to deploy it, but also allows them to use their own ransomware.

This setup makes attack attribution harder than it used to be. In the aforementioned attacks against UK retailers, for example, the attackers used social engineering tactics made infamous by the Scattered Spider group/collective but used the DragonForce ransomware and name.

The advent of the RaaS model has led to most ransomware attacks effectively involving the main RaaS group and its affiliate, though the involvement of the former can be minimal or substantial, depending on the services they provide to affiliates (e.g., help with ransomware deployment or ransom negotiation).
