DragonForce Ransomware Exploits SimpleHelp in Managed Service Provider Supply Chain Assault

The DragonForce ransomware operation has successfully infiltrated a managed service provider (MSP) and exploited its SimpleHelp remote monitoring and management (RMM) platform to extract data and deploy encryptors onto the systems of downstream customers.

Sophos conducted an investigation into the incident, concluding that the attackers exploited several known vulnerabilities in SimpleHelp, specifically tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to gain unauthorized access to the system.

SimpleHelp is a widely utilized commercial tool for remote support and access, allowing MSPs to manage systems and deploy software across customer networks effectively.

The investigation report from Sophos indicates that the threat actors initially used SimpleHelp to perform reconnaissance on customer systems, gathering critical information about the MSP’s clientele, including device names, configurations, user details, and network connections.

The attackers then attempted to compromise customer networks, stealing data and deploying encryptors; Sophos endpoint protection blocked these efforts on one network. Other clients were less fortunate, suffering both device encryption and data theft, leading to double-extortion scenarios.

To assist organizations in protecting their networks, Sophos has made relevant Indicators of Compromise (IOCs) available, specifically related to this attack.

Managed service providers have increasingly become a focal point for ransomware groups, as a single compromise can have cascading effects on multiple organizations. Various ransomware affiliates have shown a particular interest in tools frequently employed by MSPs, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya.

This trend has resulted in significant incidents, such as the extensive ransomware attack orchestrated by REvil on Kaseya, which adversely affected over 1,000 businesses.

DragonForce’s Rising Profile Following High-Profile Retail Breaches

The DragonForce ransomware group has gained considerable notoriety recently, being connected to a series of high-profile retail breaches leveraging tactics from the Scattered Spider group.

As reported previously, DragonForce’s ransomware was implicated in attacks against major UK retailer Marks & Spencer, followed by another breach involving Co-op, which acknowledged the theft of substantial amounts of customer data.

Furthermore, DragonForce is actively expanding its influence in the ransomware landscape by adopting a white-label ransomware-as-a-service (RaaS) model, enabling affiliates to deploy rebranded versions of its encryption software.

With its increasingly attractive affiliate program and a growing roster of victims, DragonForce is rapidly positioning itself as a significant player in the evolving ransomware domain.