- Sophos says a DragonForce ransomware attack took advantage of three bugs
- The flaws were found in the SimpleHelp RMM platform
- The victim was a managed service provider (MSP)
The DragonForce ransomware group is chaining several SimpleHelp vulnerabilities to breach systems, steal sensitive files and deploy an encryptor, experts have warned.
In a blog post, Sophos MDR researchers noted that they had been alerted to the incident when a "suspicious installation" of a SimpleHelp installer file was spotted on a system belonging to a managed service provider (MSP).
The provider ended up suffering a ransomware infection, but one of its customers was enrolled in Sophos MDR and had XDR endpoint protection deployed, which is what alerted the researchers.
White label model
SimpleHelp is a self-hosted remote support and remote access tool. In January 2025, it was found to contain three vulnerabilities: multiple path traversal flaws (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728), and a privilege escalation flaw (CVE-2024-57726).
Now Sophos says DragonForce is chaining all three to deploy ransomware.
"The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for its customers," the researchers said.
"The attacker also used their access through the MSP's RMM instance to collect information on several customer environments managed by the MSP, including device names and configuration, users and network connections."
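The two observations above, an installer arriving through the RMM channel rather than from a user, and a server still on a pre-fix build, are both checkable. The following is an added example written for this article, not code from Sophos or SimpleHelp: it runs a simple hunt over constructed process-creation events and gates a server version against the fixed releases. The event schema, the installer filename pattern, the RMM agent path and the fixed-version table are all assumptions for illustration; confirm the fixed versions against SimpleHelp's own advisory before relying on them.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry for this example, not data from the incident.
SAMPLE_EVENTS = [
    # Interactive launch from Downloads: a user ran it, not flagged here.
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Downloads\Remote Access-windows64-online.exe", ""),
    # Installer spawned silently by an RMM agent service: the pattern to flag.
    ProcEvent("srv02", r"C:\Program Files\RMMAgent\agent.exe",
              r"C:\Windows\Temp\Remote Access-windows64-online.exe", "/S"),
    # Ordinary child of the agent that is not an installer.
    ProcEvent("srv02", r"C:\Program Files\RMMAgent\agent.exe",
              r"C:\Windows\System32\cmd.exe", "/c whoami"),
]

# Assumed installer filename pattern; adjust to what your deployment uses.
INSTALLER_RE = re.compile(r"remote ?access.*\.exe$", re.IGNORECASE)
# Parents that indicate an interactive user launch rather than a push.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_pushed_installers(events):
    """Return (host, image) for remote-access installers whose parent is a
    non-interactive process, i.e. an installer pushed by an agent or service."""
    hits = []
    for ev in events:
        if not INSTALLER_RE.search(basename(ev.image)):
            continue
        if basename(ev.parent_image).lower() in INTERACTIVE_PARENTS:
            continue
        hits.append((ev.host, ev.image))
    return hits


# Fixed versions per branch, as an assumption to be checked against the
# vendor's January 2025 release notes: 5.5.8, 5.4.10 and 5.3.9.
FIXED_VERSIONS = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}


def parse_version(v: str):
    """'5.5.7' -> (5, 5, 7); tuples compare correctly element by element."""
    return tuple(int(p) for p in v.strip().split("."))


def server_is_patched(version: str) -> bool:
    """True if the server is at or past the fix for its branch."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is not None:
        return parts >= fixed
    # Branch not in the table: anything newer than the newest fixed release is
    # assumed to carry the fix; anything older is reported as unpatched.
    return parts >= max(FIXED_VERSIONS.values())


if __name__ == "__main__":
    for host, image in find_pushed_installers(SAMPLE_EVENTS):
        print(f"pushed remote-access installer on {host}: {image}")
    for v in ("5.5.7", "5.5.8", "5.2.3"):
        print(v, "patched" if server_is_patched(v) else "UNPATCHED")
```

The hunt deliberately keys on the parent process rather than the installer hash: a legitimate MSP rollout and a malicious one use the same binary, so what distinguishes them is the push path and whether anyone expected it, which is a question for the MSP's change records rather than the endpoint.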
Sophos did not name the victim or the third party that managed to thwart the attack.
DragonForce has been quite active lately. At the end of April 2025, it was reported that the group had introduced a new business model on the ransomware scene, which involves cooperating with other gangs.
The group was reportedly seen offering a white-label affiliate model, allowing others to use its infrastructure and malware while branding attacks under their own name.
Under this model, affiliates do not need to manage infrastructure; DragonForce takes care of negotiation sites, malware development and data leak sites.