The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider’s (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints.
It’s believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were disclosed in January 2025 to access the MSP’s SimpleHelp deployment, according to an analysis from Sophos.
The cybersecurity company said it was alerted to the incident following a suspicious installation of a SimpleHelp installer file, pushed via a legitimate SimpleHelp RMM instance that’s hosted and operated by the MSP for their customers.
The threat actors have also been found to leverage their access through the MSP’s RMM instance to collect information from different customer environments about device names and configuration, users, and network connections.
Although one of the MSP’s clients was able to shut down attackers’ access to the network, a number of other downstream customers were impacted by data theft and ransomware, eventually paving the way for double-extortion attacks.
The MSP supply chain attack sheds light on the evolving tradecraft of a group that has positioned itself as one of the most lucrative options for affiliate actors in the world of cybercrime by offering a favorable profit share.
DragonForce, in recent months, has gained traction for its revamp to a ransomware “cartel” and its pivot to a novel affiliate branding model that allows other cybercriminals to spawn their own versions of the locker under different names.
The emergence of the cartel coincided with the defacements of leak sites operated by BlackLock and Mamona ransomware groups, and what appears to be a “hostile takeover” of RansomHub, a prolific e-crime crew that took off post the demise of LockBit and BlackCat last year.
A string of attacks targeting the U.K. retail sector since late last month has brought more spotlight on the threat actor. The attacks, per BBC, have caused affected companies to shut down parts of their IT systems.
“While DragonForce took credit for the extortion and data leak phase, growing evidence suggests that another group – Scattered Spider – may have played a foundational role in enabling those attacks,” Cyberint said. “Known for its cloud-first, identity-centric intrusion methods, Scattered Spider is emerging as a likely access broker or collaborator within the DragonForce affiliate model.”
Scattered Spider, which itself is part of a larger loose-knit collective known as The Com, has remained something of a mystery despite arrests of alleged members in 2024, revealing little about its tradecraft when it comes to how youngsters from the U.K. and the U.S. are recruited into the criminal network.
These findings point to a volatile landscape where ransomware groups are increasingly fragmenting, decentralizing, and battling low affiliate loyalty. Adding to the concern is the growing use of artificial intelligence (AI) in malware development and campaign scaling.
“DragonForce is not just another ransomware brand – it’s a destabilizing force trying to reshape the ransomware landscape,” Aiden Sinnott, senior threat researcher at Sophos Counter Threat Unit, said.
“While in the U.K., the group has dominated recent headlines after high-profile attacks on retailers, behind the scenes of the ransomware ecosystem there seems to be some jostling between it and e-crime groups such as RansomHub. As the ecosystem continues to quickly evolve after the takedown of LockBit, this ‘turf war’ highlights the efforts of this group, in particular, to claim dominance.”
LockBit was the most prolific ransomware group until February 2024, when it suffered a major setback to its criminal enterprise after its infrastructure was dismantled as part of an international law enforcement action called Operation Cronos.
Although the group managed to rebuild and resume its activities to some extent, it was dealt with another blow earlier this month after its dark web affiliate panels were defaced to include a link to a database dump containing thousands of negotiation chats, custom builds, and its work on a lower-tier LockBit Lite panel.
“From chat logs and ransomware build records, to affiliate configurations and ransom demands, the data shows LockBit are both well organized and methodical,” Ontinue said in an exhaustive writeup of the leak. “Affiliates play a major role in customizing attacks, demanding payment, and negotiating with victims.”
The development comes as attackers from multiple groups, including 3AM ransomware, are using a combination of email bombing and vishing to breach company networks by posing as tech support to deceive employees and social engineer them into granting remote access to their computers using Microsoft Quick Assist.
The initial access is then abused to drop additional payloads, including a network tunneling backdoor called QDoor that allows the attackers to establish a foothold on the network without attracting any attention. It’s worth noting that the backdoor was previously observed in Blacksuit and Lynx ransomware attacks.
Sophos said while the ransomware attack was ultimately thwarted, the attackers managed to steal data and dwell on the network for nine days before attempting to launch the locker.
“The combination of vishing and email bombing continues to be a potent, effective combination for ransomware attackers – and the 3AM ransomware group has now found a way to take advantage of remote encryption to stay out of sight of traditional security software,” Sean Gallagher, principal threat researcher at Sophos, said.
“To stay secure, companies should prioritize employee awareness and strictly limit remote access. This includes using policies to block the execution of virtual machines and remote access software on computers that should not have such software. In addition, companies should block all inbound and outbound network traffic associated with remote control except from the systems designated for remote access.”
