- Sophos observes a DragonForce ransomware attack that chains three bugs
- The flaws were found in the SimpleHelp RMM platform
- The victim was a larger managed service provider (MSP)
The DragonForce ransomware group is chaining several SimpleHelp flaws to breach systems, steal sensitive files and deploy an encryptor, experts have warned.
In a blog post, Sophos MDR researchers said they were alerted to the incident when a “suspicious installation” of a SimpleHelp installer file was discovered on the systems of a managed service provider (MSP).
This provider ended up suffering a ransomware infection, but one of its clients was enrolled in Sophos MDR and had XDR endpoint protection deployed, which alerted the researchers.
White-label model
SimpleHelp is self-hosted remote support and remote access software. In January 2025, it was found to carry three vulnerabilities: a multiple path traversal flaw (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728) and a privilege escalation flaw (CVE-2024-57726).
Now Sophos says DragonForce hackers are chaining these three to deploy ransomware.
“The installer was pushed via a legitimate SimpleHelp RMM instance that was hosted and operated by the MSP for their clients,” the researchers explained.
“The attacker also used their access through the MSP’s RMM instance to gather information on several customer estates managed by the MSP, including collecting device names and configuration, users and network connections.”
Sophos did not name the victim or the third party that successfully averted the attack.
DragonForce has been quite active recently. At the end of April 2025, it was reported that the group had introduced a new business model to the ransomware scene, one involving collaboration with other gangs.
Apparently, the group was seen offering a white-label affiliate model that allowed others to use its infrastructure and malware while branding attacks under their own name.
With this model, affiliates do not have to manage the infrastructure, and DragonForce takes care of negotiation sites, malware development and data leak sites.



