- Sophos spots DragonForce ransomware attack exploiting three flaws
- The flaws were found in the SimpleHelp RMM platform
- The victim was a major managed service provider (MSP)
The DragonForce ransomware group is chaining multiple SimpleHelp vulnerabilities to breach systems, steal confidential files and deploy an encryptor, experts have warned.
In a blog post, Sophos MDR researchers noted that they were alerted to the incident when a "suspicious installation" of a SimpleHelp installer file was detected on a managed service provider's (MSP) system.
That provider ended up suffering a ransomware infection, but one of its clients was enrolled in the company's MDR service and had endpoint protection with XDR deployed, which alerted the researchers.
White-label model
SimpleHelp is self-hosted remote support and remote access software. In January 2025, three vulnerabilities were disclosed in it: a path traversal flaw (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728) and a privilege escalation flaw (CVE-2024-57726).
Now, Sophos says DragonForce hackers are chaining these three to deploy ransomware.
"The installer was pushed through a legitimate instance of SimpleHelp RMM, hosted and operated by the MSP for its customers," the researchers explained.
"The attacker also used their access through the MSP's RMM instance to collect information on multiple customer estates managed by the MSP, including the collection of device and configuration names, users and network connections."
Sophos did not name the victim, nor the third party that successfully thwarted the attack.
DragonForce has been quite active recently. At the end of April 2025, it was reported that the group had introduced a new business model to the ransomware scene, one that involves cooperating with other gangs.
Apparently, the group was seen offering a white-label affiliate model, allowing others to use its infrastructure and malware while branding attacks under their own name.
Under this model, affiliates do not need to manage infrastructure, and DragonForce takes charge of negotiation sites, malware development and data leak sites.