The Rise of DragonForce Ransomware: Inside a Managed Service Provider Breach
Overview of the Attack
Recently, cybersecurity experts detailed a significant breach involving DragonForce, a notorious ransomware group that targeted an unnamed Managed Service Provider (MSP) utilizing SimpleHelp remote monitoring and management (RMM) tools. This breach allowed hackers to not only exfiltrate sensitive data but also deploy ransomware across multiple endpoints.
Exploiting Vulnerabilities in SimpleHelp
According to a report by Sophos, the attackers exploited three critical vulnerabilities in SimpleHelp, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. These flaws were disclosed in January 2025 and formed the basis for the unauthorized access to the MSP’s systems. The incident came to light after an unusual installation of a SimpleHelp file was detected being pushed through the MSP’s legitimate RMM instance.
Data Collection and Impact on Customers
Once inside the MSP’s network, the threat actors used their access to gather valuable information from various customer environments, including device names, configuration settings, user accounts, and network connections. While one client managed to cut off the attackers’ access, several others experienced severe consequences, including data theft and ransomware deployment, which escalated into double-extortion schemes.
The Evolution of Ransomware Strategies
The DragonForce group has been adapting its strategies to enhance profitability, establishing itself as a key player in affiliate-driven cybercrime. This shift reflects a broader trend in which ransomware groups increasingly modularize their operations, allowing affiliates to launch their own ransomware under varying brands.
Recent patterns point to an evolving landscape within ransomware operations, with DragonForce emerging during a period marked by disruption among other groups, such as BlackLock and Mamona. Following the downfall of LockBit and BlackCat, DragonForce seems poised to capitalize on the chaos, contributing to a "hostile takeover" dynamic within the ecosystem.
Targeting the UK Retail Sector
A series of attacks attributed to DragonForce in the UK retail sector has raised alarm. These incidents prompted several companies to temporarily shut down IT systems to mitigate risks. Cyberint has reported that while DragonForce has claimed responsibility for the extortion and leaks, there are indications that another entity, Scattered Spider, may have facilitated these operations.
The Role of Scattered Spider
Scattered Spider, part of a loosely affiliated collective referred to as The Com, has become a subject of interest due to its methodologies in cloud-centric and identity-focused intrusions. Despite ongoing investigations and arrests of some alleged group members in 2024, details about how individuals, particularly younger recruits from the UK and the US, are drawn into this criminal network remain murky.
Fragmentation and Competition Among Ransomware Groups
The findings highlight an increasingly volatile landscape where ransomware factions are showing signs of decentralization and competition for talent. As the use of artificial intelligence (AI) in malware code develops, the ramifications for both security professionals and businesses are significant.
Aiden Sinnott from Sophos has noted the proactive measures DragonForce adopts, pointing out that this group is more than just a conventional ransomware brand; it is reshaping the ransomware sphere. Its recent notoriety from high-profile UK attacks underscores an ongoing struggle for dominance among ransomware groups following the takedown of LockBit.
LockBit’s Ongoing Challenges
LockBit, which suffered a major blow to its operations during an international law enforcement initiative dubbed Operation Cronos in early 2024, has struggled to regain its foothold. Although the group has attempted to restore its activities, it encountered further setbacks when its dark web affiliate panels were defaced, exposing significant negotiation records and ransomware development insights.
New Techniques in Ransomware Attacks
Attack methods are also evolving. Groups such as 3AM ransomware employ sophisticated techniques that blend email bombing with vishing tactics to infiltrate company networks. By posing as legitimate tech support, they deceive employees into granting remote access. This initial foothold then allows the attackers to introduce further malicious payloads, including backdoors like QDoor.
Recommendations for Enhanced Cybersecurity
To mitigate such risks, cybersecurity experts recommend heightened employee awareness and strict limitations on remote access permissions. Organizations should implement policies to block the execution of unauthorized software, particularly virtual machines and RMM tools, outside designated systems. Furthermore, restricting network traffic associated with remote control applications can enhance security.
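The two controls above (restricting RMM and virtualization software to designated systems, and restricting remote-control network traffic) are easier to enforce when a detection job flags exceptions automatically. The following is an added example, not code from the original article or from Sophos, showing one way to do that: it evaluates constructed software-inventory and network-connection records against a constructed allowlist policy and reports every RMM or hypervisor install, and every remote-control connection, seen on a host not designated to run it. SimpleHelp is the only product named on the page; the other product names, host names, and the records themselves are placeholders constructed for this example.

```python
"""Flag RMM / virtualization software and remote-control connections that
appear on hosts not designated to run them.

All policy values and input records below are constructed for this example;
only the product name SimpleHelp comes from the article.
"""
from __future__ import annotations

from dataclasses import dataclass

# --- Constructed policy -----------------------------------------------------
# Substring of a product/process name (lower-cased) -> restricted category.
# "examplermm" and "examplehypervisor" are placeholders, not real vendors.
RESTRICTED_PRODUCTS: dict[str, str] = {
    "simplehelp": "rmm",
    "examplermm": "rmm",
    "examplehypervisor": "vm",
}
# Restricted category -> hosts explicitly designated to run that category.
DESIGNATED_HOSTS: dict[str, set[str]] = {
    "rmm": {"msp-rmm-01"},
    "vm": {"lab-hv-01"},
}


@dataclass(frozen=True)
class InventoryRecord:
    host: str
    product: str
    installed_by: str


@dataclass(frozen=True)
class Connection:
    host: str
    process: str
    remote_addr: str
    remote_port: int


@dataclass(frozen=True)
class Finding:
    host: str
    subject: str      # product or process that triggered the finding
    category: str     # "rmm" or "vm"
    reason: str


def classify(name: str) -> str | None:
    """Map a product or process name to a restricted category, or None."""
    lowered = name.strip().lower()
    for needle, category in RESTRICTED_PRODUCTS.items():
        if needle in lowered:
            return category
    return None


def is_designated(host: str, category: str) -> bool:
    return host.lower() in DESIGNATED_HOSTS.get(category, set())


def find_unauthorized_software(records: list[InventoryRecord]) -> list[Finding]:
    """Restricted software installed anywhere except its designated hosts."""
    findings = []
    for rec in records:
        category = classify(rec.product)
        if category is not None and not is_designated(rec.host, category):
            findings.append(Finding(
                rec.host, rec.product, category,
                f"{category} software installed on non-designated host "
                f"(installed by {rec.installed_by})"))
    return findings


def find_unauthorized_remote_control(conns: list[Connection]) -> list[Finding]:
    """Outbound connections by a restricted remote-control process on a
    host that is not designated for that category of software."""
    findings = []
    for conn in conns:
        category = classify(conn.process)
        if category == "rmm" and not is_designated(conn.host, category):
            findings.append(Finding(
                conn.host, conn.process, category,
                f"remote-control traffic to {conn.remote_addr}:{conn.remote_port} "
                f"from non-designated host"))
    return findings


# --- Constructed sample input ------------------------------------------------
SAMPLE_INVENTORY = [
    InventoryRecord("msp-rmm-01", "SimpleHelp Server", "admin"),            # allowed
    InventoryRecord("ws-finance-07", "SimpleHelp Remote Access", "rmm-push"),  # flagged
    InventoryRecord("ws-hr-02", "ExampleHypervisor 7.0", "jdoe"),           # flagged
    InventoryRecord("ws-hr-02", "Example Browser", "jdoe"),                 # ignored
]
SAMPLE_CONNECTIONS = [
    Connection("msp-rmm-01", "simplehelp.exe", "203.0.113.10", 443),    # allowed
    Connection("ws-finance-07", "SimpleHelp.exe", "203.0.113.10", 443), # flagged
    Connection("ws-hr-02", "browser.exe", "198.51.100.5", 443),         # ignored
]

if __name__ == "__main__":
    for f in find_unauthorized_software(SAMPLE_INVENTORY) + \
             find_unauthorized_remote_control(SAMPLE_CONNECTIONS):
        print(f"[{f.category}] {f.host}: {f.subject} -> {f.reason}")
```

Matching on name substrings is deliberately coarse: an attacker can rename a binary, so in production the allowlist should key on signer or file hash and the connection rule on egress policy rather than on process names alone. The point the example makes is structural: a designated-host allowlist plus a default-deny stance turns "RMM tool appears on an unexpected endpoint" into a concrete, reviewable alert.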
As the ransomware landscape continues to evolve, staying informed and implementing proactive security measures remains essential for businesses to safeguard their data and systems against these persistent threats.