
Sophos Managed Detection and Response (MDR) has responded to a targeted attack by threat actors deploying DragonForce ransomware.
The attackers gained unauthorized access to a Managed Service Provider’s (MSP) remote monitoring and management (RMM) tool, SimpleHelp, and used it as a conduit to deploy ransomware across multiple endpoints and exfiltrate sensitive data.
This double extortion tactic, designed to pressure victims into paying by threatening both encryption and data leaks, underscores the evolving threat landscape facing MSPs and their clients.
Sophos MDR attributes the initial compromise, with medium confidence, to a chain of SimpleHelp vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload) and CVE-2024-57726 (privilege escalation), which likely formed the attack vector for infiltrating the MSP’s systems.
A Growing Threat in the RaaS Ecosystem
DragonForce ransomware, a Ransomware-as-a-Service (RaaS) brand that surfaced in mid-2023, has rapidly gained notoriety in the cybercrime ecosystem.
According to a report from the Sophos Counter Threat Unit (CTU), DragonForce began a rebranding campaign in March 2025 to position itself as a “cartel” with a distributed affiliate model, aiming to attract a broader pool of criminal affiliates.
This strategic shift coincided with high-profile moves, including claims of taking over the infrastructure of RansomHub, another prominent ransomware group.
Additionally, reports indicate that well-known affiliates such as Scattered Spider (UNC3944), previously associated with RansomHub, have pivoted to DragonForce, targeting major retail chains in the UK and US.
This aggressive expansion highlights DragonForce’s competitive edge and the increasing risk it poses to organizations worldwide, particularly those reliant on third-party service providers such as MSPs.
Exploitation of the MSP’s Remote Management Tool
The attack unfolded when Sophos MDR detected a suspicious SimpleHelp installer file being deployed through a legitimate RMM instance hosted by the compromised MSP.
Using this access, the threat actors conducted extensive reconnaissance across multiple customer environments managed by the MSP, harvesting critical data such as device names, configurations, user information, and network connections.
This intelligence likely facilitated the subsequent deployment of DragonForce ransomware and data exfiltration efforts.
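As an added illustration, not code from Sophos or from the original article, the following Python sketch shows the kind of behavioural check that surfaces the two activities described above: an installer launched through the RMM agent's own process tree, and a burst of host and network reconnaissance commands spawned from that agent. The agent path markers, the installer name patterns, the recon command list and the process-creation records are constructed assumptions for the example, not indicators from the incident; adapt them to your own telemetry.

```python
"""
Added example: behavioural detection of RMM-agent abuse over process-creation
telemetry. Illustrative code, not Sophos' detection logic.

Assumptions (not from the article):
  * the RMM agent's image path contains "JWrapper-Remote Access" (SimpleHelp's
    default agent directory) or "simplehelp";
  * installers are recognised by name fragments such as "-online.exe" or "setup";
  * events are Sysmon-style dicts with ts, host, parent_image, image, cmdline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RMM_PARENT_MARKERS = ("jwrapper-remote access", "simplehelp")    # assumed
INSTALLER_MARKERS = ("-online.exe", "setup", "install", ".msi")   # assumed
RECON_COMMANDS = {  # host/user/network discovery commands worth counting
    "whoami", "systeminfo", "hostname", "ipconfig", "net", "net1", "nltest",
    "quser", "arp", "netstat", "route", "tasklist", "nslookup", "wmic",
}


def is_rmm_process(image):
    """True if an image path looks like the RMM agent (assumed markers)."""
    img = image.lower()
    return any(m in img for m in RMM_PARENT_MARKERS)


def _norm(token):
    """Reduce a command-line token to a bare, lower-case program name."""
    t = token.strip('"\'').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return t[:-4] if t.endswith(".exe") else t


def recon_commands_in(cmdline):
    """Set of reconnaissance commands referenced anywhere in a command line."""
    return {_norm(tok) for tok in cmdline.split()} & RECON_COMMANDS


def detect_rmm_abuse(events, window=timedelta(minutes=5), min_recon=3):
    """Return alerts for children of the RMM agent that (a) look like an
    installer or (b) form a burst of >= min_recon distinct recon commands
    on one host within `window`."""
    alerts = []
    recent = defaultdict(list)  # host -> [(ts, recon command)] from the agent
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_rmm_process(ev["parent_image"]):
            continue  # only the RMM agent's process tree is of interest here
        host, ts = ev["host"], ev["ts"]
        if any(m in ev["image"].lower() for m in INSTALLER_MARKERS):
            alerts.append({"type": "rmm_installer_launch", "host": host,
                           "ts": ts, "detail": ev["image"]})
        found = recon_commands_in(ev["cmdline"])
        if found:
            bucket = recent[host] + [(ts, c) for c in sorted(found)]
            bucket = [(t, c) for t, c in bucket if ts - t <= window]
            distinct = {c for _, c in bucket}
            if len(distinct) >= min_recon:
                alerts.append({"type": "rmm_recon_burst", "host": host,
                               "ts": ts, "detail": ", ".join(sorted(distinct))})
                bucket = []  # one alert per burst; start counting afresh
            recent[host] = bucket
    return alerts


# Constructed sample telemetry (not from the incident). WS01 shows the pattern
# described in the article: a second agent installer pushed through the
# legitimate agent, followed by host and network discovery.
AGENT = r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"  # assumed path
CMD = r"C:\Windows\System32\cmd.exe"


def _ev(ts, host, parent, image, cmdline):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent_image": parent, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    _ev("2025-01-22T03:01:10", "WS01", AGENT,
        r"C:\Windows\Temp\Remote Access-windows64-online.exe",
        r'"C:\Windows\Temp\Remote Access-windows64-online.exe" /S'),
    _ev("2025-01-22T03:01:40", "WS01", AGENT, CMD, "cmd.exe /c whoami /all"),
    _ev("2025-01-22T03:01:55", "WS01", AGENT, CMD, "cmd.exe /c systeminfo"),
    _ev("2025-01-22T03:02:10", "WS01", AGENT, CMD, "cmd.exe /c net view /all"),
    _ev("2025-01-22T03:02:30", "WS01", AGENT, CMD, "cmd.exe /c ipconfig /all"),
    # WS02: the same commands from a user's shell, and one lone command from
    # the agent, should stay quiet.
    _ev("2025-01-22T03:05:00", "WS02", r"C:\Windows\explorer.exe", CMD,
        "cmd.exe /c ipconfig /all"),
    _ev("2025-01-22T03:05:30", "WS02", AGENT, CMD, "cmd.exe /c hostname"),
]

if __name__ == "__main__":
    for a in detect_rmm_abuse(SAMPLE_EVENTS):
        print(a["ts"].isoformat(), a["host"], a["type"], a["detail"])
```

In production the installer rule needs an allowlist for the MSP's own signed deployments (hash or Authenticode signer), otherwise routine agent updates will alert; the recon rule is the more durable signal, since the MSP's technicians rarely run discovery commands in bulk across many customer hosts from the agent itself. Correlating both with the SimpleHelp server's session logs shows which technician account, and which server, pushed the activity.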
For one MSP client protected by Sophos MDR and Sophos XDR endpoint solutions, the attack was effectively mitigated through a combination of behavioral and malware detection, alongside swift MDR actions to sever attacker access to the network, preventing both encryption and data theft.
Unfortunately, the MSP itself and other clients without Sophos protections fell victim to the ransomware and data exfiltration, suffering significant operational and financial impact.
Following the breach, the MSP enlisted Sophos Rapid Response for digital forensics and incident response to investigate and remediate the compromise in their environment.
This incident serves as a stark reminder of the critical vulnerabilities in RMM tools, often exploited as entry points by ransomware actors.
MSPs, as custodians of access to numerous client networks, remain prime targets for such attacks.
The exploitation of recently disclosed vulnerabilities underscores the need for timely patching of RMM servers, robust endpoint protection, and continuous monitoring of RMM activity for actions the MSP did not initiate, to defend against evolving threats like DragonForce.
Sophos MDR’s proactive response in this case highlights the importance of layered security and rapid incident response in mitigating the devastating effects of ransomware and double extortion schemes.