In a chilling reminder of the risks posed by insecure remote access tools, the ransomware group DragonForce has launched a sophisticated supply chain attack by exploiting critical vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) platform widely used by Managed Service Providers (MSPs). The campaign, first uncovered by researchers at Group-IB, reveals how three recently discovered vulnerabilities in SimpleHelp allowed attackers to infiltrate MSP infrastructure, exfiltrate sensitive data, and deploy ransomware across multiple client environments.
Who Is DragonForce?
Once known as a traditional ransomware operation, DragonForce has evolved into a full-fledged ransomware cartel. Adopting an affiliate model, the group now enables other cybercriminals to use its tooling and infrastructure under a shared branding strategy. This move has made DragonForce a more versatile and dangerous actor in the ransomware-as-a-service (RaaS) ecosystem.
What makes this campaign especially concerning is evidence suggesting collaboration with Scattered Spider, a highly capable group notorious for using social engineering and identity-first intrusion tactics to compromise cloud environments. This potential partnership could mark a convergence of traditional ransomware and advanced intrusion techniques, raising the stakes for defenders.
The Vulnerabilities
The attackers exploited three vulnerabilities in SimpleHelp to gain unauthorized access: CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728.
These flaws collectively allowed DragonForce to hijack an MSP’s SimpleHelp instance and move laterally into customer environments. Once inside, the group conducted data exfiltration and ransomware deployment in a highly coordinated fashion.
Anatomy of the Attack
The campaign followed a classic supply chain attack pattern:
- Initial Access: DragonForce gained access to a vulnerable SimpleHelp deployment used by a target MSP.
- Privilege Escalation & Lateral Movement: Leveraging internal privileges, they pivoted to customer systems managed via SimpleHelp.
- Payload Delivery: Ransomware was deployed, likely customized per target.
- Double Extortion: Data was exfiltrated and encrypted, with ransom demands made under threat of public leaks.
While some MSP clients were able to detect and neutralize the attack early, others suffered full ransomware lockouts and data breaches, illustrating the uneven state of security readiness among downstream organizations.
The Scattered Spider Connection
Researchers noted telltale signs that Scattered Spider may be aiding or collaborating with DragonForce. Known for their expertise in social engineering and targeting identity platforms like Okta and Azure AD, Scattered Spider’s potential role may include assisting with initial reconnaissance or credential harvesting.
If confirmed, this partnership would demonstrate a disturbing trend: ransomware crews teaming up with specialized intrusion groups to carry out hybrid attacks combining stealthy infiltration with destructive payloads.
Industry Impact
The attack has had wide-reaching effects, particularly on UK-based retailers and service providers. Several organizations reported outages, compromised customer data, and operational disruptions.
The situation also raises questions about the security posture of RMM tools, which are increasingly favored targets due to their privileged access and centralized control. As MSPs become more integral to IT operations across industries, the consequences of their compromise grow more severe.
Lessons for Defenders
This attack highlights the urgent need for companies, especially MSPs and their clients, to reassess their exposure and implement proactive defenses:
- Apply vendor patches immediately, especially for RMM tools like SimpleHelp.
- Restrict and monitor RMM tool access, both internally and externally.
- Use Zero Trust principles, particularly around identity and access.
- Segment networks to prevent lateral movement across clients.
- Employ Endpoint Detection and Response (EDR) solutions for real-time threat detection.
- Educate staff about social engineering and phishing risks—especially admin users.
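Two of the recommendations above, restricting and monitoring RMM access and catching lateral movement across clients, lend themselves to a simple log check. The script below is an added example, not SimpleHelp's own logging or tooling and not code from the researchers: it parses a constructed, generic RMM access log (timestamp, technician account, source IP, client tenant reached), flags sessions from outside an assumed allowlisted address range, and flags any single account that reaches an unusually large number of distinct client tenants. The log format, field names, allowlist and threshold are all assumptions chosen for illustration.

```python
"""Flag suspicious RMM access sessions in a constructed, generic access log.

Added example for the defender recommendations; the record format, field
names, allowlist and threshold are assumptions, not SimpleHelp's own.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: timestamp, technician account, source IP, client tenant.
SAMPLE_LOG = """\
2025-05-01T08:02:11Z tech.alice 10.20.0.15 client-acme
2025-05-01T08:05:42Z tech.alice 10.20.0.15 client-acme
2025-05-01T09:10:03Z tech.bob 10.20.0.31 client-globex
2025-05-01T22:47:19Z tech.bob 203.0.113.77 client-acme
2025-05-01T22:48:02Z tech.bob 203.0.113.77 client-globex
2025-05-01T22:49:55Z tech.bob 203.0.113.77 client-initech
2025-05-01T22:51:30Z tech.bob 203.0.113.77 client-umbrella
"""

# Assumed policy: technicians connect to the RMM console only from the MSP's
# own address space ...
ALLOWED_SOURCES = [ip_network("10.20.0.0/16")]
# ... and one account touching more than this many distinct client tenants in
# the analysed window is treated as possible cross-client lateral movement.
MAX_TENANTS_PER_ACCOUNT = 2


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, src, tenant = line.split()
        records.append({"ts": ts, "account": account, "src": src, "tenant": tenant})
    return records


def source_allowed(src):
    """True if the source IP falls inside an allowlisted network."""
    addr = ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_alerts(records):
    """Return (rule, detail) tuples for every policy violation found."""
    alerts = []
    tenants_by_account = defaultdict(set)
    for rec in records:
        if not source_allowed(rec["src"]):
            alerts.append(("unallowed_source",
                           f'{rec["account"]} from {rec["src"]} at {rec["ts"]}'))
        tenants_by_account[rec["account"]].add(rec["tenant"])
    # Fan-out across client tenants is what a compromised MSP account looks like
    # from the console's point of view, whatever the payload is.
    for account, tenants in sorted(tenants_by_account.items()):
        if len(tenants) > MAX_TENANTS_PER_ACCOUNT:
            joined = ", ".join(sorted(tenants))
            alerts.append(("cross_client_fanout",
                           f"{account} reached {len(tenants)} tenants: {joined}"))
    return alerts


def analyse(text=SAMPLE_LOG):
    """Run both checks over a log text and return the alert list."""
    return find_alerts(parse_log(text))


if __name__ == "__main__":
    for rule, detail in analyse():
        print(f"[{rule}] {detail}")
```

On the sample data the script raises four source alerts for the sessions from 203.0.113.77 and one fan-out alert for tech.bob, who reached four tenants in one evening. In a real deployment the allowlist would come from the MSP's VPN or jump-host ranges and the threshold from a per-account baseline, and the alerts would be routed to the SIEM rather than printed.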
Final Thoughts
The DragonForce-SimpleHelp ransomware incident shows us that supply chain security is no longer optional. Attackers are increasingly targeting the tools we rely on to manage our infrastructure, and the consequences are cascading across organizations large and small.
As ransomware tactics evolve and cybercriminal alliances become more strategic, defenders must stay vigilant, keep their tools patched, and continuously review third-party access and vendor trust relationships.