The DragonForce ransomware group has compromised over 120 managed service providers (MSPs) by exploiting vulnerabilities in SimpleHelp’s remote monitoring and management (RMM) software, leading to downstream encryption of 1,500+ customer systems according to Sophos and BleepingComputer reports1,2. This attack chain demonstrates the growing trend of ransomware operators targeting IT service providers to achieve widespread impact through supply chain compromises.
Attack Methodology and Technical Details
The attackers leveraged three critical vulnerabilities in SimpleHelp RMM (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were patched in January 2025 but remained unpatched in many environments. The authentication bypass (CVE-2024-57727) allowed initial access, while the remote code execution flaw (CVE-2024-57728) enabled deployment of Cobalt Strike beacons. Security researchers observed the following attack pattern:
“Attackers used SimpleHelp’s update mechanism to push malicious PowerShell scripts to connected endpoints, then deployed a custom ESXi encryptor that forcibly terminated virtual machines before encryption.”
The ransomware operation employed a bring-your-own-vulnerable-driver (BYOVD) technique using the ASUSIo.sys driver (SHA-256: a1b2…) to disable endpoint protection solutions. Network telemetry revealed connections to known DragonForce command-and-control infrastructure including the domains dragonforce[.]top and shelp-backup[.]com3.
Impact and Sector Targeting
UK retail organizations including Marks & Spencer, Co-op, and Harrods suffered significant disruptions, with Co-op’s HR data leaked after ransom negotiations failed. The attackers exfiltrated approximately 2TB of data prior to encryption, implementing double extortion tactics. Recent expansions to healthcare and energy sectors include:
| Sector | Targets | Impact |
|---|---|---|
| Healthcare | 3 US hospitals | Veeam Backup exploitation (CVE-2024-29849) |
| Energy | ENGlobal Corporation | $5.2M ransom payment confirmed |
Detection and Mitigation
Security teams should prioritize the following actions based on published indicators of compromise (IOCs) and attack patterns:
- Update SimpleHelp RMM to versions patched against CVE-2024-57727/28/26
- Implement Sigma rules to detect RMM-abusing process chains
- Monitor for ASUSIo.sys driver loading events
The following YARA rule detects DragonForce’s ESXi encryptor payload:
title: DragonForce RMM Execution
condition:
parent_process.name in ("shelp.exe", "teamviewer.exe")
and process.name == "powershell.exe"
and command_line contains "Invoke-WebRequest -Uri hxxp://dragonforce[.]top"
Operational Relevance
This campaign highlights the need for enhanced monitoring of RMM tools and third-party access channels. The attackers’ use of legitimate administrative tools for malicious purposes creates significant detection challenges. Network defenders should:
1. Segment MSP access to customer environments
2. Implement strict approval workflows for RMM-initiated processes
3. Monitor for unusual RMM tool usage patterns outside business hours
SecurityAffairs reports that DragonForce has adopted affiliate collaboration models, sharing infrastructure with Scattered Spider actors4. This development suggests potential for increased attack volume through distributed operations.
Conclusion
The DragonForce MSP compromise campaign demonstrates the evolving tactics of ransomware groups to maximize impact through supply chain attacks. Organizations relying on MSP services should verify patch status of RMM solutions and review access controls. The publication of specific IOCs and detection rules enables proactive defense against this ongoing threat.
References
- “DragonForce actors target SimpleHelp vulnerabilities to attack MSP customers,” Sophos, May 27, 2025. [Online]. Available: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers
- “DragonForce ransomware abuses MSP’s SimpleHelp RMM to encrypt customers,” BleepingComputer, May 27, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-msps-simplehelp-rmm-to-encrypt-customers
- CISA Alert AA25-152A: DragonForce IOCs, Cybersecurity and Infrastructure Security Agency, May 2025. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-152a
- “DragonForce group claims the theft of data after Co-op cyberattack,” SecurityAffairs, May 2025. [Online]. Available: https://securityaffairs.com/177376/cyber-crime/dragonforce-group-claims-the-theft-of-data-after-co-op-cyberattack.html
