Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP's remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.
Sophos MDR has medium confidence that the threat actor exploited a chain of vulnerabilities that were disclosed in January 2025:
- CVE-2024-57727: Multiple path traversal vulnerabilities
- CVE-2024-57728: Arbitrary file upload vulnerability
- CVE-2024-57726: Privilege escalation vulnerability
DragonForce
DragonForce ransomware is a sophisticated and aggressive ransomware-as-a-service (RaaS) brand that first emerged in mid-2023. As discussed in recent research from the Sophos Counter Threat Unit (CTU), DragonForce began efforts in March to rebrand itself as a "cartel" and shift to a distributed affiliate branding model.
Coinciding with this effort to appeal to a wider range of affiliates, DragonForce recently garnered attention in the threat landscape for claiming to "take over" the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944), which was formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US.
The incident
Sophos MDR was alerted to the incident by the detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for its clients. The attacker also used their access through the MSP's RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.
One client of the MSP was enrolled with Sophos MDR and had Sophos XDR endpoint protection deployed. Through a combination of behavioral and malware detection and blocking by Sophos endpoint protection, and MDR actions to shut down attacker access to the network, the ransomware and double extortion attempt on that customer's network was thwarted. However, the MSP and the clients that were not using Sophos MDR were impacted by both the ransomware and the data exfiltration. The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.
Indicators of compromise related to this investigation are available from our GitHub.
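The two behaviours described above, an installer pushed through the RMM instance and a burst of host discovery from the same RMM session, are the kind of pairing a detection engineer would want to correlate rather than alert on separately, since MSPs push software through RMM tools every day. The following is an added example, not code from Sophos or from the SimpleHelp project: it parses a constructed set of process-creation events and scores each RMM session. The log format, the RMM agent process name (`rmm-agent.exe`), the installer heuristic (a silent-install switch on a child of the RMM agent) and the discovery keyword list are all assumptions made for the example.

```python
"""Correlate RMM-delivered installers with host discovery in the same session."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed name of the RMM agent process on the endpoint (constructed for this example).
RMM_AGENT = "rmm-agent.exe"
# Silent-install switches used as a heuristic for "an installer was pushed".
SILENT_SWITCHES = ("/s", "/quiet", "/silent", "/verysilent", "/qn")
# Commands that map to the discovery seen in the incident: device names and
# configuration, users, and network connections.
DISCOVERY = ("hostname", "systeminfo", "net user", "net group",
             "netstat", "ipconfig", "whoami", "nltest", "arp -a")
WINDOW = timedelta(minutes=5)   # discovery commands must cluster within this window
MIN_DISTINCT = 3                # ... and cover at least this many distinct commands

# Constructed sample telemetry; one process-creation event per line.
SAMPLE_EVENTS = """\
2025-01-22T09:14:03Z host=ws-01 parent=rmm-agent.exe image=setup-helper.exe cmd="setup-helper.exe /S" session=7
2025-01-22T09:14:40Z host=ws-01 parent=rmm-agent.exe image=cmd.exe cmd="cmd /c hostname" session=7
2025-01-22T09:14:42Z host=ws-01 parent=rmm-agent.exe image=cmd.exe cmd="cmd /c net user" session=7
2025-01-22T09:14:45Z host=ws-01 parent=rmm-agent.exe image=cmd.exe cmd="cmd /c netstat -an" session=7
2025-01-22T10:02:11Z host=ws-02 parent=explorer.exe image=cmd.exe cmd="cmd /c hostname" session=3
2025-01-22T11:30:00Z host=ws-03 parent=rmm-agent.exe image=patch-installer.exe cmd="patch-installer.exe /quiet" session=9
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) '
    r'cmd="(?P<cmd>[^"]*)" session=(?P<session>\d+)$'
)


def parse_events(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_rmm_installer(ev):
    """Child of the RMM agent launched with a silent-install switch."""
    cmd = ev["cmd"].lower()
    return ev["parent"] == RMM_AGENT and any(f" {sw}" in cmd for sw in SILENT_SWITCHES)


def discovery_term(ev):
    """Return the matching discovery keyword, or None."""
    cmd = ev["cmd"].lower()
    return next((term for term in DISCOVERY if term in cmd), None)


def analyze(text):
    """Score each (host, session): 'high' if installer AND discovery burst, 'medium' if one."""
    by_session = defaultdict(list)
    for ev in parse_events(text):
        by_session[(ev["host"], ev["session"])].append(ev)

    findings = {}
    for key, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        installers = [e["image"] for e in evs if is_rmm_installer(e)]
        # Only discovery spawned by the RMM agent counts; an admin at the console is not the signal.
        disc = [(e["ts"], discovery_term(e))
                for e in evs if e["parent"] == RMM_AGENT and discovery_term(e)]
        burst = False
        for i, (t0, _) in enumerate(disc):
            terms = {term for t, term in disc[i:] if t - t0 <= WINDOW}
            if len(terms) >= MIN_DISTINCT:
                burst = True
                break
        if installers and burst:
            findings[key] = {"severity": "high", "installers": installers, "discovery": True}
        elif installers or burst:
            findings[key] = {"severity": "medium", "installers": installers, "discovery": burst}
    return findings


if __name__ == "__main__":
    for (host, session), f in analyze(SAMPLE_EVENTS).items():
        print(f"{host} session {session}: {f['severity']} installers={f['installers']} discovery={f['discovery']}")
```

Run against the constructed sample, the script rates ws-01 session 7 high (installer plus three distinct discovery commands within the window), ws-03 session 9 medium (a silent install with no follow-on discovery, which is what a routine MSP software push looks like), and ignores ws-02, where the discovery command came from an interactive shell rather than the RMM agent. In production the session key would come from the RMM tool's own session identifier and the installer heuristic would be replaced by a file-reputation lookup on the pushed binary.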