
The threat actor behind the DragonForce ransomware accessed the SimpleHelp Remote Monitoring and Management (RMM) tool of an unnamed managed service provider (MSP) and leveraged it to exfiltrate data and drop lockers on multiple endpoints.
According to an analysis from Sophos, the attacker is believed to have exploited a trio of SimpleHelp security flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726), disclosed in January 2025, to access the MSP's SimpleHelp deployment.
The cybersecurity company said it was alerted to the incident after a suspicious installation of SimpleHelp installer files was pushed through a legitimate SimpleHelp RMM instance hosted and operated by the MSP for its customers.
The threat actor is also known to have used its access through the MSP's RMM instance to collect information from a variety of customer environments, including device names and configurations, users, and network connectivity.
One of the MSP's clients was able to shut down the attacker's access to its network, but many other downstream customers were affected by data theft and ransomware, paving the way for double-extortion attacks.
The MSP supply chain attack sheds light on the evolving tradecraft of a group that has positioned itself as one of the most lucrative options in the cybercrime world by offering a favorable profit share.

DragonForce has gained attention for its rebranding as a ransomware "cartel" and a pivot to a new affiliate branding model that allows other cybercriminals to generate versions of its locker under different names.
The emergence of the cartel coincided with what appears to be a "hostile takeover" of RansomHub, a prolific e-crime crew that rose to prominence in the wake of the collapse of the LockBit and BlackCat operations last year.
A series of attacks targeting the UK retail sector since late last month has put the threat actor under an even brighter spotlight. The attacks, per the BBC, have forced impacted companies to shut down some of their IT systems.
"While DragonForce praised the horror and data leak phase, the growing evidence suggests that another group (Scattered Spider) could have played a fundamental role in enabling those attacks," Cyberint said. "Scattered Spider, known for its cloud-first, identity-centric intrusion methods, has emerged as an access broker or collaborator within DragonForce's affiliate model."
Scattered Spider, part of a larger, loose-knit collective known as the Com, remains a mystery despite the arrests of suspected members in 2024, with little visibility into how young people in the UK and US are being recruited by criminal networks.
These findings point to a volatile landscape in which ransomware groups are increasingly fragmented and decentralized and contend with low affiliate loyalty. Adding to the concern, the use of artificial intelligence (AI) in malware development and campaign scaling is on the rise.
"DragonForce is more than just a ransomware brand, it's a volatile force reconstructing the ransomware landscape," said Aiden Sinnott, senior threat researcher at the Sophos Counter Threat Unit.
"While in the UK the group has dominated recent headlines after high-profile attacks on retailers, behind the scenes of the ransomware ecosystem there appears to be some shake-up between them and e-crime groups such as RansomHub."
LockBit suffered a major operational setback after its infrastructure was dismantled in early 2024 as part of an international law enforcement operation called Operation Cronos.
The group managed to rebuild and resume activity to some degree, but suffered another blow earlier this month after its dark web affiliate panel was defaced to include links to database dumps containing thousands of negotiation chats, custom builds, and work carried out through the lower-tier LockBit Lite panels.
"From chat logs and ransomware build records to affiliate structure and ransom requests, the data shows that LockBit is well organized and systematic." "Affiliates play a major role in customizing attacks, requesting payments, and negotiating with victims."

The development comes as multiple groups of attackers, including the 3AM ransomware gang, have been using a combination of email bombing and vishing to mislead employees and breach corporate networks, posing as technical support so the social engineers can remotely access the employees' computers using Microsoft Quick Assist.
The initial access is then abused to drop additional payloads, including a network-tunneling backdoor called QDoor that allows attackers to establish a foothold on the network without attracting attention. Notably, the backdoor has previously been observed in Black Suit and Lynx ransomware attacks.
Sophos said that while the ransomware attack was ultimately thwarted, the attacker managed to steal data and remain on the network for nine days before attempting to launch the locker.
"The combination of vishing and email bombing continues to be a powerful and effective combination for ransomware attackers. The 3AM ransomware group has found a way to use remote encryption, bypassing traditional security software."
"To maintain a secure state, businesses must prioritize employee awareness and strictly restrict remote access, including by using policies that block the execution of virtual machines and remote access software on computers that do not have such software. Additionally, businesses must block all inbound and outbound network traffic related to remote control except from systems designated for remote access."
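The guidance above boils down to an allowlist: remote-control tooling such as Quick Assist runs, and remote-control traffic flows, only on designated hosts. As an added illustration (not code from the article, Sophos, or any of the named vendors), the check below evaluates constructed process and network events against such a policy; the host names, the SimpleHelp executable name and the port numbers are assumptions for this example.

```python
from dataclasses import dataclass

# Executable names treated as remote-control tooling. QuickAssist.exe is the
# Windows Quick Assist binary; the SimpleHelp name is a constructed placeholder.
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "simplehelp-remote-access.exe"}

# Hosts designated for remote access (an assumption for this example).
DESIGNATED_HOSTS = {"helpdesk-jump01"}

# TCP ports treated as remote-control traffic (assumed, not from the article).
REMOTE_CONTROL_PORTS = {3389, 5900}


@dataclass(frozen=True)
class Event:
    host: str
    kind: str    # "process" or "network"
    detail: str  # image path for process; "direction:port" for network


def is_violation(ev: Event) -> bool:
    """True when a non-designated host runs a remote-access tool or
    sends/receives traffic on a remote-control port."""
    if ev.host in DESIGNATED_HOSTS:
        return False
    if ev.kind == "process":
        image = ev.detail.lower().rsplit("\\", 1)[-1]
        return image in REMOTE_ACCESS_TOOLS
    if ev.kind == "network":
        _direction, port = ev.detail.split(":")
        return int(port) in REMOTE_CONTROL_PORTS
    return False


def flag_violations(events):
    return [ev for ev in events if is_violation(ev)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    Event("finance-ws07", "process", r"C:\Windows\System32\QuickAssist.exe"),
    Event("helpdesk-jump01", "process", r"C:\Windows\System32\QuickAssist.exe"),
    Event("finance-ws07", "network", "outbound:5900"),
    Event("finance-ws07", "process", r"C:\Windows\System32\notepad.exe"),
    Event("hr-ws02", "network", "inbound:3389"),
    Event("helpdesk-jump01", "network", "outbound:3389"),
]

if __name__ == "__main__":
    for ev in flag_violations(SAMPLE_EVENTS):
        print(f"policy violation: {ev.host} {ev.kind} {ev.detail}")
```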