The DragonForce ransomware operation efficiently breached a managed service supplier and used its SimpleHelp distant monitoring and administration (RMM) platform to steal information and deploy encryptors on downstream prospects’ methods.
Sophos was introduced in to research the assault and consider the menace actors exploited a sequence of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.
SimpleHelp is a business distant help and entry instrument generally utilized by MSPs to handle methods and deploy software program throughout buyer networks.
The report by Sophos says that the menace actors first used SimpleHelp to carry out reconnaissance on buyer methods, akin to accumulating details about the MSP’s prospects, together with system names and configuration, customers, and community connections.
The menace actors then tried to steal information and deploy decryptors on buyer networks, which had been blocked on one of many networks utilizing Sophos endpoint safety. Nevertheless, the opposite prospects weren’t so fortunate, with units encrypted and information stolen for double-extortion assaults.
Sophos has shared IOCs associated to this assault to assist organizations higher defend their networks.
MSPs have lengthy been a helpful goal for ransomware gangs, as a single breach can result in assaults on a number of firms. Some ransomware associates have specialised in instruments generally utilized by MSPs, akin to SimpleHelp, ConnectWise ScreenConnect, and Kaseya.
This has led to devastating assaults, together with REvil’s huge ransomware assault on Kaseya, which impacted over 1,000 firms.
DragonForce beneficial properties notoriety following UK retail assaults
The DragonForce ransomware gang has just lately surged in notoriety after being linked to a wave of high-profile retail breaches involving menace actors using Scattered Spider ways.
As first reported by BleepingComputer, the group’s ransomware was deployed in assaults on the UK retailer Marks & Spencer. Quickly after, the identical menace actors breached one other UK retailer, Co-op, who confirmed a big quantity of buyer information was stolen.
BleepingComputer beforehand reported that DragonForce is making an attempt to construct a “cartel” by providing a white-label ransomware-as-a-service (RaaS) mannequin, permitting associates to deploy rebranded variations of its encryptor.
With its more and more affiliate-friendly strategy and rising record of victims, DragonForce is rapidly changing into a significant participant within the ransomware panorama.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and defend towards them.
