DragonForce attacks MSP and spreads ransomware to customers

DragonForce carried out a double attack by first targeting an MSP and then spreading ransomware via its management software.

This was reported by The Register. The attack began when cybercriminals exploited security vulnerabilities in SimpleHelp, a popular remote management and monitoring tool. This allowed them to install DragonForce ransomware on multiple systems and steal confidential data.

According to security company Sophos, extortion was also used in addition to the ransomware. The perpetrators threatened to publish data if the ransom was not paid. Sophos did not disclose which MSP was affected or how many customers fell victim to the attack.

DragonForce is a relatively new player in the ransomware-as-a-service field and gained notoriety in April when the criminal group Scattered Spider used the software to infect major retail chains in the UK and the US. Since then, they have been offering their infrastructure to other criminals to spread ransomware.

High-impact attack

MSPs are attractive targets for cybercriminals because they have access to multiple customer environments at the same time. In this case, the misuse of SimpleHelp had an even greater impact: the software runs on thousands of servers, which allowed the attackers to push ransomware to customer systems as if it were a regular update.

According to Sophos, the attack was not only about infecting systems, but also about gathering information. Through the SimpleHelp installation, the attackers collected data about customer environments, including device information, users, and network connections.

Sophos believes with reasonable certainty that a DragonForce partner exploited a combination of vulnerabilities in SimpleHelp. These vulnerabilities were patched by SimpleHelp earlier this year.

In February, authorities in both the US and the UK warned of active exploitation of these vulnerabilities. Sophos published a list of indicators of this attack on GitHub. Users are advised to install the latest SimpleHelp updates as soon as possible.