DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
sophos, Tuesday, May 27th, 2025
Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer's network
Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP's remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.