DragonForce Hits MSP, Abuses SimpleHelp to Spread

The DragonForce ransomware group has compromised a managed service provider (MSP), leveraging its SimpleHelp remote monitoring and management (RMM) platform to infiltrate and encrypt systems across multiple customer networks. The attackers reportedly used the MSP’s access to execute data theft and encryption operations on downstream clients, highlighting the risks associated with centralized IT service platforms.

By exploiting SimpleHelp, a legitimate RMM tool commonly used by MSPs to remotely manage client systems, DragonForce was able to bypass traditional security defenses. This method enabled the ransomware actors to move laterally within customer environments, encrypting critical data and potentially disrupting business operations.

The incident underscores the growing trend of ransomware groups targeting service providers to maximize impact. It also raises concerns about the security of RMM platforms, which often hold elevated privileges across multiple organizations. Companies relying on third-party IT support may face increased risk unless proper segmentation and monitoring practices are in place.