DragonForce Ransomware Abuses SimpleHelp in MSP Supply Chain Attack

Is the DragonForce ransomware attack hiding in your remote access tool?

The DragonForce ransomware attack is exploiting weak points in Managed Service Providers (MSPs) by abusing SimpleHelp, a remote access tool. The attackers launched a supply chain attack by leveraging publicly accessible and unsecured SimpleHelp instances, enabling lateral movement across client networks. Researchers warn this marks a significant evolution in attacker strategy—shifting from direct infiltration to scalable abuse of trusted third-party tools.

Sophos, which investigated the breach, found that attackers used SimpleHelp for remote access, deployed self-extracting archive files (SFX), ran PowerShell scripts, and created scheduled tasks to silently move across networks and drop ransomware or prepare for future attacks.

What Happened: Abusing a Trusted Remote Access Tool

The attack exploited SimpleHelp in the following stages:

  • Tool misuse, not tool compromise: Sophos clarified that there’s no evidence SimpleHelp itself was exploited via a vulnerability. Instead, attackers found exposed or weakly secured installations of the software on MSP infrastructures.

“We saw the tool being used as a remote desktop capability—it wasn’t clear that the tool itself had any vulnerabilities exploited,” Sophos researchers explained.

  • Remote Access to Lateral Movement: Once attackers gained access, they executed PowerShell commands to scan systems and spread through lateral movement across client endpoints.
  • Payload Deployment (or not): In some cases, attackers did not deploy ransomware. Instead, the breach may have been exploratory—establishing persistence for future attacks or data theft.
  • Infrastructure Clues: The malicious activity originated from SimpleHelp instances hosted in Russia and Malaysia, further raising red flags for global cybersecurity teams. 

Technical Indicators and Threat Tactics

  • RARLAB SFX archives bundled with malicious payloads
  • Obfuscated PowerShell scripts used for reconnaissance and execution
  • Scheduled tasks set to auto-execute malware under the radar
  • Common command-line behavior mimicking IT support scripts

These patterns show attackers are blending into normal MSP workflows, making detection harder for both providers and clients.

Why This Attack Matters

  • Abuse of Trust: MSPs are built on trust, and threat actors now exploit that trust to access dozens of clients from a single foothold.
  • Evolving Playbook: This attack represents a shift in strategy—from targeting individual organisations to using MSPs as force multipliers.
  • No Exploit, Just Oversight: The attackers didn’t hack SimpleHelp—they used misconfigured or unprotected instances, proving that lapses in basic cybersecurity hygiene remain a massive risk.

John Shier, Field CTO at Sophos, warned:
“The threat actors are using the trust placed in MSPs and their tools to get broad access into environments.”

Lessons for MSPs and Small Businesses

  • Harden remote access software: Disable unused ports, apply strict firewalls, and change default settings
  • Audit and monitor RMM tools regularly for misuse
  • Separate MSP tools from core business systems with access control and segmentation
  • Educate clients about shared security responsibilities when using third-party providers
  • Implement EDR solutions that detect anomalous scripting and scheduled task creation
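The indicators listed above (obfuscated PowerShell, scheduled-task creation, RARLAB SFX payloads) and the last lesson (detect anomalous scripting and task creation) can be turned into a concrete triage check. The following is an added example written for this page; it is not Sophos code, not SimpleHelp code, and not part of the original article. It runs three detection rules over constructed process-creation records and raises the severity when the parent process is the remote-access tool. The remote-access process name in `REMOTE_ACCESS_PARENTS` is a placeholder assumption to be replaced with the executable name of your own RMM agent, and the `RarSFX<n>` temp-folder pattern is the default extraction folder used by WinRAR self-extracting archives.

```python
"""Triage pass over process-creation telemetry (added example, not from the article).

Flags the behaviours the article lists when they appear under a remote-access
session: obfuscated/encoded PowerShell, schtasks /create, and executables
launched from a WinRAR SFX temp folder. All events below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# ASSUMPTION: image name(s) of the MSP's remote-access agent. "Remote Access.exe"
# is a placeholder; substitute the real process name of your RMM deployment.
REMOTE_ACCESS_PARENTS = {"remote access.exe"}

# -e, -ec, -en, -enc, -encodedcommand: PowerShell accepts unambiguous prefixes.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
OBFUSCATION_HINTS = re.compile(
    r"(?i)\biex\b|invoke-expression|frombase64string|downloadstring|-nop\b|-w(?:indowstyle)?\s+hidden"
)
# Default extraction folder of WinRAR SFX modules: %TEMP%\RarSFX0\, RarSFX1\, ...
SFX_TEMP_DIR = re.compile(r"(?i)\\temp\\rarsfx\d+\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_remote_access(ev: ProcEvent) -> bool:
    """True when the process was spawned directly by the remote-access agent."""
    return _basename(ev.parent_image) in REMOTE_ACCESS_PARENTS


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) so an analyst can read it."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_obfuscated_powershell(ev: ProcEvent) -> Optional[str]:
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return None
    hits = []
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        hits.append(f"encoded command decodes to {decoded!r}")
    hits.extend(f"contains {m.group(0)!r}" for m in OBFUSCATION_HINTS.finditer(ev.command_line))
    return "; ".join(hits) if hits else None


def detect_scheduled_task_creation(ev: ProcEvent) -> Optional[str]:
    if _basename(ev.image) != "schtasks.exe" or not re.search(r"(?i)\s/create\b", ev.command_line):
        return None
    runs_as_system = bool(re.search(r"(?i)/ru\s+system\b", ev.command_line))
    return f"schtasks /create{' as SYSTEM' if runs_as_system else ''}: {ev.command_line}"


def detect_sfx_payload(ev: ProcEvent) -> Optional[str]:
    if SFX_TEMP_DIR.search(ev.image):
        return f"executable launched from WinRAR SFX temp folder: {ev.image}"
    return None


RULES: Dict[str, Callable[[ProcEvent], Optional[str]]] = {
    "obfuscated_powershell": detect_obfuscated_powershell,
    "scheduled_task_creation": detect_scheduled_task_creation,
    "sfx_payload_launch": detect_sfx_payload,
}


def analyze(events: List[ProcEvent]) -> List[dict]:
    """Run every rule over every event; escalate when the parent is the remote-access agent."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail is None:
                continue
            severity = "high" if from_remote_access(ev) else "medium"
            findings.append({"host": ev.host, "rule": name, "severity": severity, "detail": detail})
    return findings


# ---- constructed sample telemetry (not real logs) ----
def _ps_encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


RECON_COMMAND = "Get-ChildItem \\\\fileserver\\share -Recurse"
RA = r"C:\Program Files\Remote Access\Remote Access.exe"  # placeholder agent path
SAMPLE_EVENTS = [
    ProcEvent("WS01", "jdoe", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent("WS02", "svc_msp", RA, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {_ps_encode(RECON_COMMAND)}"),
    ProcEvent("WS02", "svc_msp", RA, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "WindowsUpdateCheck" /tr "C:\Users\Public\update.exe" /sc minute /mo 5 /ru SYSTEM'),
    ProcEvent("WS03", "svc_msp", r"C:\Users\svc_msp\Downloads\support-bundle.exe",
              r"C:\Users\svc_msp\AppData\Local\Temp\RarSFX0\setup.exe", "setup.exe /S"),
    ProcEvent("WS01", "jdoe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /query /tn "Backup"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['rule']}: {f['detail']}")
```

The benign inventory script and the `schtasks /query` call produce no findings; the encoded PowerShell and the SYSTEM task spawned under the remote-access agent are rated high, while the SFX-extracted executable is rated medium because its parent is an ordinary download rather than the agent. Feeding the rules real Sysmon Event ID 1 or Windows 4688 records only requires mapping those fields onto `ProcEvent`.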

To Sum Up

The DragonForce ransomware breach is a wake-up call for MSPs and their customers alike. Attackers no longer rely solely on breaking through front doors—they now walk in through trusted back channels like SimpleHelp. Even without exploiting a software vulnerability, they were able to orchestrate a wide-reaching supply chain compromise. For security teams, this incident highlights the need to treat configuration as critically as code.

Author

  • Maya Pillai is a tech writer with 20+ years of experience and a diploma in Computer Applications. She specializes in cybersecurity—covering ransomware, endpoint protection, and online threats—on her blog The Review Hive. Her content makes cybersecurity simple for individuals and small businesses. Maya also mentors content writers at mayapillaiwrites.com, combining technical know-how with storytelling. She’s eligible for the (ISC)² Certified in Cybersecurity exam.
