Mallory

DragonForce and Medusa Ransomware Exploitation of SimpleHelp RMM Vulnerabilities

Tags: ransomware-group-operation, third-party-vendor-breach, actively-exploited-vulnerability, operational-disruption, data-exfiltration-method

Updated March 21, 2026 at 03:26 PM · 2 sources


Two major Ransomware-as-a-Service (RaaS) groups, Medusa and DragonForce, have been identified exploiting critical vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform to gain SYSTEM-level access across managed service provider (MSP) environments. The attackers leveraged three specific flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to compromise RMM servers, pivot into downstream customer networks, and deploy ransomware payloads. Medusa operators used legitimate IT management tools like PDQ Inventory and PDQ Deploy to distribute ransomware, disable Microsoft Defender, and exfiltrate sensitive data using RClone, while DragonForce was also observed exploiting these flaws for similar access and impact.

The attacks resulted in widespread file encryption, ransom notes, and double-extortion tactics, with stolen data posted on dark web leak sites and promoted via Telegram. The campaigns highlight the significant risk posed by unpatched RMM platforms in the IT supply chain, as attackers can rapidly escalate privileges and impact multiple organizations through a single compromised MSP. Security researchers emphasize the need for immediate patching of SimpleHelp RMM vulnerabilities and enhanced monitoring of MSP environments to mitigate further exploitation by ransomware groups.

Timeline

  1. Nov 11, 2025

    DragonForce adopts BYOVD to disable EDR and updates Conti v3-based encryptor

    Subsequent reporting said DragonForce evolved its ransomware tooling by using a bring-your-own-vulnerable-driver technique to kill endpoint detection and response products. The same report also noted the group fixed encryption flaws in its Conti v3-derived codebase, indicating a technical maturation of the malware.

  2. Nov 10, 2025

    Medusa and DragonForce exploit SimpleHelp RMM flaws for SYSTEM access

    A reported campaign described Medusa and DragonForce abusing vulnerabilities in SimpleHelp remote monitoring and management software to gain SYSTEM-level access, highlighting managed service providers as a key exposure point. The reporting indicates the flaws were being actively leveraged in real-world intrusions.


Related Stories

Storm-1175 Rapidly Exploits Web-Facing Flaws to Deploy Medusa Ransomware

Microsoft said threat actor **Storm-1175** is running high-tempo intrusions that exploit newly disclosed and, in some cases, previously unknown vulnerabilities in internet-facing systems to steal data and deploy **Medusa ransomware** within days or even 24 hours. The financially motivated group has heavily impacted healthcare organizations and also targeted education, professional services, and finance in Australia, the United Kingdom, and the United States. Since 2023, the actor has exploited more than 16 flaws across products including **Microsoft Exchange**, **PaperCut**, **Ivanti**, **ConnectWise ScreenConnect**, **JetBrains TeamCity**, **SimpleHelp**, **CrushFTP**, **GoAnywhere MFT**, **SmarterMail**, **SAP NetWeaver**, and **BeyondTrust**, with Microsoft also observing zero-day use against SmarterMail and GoAnywhere before public disclosure. After gaining access, Storm-1175 establishes persistence with new administrator accounts, web shells, and remote management tools, then moves laterally using LOLBins, **Impacket**, **PDQ Deployer**, and Cloudflare tunnels while stealing credentials from **LSASS**, `NTDS.dit`, `SAM`, and backup systems. Microsoft said the actor tampers with Microsoft Defender settings to reduce detection, uses **Bandizip** and **Rclone** for collection and exfiltration, and deploys Medusa through PDQ Deployer or Group Policy; the group has also shown interest in Linux targets such as vulnerable **Oracle WebLogic** servers. Microsoft urged organizations to reduce exposure of web-facing assets, patch quickly, enforce MFA on approved RMM tools, restrict local administrator rights, and enable protections such as **Credential Guard**, tamper protection, and Defender XDR attack disruption features.

4 weeks ago
DragonForce Ransomware Operations and High-Profile Breaches

DragonForce, a ransomware group that has evolved into a self-described "ransomware cartel," has intensified its global operations, targeting organizations with advanced tactics and forming alliances with other cybercriminal collectives. Security researchers have detailed how DragonForce leverages vulnerable drivers such as `truesight.sys` and `rentdrv2.sys` to disable security software and has improved its encryption methods to address previously exploited vulnerabilities. The group, which began by using the LockBit 3.0 builder and later adopted a modified Conti v3 source code, now operates a ransomware-as-a-service (RaaS) model, offering affiliates a significant share of profits and customizable tools to attract new participants. Notably, DragonForce has collaborated with groups like Scattered Spider and has been linked to the compromise of major organizations, including a high-profile breach of Marks & Spencer. Recently, DragonForce claimed responsibility for a significant breach at Mobilelink USA, a major dealer for Cricket Wireless, exfiltrating 5.04 TB of data and threatening to leak sensitive information, including personally identifiable and financial data of millions of customers across 21 states. The group has also reportedly allied with other ransomware gangs such as Qilin and LockBit, and has taken over operations or leak sites from other ransomware groups like RansomHub, BlackLock, and Mamona. In 2025 alone, DragonForce has impacted at least 185 organizations, with most attacks occurring in the last six months, underscoring the growing threat posed by this increasingly organized and aggressive ransomware operation.

1 month ago
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware

Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.

6 days ago