The RMM Nightmare: How DragonForce Just Showed Us We're All Sitting Ducks
Wake up and smell the ransomware, folks. The DragonForce gang just pulled off what every IT professional has been dreading for years, and if you're not absolutely terrified right now, you're not paying attention. They didn't just hit one company. They didn't even just hit a managed service provider. No, these criminals weaponized the very tools we trust to keep our systems running, turning SimpleHelp's remote monitoring and management software into a delivery system for digital destruction.
And here's the kicker: every single business reading this probably uses similar tools. Every. Single. One.
The Attack That Should Have You Picking Up The Phone Right Now
Let me paint you a picture of what just went down, because the details should make your blood run cold. DragonForce, a ransomware-as-a-service gang that's been making waves since April, didn't waste time with small-time targets. They went straight for the jugular by compromising a managed service provider. But they weren't content with just encrypting one company's files and calling it a day.
These criminals exploited vulnerabilities in SimpleHelp, a remote monitoring and management tool used by thousands of companies worldwide. Think about that for a second. SimpleHelp brags on their website about being "installed and actively used on thousands of servers" with "hundreds of thousands of machines accessible through SimpleHelp servers." And DragonForce turned this massive reach into their personal ransomware distribution network.
The security researchers at Sophos discovered this nightmare when they spotted suspicious SimpleHelp installer files being pushed through legitimate RMM instances. That's right, the very software designed to protect and manage IT infrastructure became the weapon. The attackers didn't just deploy ransomware; they harvested device names, configurations, user data, and network connections across multiple customer estates. They basically got a backstage pass to everything.
Jon Miller, CEO of anti-ransomware company Halcyon, put it perfectly when he said this marks "a whole new level of chaos." He's not being dramatic. When criminals exploit RMM vulnerabilities, they're not just breaching a single organization. They're hijacking an entire distribution system. It's like poisoning the water supply instead of targeting individual homes.
The Vulnerabilities That Nobody Wanted To Talk About
Here's where things get really infuriating. The vulnerabilities that DragonForce exploited? They were known. They were patched. In January. JANUARY! We're talking about CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload), and CVE-2024-57726 (privilege escalation). Chain these bad boys together, and you've got yourself complete control over a SimpleHelp server.
But wait, it gets worse. In February, both the US and UK governments issued warnings that these vulnerabilities were being actively exploited. The US Cybersecurity and Infrastructure Security Agency added them to their Known Exploited Vulnerabilities catalog. The UK's National Health Service Digital sent out alerts. The writing wasn't just on the wall; it was in flashing neon lights with sirens blaring.
Yet here we are in May, watching DragonForce turn these known, patched vulnerabilities into a supply chain catastrophe. How many organizations ignored those warnings? How many MSPs thought "it won't happen to us" or "we'll get to it next quarter"? How many businesses are still running vulnerable versions of SimpleHelp or similar tools right this very second?
The Brutal Reality of Supply Chain Attacks
Let's talk about why this attack should have every business owner reaching for their phone to call their IT team immediately. Supply chain attacks are the nuclear option in the cybercriminal playbook. Instead of breaking into individual houses, attackers compromise the locksmith who has keys to hundreds of homes.
When an MSP gets hit, it's not just their problem. Every single one of their clients becomes a potential victim. And when the attack vector is the RMM software itself? Game over. These tools have privileged access to everything. They're designed to push software updates, access files, control systems, and manage networks. They're the keys to the kingdom, and DragonForce just showed us how easily those keys can be stolen and copied.
The double-extortion tactics make this even more vicious. Not only did DragonForce encrypt victims' files, but they also stole sensitive data. So even if you have bulletproof backups, you're still facing the threat of having your confidential information leaked online. Customer data, financial records, trade secrets, personal information - all of it potentially up for grabs.
Every Business Is At Risk. Yes, Even Yours.
If you're reading this thinking "well, we don't use SimpleHelp, so we're safe," you're missing the point entirely. Every RMM tool is a potential target. ConnectWise, Kaseya, TeamViewer, LogMeIn, NinjaRMM, Atera, the list goes on and on. These tools are everywhere because they're essential for modern IT management. But their ubiquity and power make them irresistible targets for ransomware gangs.
Remember the Kaseya attack in 2021? The REvil ransomware gang compromised Kaseya's VSA software and hit up to 1,500 businesses worldwide. That should have been our wake-up call. Instead, here we are watching history repeat itself with DragonForce and SimpleHelp.
The criminals are getting smarter and more brazen. DragonForce isn't just some fly-by-night operation. They're offering ransomware-as-a-service, meaning any wannabe criminal can rent their infrastructure and tools. They've been linked to attacks on major UK and US retailers. In April, they were connected to the notorious Scattered Spider group, the same crew behind the massive MGM and Caesars attacks.
The Questions You Need To Ask Your IT Team Today
Stop what you're doing and schedule a meeting with your IT team or managed service provider. Not next week. Not when you get around to it. Today. Here are the exact questions you need answers to, and don't let them deflect with technical jargon:
Question 1: "What RMM tools are we using, and how is the infrastructure managed?" Don't accept "we use industry standard tools" as an answer. You need specific names: ConnectWise Control, Kaseya VSA, TeamViewer, SimpleHelp, NinjaOne, Datto RMM, whatever they're using. Then the critical follow-up: "Is this self-hosted or cloud-hosted?" If it's cloud-hosted (like Ninja or Datto), ask: "How do you verify the vendor is keeping it patched? Show me where you check their security status."
Red Flag: If they can't immediately tell you the exact tools, or if they say "the vendor handles all that" without any verification process on their end.
Question 2: "Show me the last three security advisories for our RMM platform and tell me what YOU did about them." This is the key question for hosted RMM services. Even if Datto or Ninja handles the patching, your MSP needs to: know about vulnerabilities, understand the impact, adjust security settings if needed, have contingency plans, and communicate risks to clients. If SimpleHelp had vulnerabilities in January, what did your MSP do? Did they add extra monitoring? Restrict access? Have a plan B?
Red Flag: If they say "we don't need to worry about patches because Ninja/Datto/vendor handles that" or "we trust our vendor completely." That's exactly what the MSP hit by DragonForce probably said.
Question 3: "If Datto/Ninja/ConnectWise gets breached tomorrow, what's our plan?" This is where the rubber meets the road for hosted RMM services. Your MSP doesn't control the infrastructure, but they better have a plan for when it goes sideways. You want to hear about alternative access methods, backup management tools, offline documentation of your environment, and incident response procedures that don't depend on the compromised RMM tool.
Red Flag: Any response that includes "that won't happen because they have good security" or "we'd figure it out if it happened." If they're putting all their eggs in one vendor's basket without a contingency plan, you're screwed when that vendor gets hit.
Question 4: "How many people have admin access to our RMM tenant, and show me your access audit from last month." Whether it's self-hosted or cloud-hosted, your MSP controls who can access your systems through their RMM portal. They should be able to pull up a list immediately. For cloud-hosted services, they should show you the user audit logs from the vendor's portal. Ask specifically: "Who has the ability to push software to all our endpoints?"
Red Flag: If more than 5-10 people have admin access, or if they say "we don't really track that" or "everyone in IT needs admin access to do their job." Also concerning: "The vendor doesn't provide audit logs" means they picked a crappy vendor.
Question 5: "I want a read-only account to our RMM tenant with access to all reporting and audit logs. When can you set this up?" This is non-negotiable. It's YOUR infrastructure, YOUR data, and YOUR risk. You need independent visibility into what's happening. A read-only account lets you verify their work, monitor for suspicious activity, and have evidence if something goes wrong. Any legitimate MSP will set this up within 24-48 hours. The account should let you see: all device inventories, deployment histories, access logs, configuration changes, and alert histories.
Red Flag: Any pushback whatsoever. If they say "that would violate our security policies," "the vendor doesn't allow customer access," "you might misinterpret the data," or "we provide monthly reports instead," find a new MSP immediately. Here's a dirty little secret: some MSPs will resist because it might cost them money. Many RMM services bill either per technician seat or per endpoint. Adding your read-only account might count as another technician license they have to pay for. Now, if they're upfront about this and say "adding this account will cost us $30-50 per month in licensing, can we add that to your bill?" that's actually a reasonable conversation to have. What's NOT acceptable is refusing access because of cost, or hiding behind fake security concerns when it's really about money. A good MSP will be transparent about any costs and work with you to find a solution. If they flat-out refuse or make excuses instead of having an honest discussion about who pays for the additional license, that tells you everything about their priorities. They're either hiding something, they're incompetent, or they value saving a few bucks over your security.
Question 6: "What additional security controls have YOU implemented on top of the vendor's defaults?" This separates real security from checkbox security. Even with hosted RMM, your MSP can implement IP restrictions, enforce MFA, set up approval workflows for mass deployments, configure session timeouts, enable additional logging, and restrict after-hours access. If they're just using default settings, they're part of the problem.
Red Flag: "We use whatever security settings Datto/Ninja provides" or "the defaults are fine" or "additional security would slow us down." If they haven't hardened the configuration beyond defaults, they're leaving doors wide open.
Question 7: "Show me an alert from when your RMM vendor had an outage or security incident." Every major RMM vendor has had incidents. This question tests whether your MSP even knows when their critical tools have problems. You want to see evidence they monitor vendor status pages, subscribe to security notifications, and have a process for responding to vendor incidents.
Red Flag: "Our vendor hasn't had any incidents" or "we'd know if something was wrong because the tool would stop working." If they're not actively monitoring their supply chain, they'll be the last to know when compromise happens.
The Hard Truth About Shared Responsibility
Here's something that might sting: if you're outsourcing your IT to an MSP, their security is your security. You can't just sign a contract and wash your hands of responsibility. When DragonForce hit that unnamed MSP, it wasn't just the MSP that suffered. Every one of their customers became a victim.
This shared risk model means you need to be asking tough questions of your IT providers. What security measures do they have in place? How do they vet and monitor their tools? What's their incident response plan? How quickly would they notify you of a breach? These aren't nice-to-have conversations anymore. They're essential for survival in today's threat landscape.
And if your MSP gets defensive or evasive when you ask these questions? That's a massive red flag. Any IT provider worth their salt should welcome security discussions. They should be able to clearly articulate their security posture, their tool management processes, and their incident response capabilities. If they can't or won't, it's time to find a new provider.
Red Flags That Should Have You Shopping For A New IT Provider
Listen carefully to how your IT team or MSP responds to your security questions. Their answers will tell you everything you need to know about whether they're taking this seriously. Here are the responses that should have you updating your resume or finding a new provider:
"Our RMM vendor handles all the security" Translation: We have no idea what's going on and we're hoping nothing bad happens. Security is not something you outsource to your tool vendor. Your IT team needs to actively manage, monitor, and secure these tools.
"We've never had a problem before" This is like saying you don't need seatbelts because you've never been in a car accident. Past performance means nothing when facing evolving threats. If they're relying on luck instead of proper security measures, you're in trouble.
"That would be too expensive/complex to implement" If they're not willing to invest in basic security measures like multi-factor authentication, network segmentation, or proper monitoring, what else are they cutting corners on? Security isn't optional anymore. It's the cost of doing business.
"We'll look into that and get back to you" For basic questions about what tools you're using and how they're secured, the answers should be immediate. If they need to "research" fundamental aspects of your IT infrastructure, they don't have proper documentation or awareness.
"Our tools are behind a firewall, so we're safe" This shows a fundamental misunderstanding of modern threats. Firewalls are important, but they're not magic shields. RMM tools often need to punch through firewalls to work, and attackers exploit legitimate functionality, not just network vulnerabilities.
"We don't need to worry about that because we're too small to be targeted" DragonForce and other ransomware groups use automated tools that scan for vulnerabilities. They don't care if you have 10 employees or 10,000. If you're vulnerable, you're a target. Size is irrelevant in the age of automated attacks.
"Trust us, we're professionals" Trust without verification is how breaches happen. Real professionals are happy to explain their security measures, show their work, and prove they're following best practices. If they're asking for blind faith, they haven't earned it.
Technical Warning Signs You Can Check Yourself
You don't need to be a cybersecurity expert to spot some basic warning signs. Here's what to look for:
Check their website and communications:
Are they still recommending Windows 7 or Server 2008? Run.
Do they brag about "military-grade encryption" or use lots of buzzwords without specifics? Red flag.
Is their own website secured with HTTPS? If they can't secure their own web presence, how can they secure your infrastructure?
Ask to see a recent security report or audit:
If they can't produce anything from the last 12 months, they're not taking security seriously.
If they say "we don't need audits because we follow best practices," they don't understand that audits verify those practices.
Test their incident response:
Send an email at 8 PM asking "I think we've been hacked, what do I do?"
If you don't get a response within an hour, or if the response is "we'll look at it in the morning," you know where you stand.
Look for certifications and compliance:
No certifications at all? Problem.
Only has certifications from vendors trying to sell products? Problem.
Can't explain what their certifications actually mean for your security? Big problem.
The Uncomfortable Reality of Modern IT Infrastructure
We've built a house of cards, and DragonForce just showed us how easily it can tumble. RMM tools are indispensable for modern IT management, especially in our remote-work world. They allow IT teams to efficiently manage hundreds or thousands of endpoints, push updates, troubleshoot issues, and maintain security. But this power comes with enormous risk.
Every convenience feature in these tools is a potential attack vector. Remote command execution? That's how ransomware gets deployed. File transfer capabilities? Perfect for data exfiltration. Software deployment functions? Ideal for pushing malicious payloads. The very features that make RMM tools valuable make them dangerous in the wrong hands.
The industry needs to wake up to this reality. RMM vendors need to prioritize security over features. They need to implement robust authentication, comprehensive logging, anomaly detection, and secure update mechanisms. They need to make it harder for attackers to chain vulnerabilities and take control.
But vendors can't do it alone. Organizations need to demand better security. They need to vote with their wallets, choosing RMM tools based on security capabilities rather than just price and features. They need to invest in monitoring and detection capabilities that can spot malicious RMM usage. They need to treat RMM tools like the critical infrastructure they are.
The Clock Is Ticking
DragonForce's attack on SimpleHelp users isn't an isolated incident. It's part of a growing trend of supply chain attacks that are reshaping the threat landscape. Criminals have realized that compromising trusted tools and services provides massive return on investment. Why attack one company when you can attack hundreds through their shared service provider?
The SimpleHelp vulnerabilities that DragonForce exploited were patched in January. The governments issued warnings in February. Yet the attack still succeeded. This tells us that somewhere in the chain, someone dropped the ball. Maybe the MSP didn't apply patches quickly enough. Maybe they didn't take the warnings seriously. Maybe they thought their other security measures would be sufficient.
Whatever the reason, the result is the same: ransomware spreading through trusted channels, businesses disrupted, data stolen, and criminals laughing all the way to the cryptocurrency bank. And while Sophos hasn't revealed which MSP was hit or how many customers were affected, you can bet the damage is significant.
Critical Detection Questions That Could Save Your Business
Beyond the basic security questions, you need to dig into detection capabilities. Because here's the scary truth: RMM tools are designed to fly under the radar. That's their job. So you need specific detections for when they're being abused:
"Show me an alert from the last month where you detected suspicious RMM activity" If they can't show you a single example, they're not monitoring properly. For cloud-hosted RMM, they should still see alerts for things like: after-hours access, mass deployment attempts, unusual command execution, or connections from new locations. Even if Datto or Ninja hosts the infrastructure, your MSP can see what's happening through their tenant.
Red Flag: "We don't get alerts because our RMM activity is all legitimate" or "the vendor monitors that for us" means they have no idea what's actually happening.
"What happens if someone starts deploying software to all endpoints at 2 AM?" For hosted RMM services, this is even more critical. The answer needs to include: automatic alerts from their monitoring (not just the vendor's), approval workflows they've configured, and immediate investigation procedures. Many hosted RMM platforms allow you to set up approval requirements for mass deployments. If your MSP hasn't enabled these features, ask why not.
"How do you monitor for unauthorized access to your RMM portal?" With hosted services, your MSP might not control the infrastructure, but they absolutely control their tenant access. They should be monitoring for: new user accounts, privilege escalations, logins from unusual locations, and API key usage. If they're relying solely on the vendor to catch unauthorized access, that's negligence.
"Show me your RMM activity report from last Tuesday at 3 PM" Even with hosted RMM, they should be able to pull detailed activity logs. Datto, Ninja, ConnectWise, they all provide audit logs. If your MSP says "the vendor doesn't give us those logs" they either picked a terrible vendor or they're lying.
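As an added example (not code from the article, Sophos, or any RMM vendor), the Python pass below runs four of the detections named above over a constructed tenant audit-log extract: after-hours activity, a mass deployment from one account, a login from a location never seen for that account, and new-account or privilege changes. The five-field log format, local-time timestamps, the 07:00-19:00 business window and the 10-endpoint threshold are all assumptions; real exports from Datto, NinjaOne, ConnectWise or SimpleHelp have their own schemas and the parse step would need adapting.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One event per line:
# ISO timestamp (local tenant time), actor, action, source country, target ("-" if none).
SAMPLE_EVENTS = """
2025-05-27T09:12:00 alice login US -
2025-05-27T09:15:00 alice deploy US host-001
2025-05-27T14:02:00 bob login US -
2025-05-27T14:05:00 bob add_user US svc-backup2
2025-05-27T14:06:00 bob grant_admin US svc-backup2
2025-05-28T02:01:00 svc-backup2 login RO -
""".strip().splitlines()
# The new account then pushes an installer to twelve endpoints in three minutes.
SAMPLE_EVENTS += [
    f"2025-05-28T02:{2 + i // 5:02d}:{(i % 5) * 12:02d} svc-backup2 deploy RO host-{i:03d}"
    for i in range(12)
]

# Countries each technician has logged in from before (assumed baseline).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 local (assumption)
MASS_DEPLOY_THRESHOLD = 10                # distinct endpoints ...
MASS_DEPLOY_WINDOW = timedelta(minutes=10)  # ... within this window
PRIVILEGE_ACTIONS = {"add_user", "grant_admin", "create_api_key"}
INTERACTIVE_ACTIONS = {"login", "deploy", "run_command"}


def parse(line):
    ts, actor, action, country, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "country": country, "target": target}


def detect(lines, baseline_countries):
    """Return a list of (rule, actor, detail) alerts for the given log lines."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    recent_deploys = defaultdict(list)  # actor -> [(ts, target)] inside the window
    mass_flagged = set()                # actors already alerted on mass deployment
    after_hours_seen = set()            # (actor, date, hour) already alerted on
    for e in events:
        actor, action, ts = e["actor"], e["action"], e["ts"]
        # 1. Interactive activity outside business hours, one alert per actor-hour.
        if action in INTERACTIVE_ACTIONS and ts.hour not in BUSINESS_HOURS:
            key = (actor, ts.date(), ts.hour)
            if key not in after_hours_seen:
                after_hours_seen.add(key)
                alerts.append(("after_hours", actor, f"{action} at {ts:%Y-%m-%d %H:%M}"))
        # 2. Login from a country not in the actor's baseline (unknown actors have none).
        if action == "login" and e["country"] not in baseline_countries.get(actor, set()):
            alerts.append(("new_location", actor, f"login from {e['country']}"))
        # 3. New accounts, admin grants and API keys are always worth a look.
        if action in PRIVILEGE_ACTIONS:
            alerts.append(("privilege_change", actor, f"{action} {e['target']}"))
        # 4. Many distinct endpoints deployed to by one actor inside a short window.
        if action == "deploy":
            window = recent_deploys[actor] + [(ts, e["target"])]
            window = [(t, h) for t, h in window if ts - t <= MASS_DEPLOY_WINDOW]
            recent_deploys[actor] = window
            targets = {h for _, h in window}
            if len(targets) >= MASS_DEPLOY_THRESHOLD and actor not in mass_flagged:
                mass_flagged.add(actor)
                alerts.append(("mass_deploy", actor,
                               f"{len(targets)} endpoints within {MASS_DEPLOY_WINDOW}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'after_hours': 1, 'mass_deploy': 1, ...}."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f"[{rule}] {actor}: {detail}")
    print(summarize(detect(SAMPLE_EVENTS, BASELINE_COUNTRIES)))
```

On the sample, the daytime technician activity produces nothing, while the newly created account trips all four rules; the same pass run over a real tenant export is what an MSP should be able to show for the "2 AM deployment" question.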
The Vendor Accountability Questions You Must Ask
Since many MSPs use hosted RMM services, you need to understand how they're managing vendor risk. These questions reveal whether they're actively managing their supply chain or just hoping for the best:
"When was the last time you reviewed your RMM vendor's security posture?" They should be able to tell you about the vendor's SOC 2 compliance, recent audits, security incidents, and infrastructure changes. If they say "we picked them five years ago because they were cheap," you know where their priorities lie.
"What due diligence did you do before selecting this RMM vendor?" You want to hear about security assessments, reference checks, incident history review, and comparison of security features. If they just went with whoever had the best sales pitch, they're gambling with your security.
"How do you stay informed about your RMM vendor's security issues?" They need multiple information sources: vendor status pages, security mailing lists, industry forums, and peer networks. Relying solely on the vendor to self-report problems is like trusting a fox to guard the henhouse.
"What's your plan if your RMM vendor has a major breach?" This isn't hypothetical. Kaseya was hit in 2021. ConnectWise has had vulnerabilities. Every vendor is a target. Your MSP needs a documented plan that includes: immediate client notification, alternative management methods, forensic investigation capabilities, and business continuity procedures.
"Show me the contract terms with your RMM vendor regarding security incidents" They should know exactly what their vendor is obligated to do in case of a breach: notification timelines, liability limits, data protection guarantees, and incident response support. If they've never read these sections of their contract, they're not taking supply chain risk seriously.
The Smoking Gun Questions About Your MSP
If you use an MSP, these questions will reveal whether they're a security asset or a liability:
"How many of your other clients have been hit with ransomware in the last year?" If they say zero, they're either lying or they have very few clients. Follow up with: "Walk me through the last security incident you handled." Their response will tell you everything about their experience and capabilities.
"What's your notification timeline if you detect a breach?" The only acceptable answer is "immediately." If they talk about "assessing the situation first" or "confirming the breach before causing panic," find a new MSP. You need to know the second something might be wrong.
"Show me your cyber insurance policy" If they don't have one, or if it's minimal coverage, they're not taking the threat seriously. Also ask: "Have you ever had to make a claim?" Their answer reveals their real-world incident history.
"Which of your employees can access our systems, and how do you vet them?" You want to hear about background checks, security training, access reviews, and the principle of least privilege. If "everyone in support can access everything," that's a massive red flag.
"What happens to our access when an employee leaves your company?" They should describe a detailed offboarding process that happens the same day someone leaves. If they're vague about this, former employees might still have access to your systems.
What Happens Next
The DragonForce gang isn't going to stop with this one success. They've proven the model works, and you can bet other ransomware groups are taking notes. We're going to see more attacks targeting RMM tools, MSPs, and other critical service providers. The question isn't if, but when and where.
Organizations that fail to take this threat seriously are sitting ducks. Those unpatched RMM tools? They're ticking time bombs. Those MSPs with weak security practices? They're disasters waiting to happen. Those businesses that haven't had frank discussions about supply chain risk? They're tomorrow's headlines.
But it doesn't have to be this way. We have the knowledge and tools to defend against these attacks. We know what vulnerabilities to patch. We know what security measures to implement. We know what questions to ask and what red flags to watch for. The challenge is turning that knowledge into action before it's too late.
The Bottom Line
The DragonForce attack on SimpleHelp users should be a defining moment for how we think about IT security. It's stripped away any remaining illusions about the safety of our trusted tools and partners. It's shown us that the supply chain is often the weakest link, and criminals know it.
Every organization needs to have an honest conversation about RMM tools and supply chain risk. Not a checkbox exercise or a brief email exchange, but a real, substantive discussion about vulnerabilities, responsibilities, and responses. Your IT team or MSP might not want to have this conversation. They might assure you everything is fine, that they've got it handled, that you don't need to worry.
Don't accept that answer. Push harder. Demand specifics. Because when the ransomware hits and your data is being held hostage, "we thought we were secure" isn't going to cut it. The criminals are organized, motivated, and constantly evolving their tactics. Our defenses need to evolve too.
The DragonForce attack isn't just another security incident to file away and forget. It's a warning shot across the bow of every organization that relies on managed IT services and RMM tools. The question now is simple: are you going to heed that warning, or are you going to be the next victim?
Pick up the phone. Schedule that meeting. Ask those hard questions. Because in the world of ransomware and supply chain attacks, paranoia isn't a bug - it's a feature. And right now, we all need to be a lot more paranoid about the tools we trust with the keys to our digital kingdoms.
The clock is ticking, and DragonForce is just getting started. What are you going to do about it?