Threat Actors Leverage RMM Tools to Deploy Medusa & DragonForce Ransomware

A sophisticated wave of ransomware attacks targeting UK organizations has emerged in 2025, exploiting vulnerabilities in the widely used SimpleHelp Remote Monitoring and Management (RMM) platform.

Two prominent ransomware groups, Medusa and DragonForce, have weaponized three critical vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to gain unauthorized access through trusted third-party vendors and Managed Service Providers.

The attack campaigns demonstrate a concerning shift in ransomware tactics, where threat actors compromise supplier-controlled RMM infrastructure rather than directly targeting victim organizations.

By exploiting unpatched SimpleHelp instances running with SYSTEM-level privileges, attackers achieved comprehensive control over downstream customer networks with minimal resistance.

This supply chain approach allows adversaries to bypass traditional perimeter defenses and leverage the inherent trust between organizations and their service providers.

Zensec security researchers identified these coordinated campaigns after investigating multiple intrusions across the first and second quarters of 2025.

The Medusa ransomware group struck first in Q1 2025, deploying their malicious payloads through compromised MSP environments.

Following a similar playbook, DragonForce launched their offensive in Q2 2025, targeting organizations through the same vulnerable RMM infrastructure.

Blog site (Source – Zensec)

Both groups demonstrated advanced operational capabilities, combining automated deployment tools with hands-on keyboard techniques to maximize impact.

The financial and operational consequences have been severe for affected organizations. Beyond system encryption, both threat actor groups engaged in double extortion tactics, exfiltrating sensitive corporate data before deploying ransomware.

Victims faced not only the immediate disruption of encrypted systems but also the threat of data exposure on dark web leak sites, compelling organizations to navigate complex decisions regarding ransom payments and public disclosure.

Attack Execution and Defense Evasion Techniques

Once inside victim networks through the compromised SimpleHelp platform, both ransomware groups deployed sophisticated toolsets to disable security protections and establish persistence.

Medusa Blog (Source – Zensec)

The Medusa group leveraged PDQ Deploy to push PowerShell commands that systematically dismantled Microsoft Defender protections across the environment.

The attackers executed base64-encoded commands to add exclusion paths and disable real-time monitoring:

Add-MpPreference -ExclusionPath "C:"
Set-MpPreference -MAPSReporting Disable
Set-MpPreference -DisableRealtimeMonitoring $true

The PowerShell payload was delivered through PDQ Deploy in base64-encoded form; once decoded, it reveals the defense-disabling commands shown above.

The threat actors also made specific modifications to the Defender exclusion list.
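Because the tampering commands arrived base64-encoded, a detection that only string-matches process command lines for "Set-MpPreference" misses them. The following added example (not code from Zensec or the article) decodes PowerShell's -EncodedCommand argument (base64 over UTF-16LE) from constructed process-creation command lines and flags the three Defender changes quoted above; the sample command lines and the pattern names are assumptions made for the example.

```python
import base64
import re

# Indicators drawn from the decoded commands quoted in the article, in the
# order they appear there. A drive-root exclusion such as "C:" is matched
# separately from narrower, often legitimate, folder exclusions.
TAMPER_PATTERNS = [
    (r"Add-MpPreference\s+.*-ExclusionPath\s+[\"']?[A-Za-z]:\\?[\"']?(?=\s|$)",
     "drive-root exclusion added"),
    (r"Set-MpPreference\s+.*-MAPSReporting\s+Disable", "cloud (MAPS) reporting disabled"),
    (r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$true", "real-time monitoring disabled"),
]
# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by base64.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent.
    PowerShell expects base64 of UTF-16LE text, so decode in that order."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_defender_tampering(cmdline):
    """Return the labels of Defender-tampering commands found in one process
    command line; encoded payloads are decoded first so the check sees the
    real cmdlets rather than the base64 blob."""
    text = decode_encoded_command(cmdline) or cmdline
    return [label for pattern, label in TAMPER_PATTERNS
            if re.search(pattern, text, re.IGNORECASE | re.MULTILINE)]


def _encode_for_powershell(script):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (hypothetical, not telemetry from the article).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -EncodedCommand " + _encode_for_powershell(
        'Add-MpPreference -ExclusionPath "C:"\r\n'
        'Set-MpPreference -MAPSReporting Disable\r\n'
        'Set-MpPreference -DisableRealtimeMonitoring $true\r\n'),
    'powershell.exe -Command "Get-MpComputerStatus"',
    "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor'\"",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:48], "->", find_defender_tampering(line) or "clean")
```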

The Medusa group deployed their ransomware payload, identified as “Gaze.exe,” alongside specialized drivers including Smuot.sys and CSAgent.sys to further inhibit antivirus products.

Researchers have linked these drivers to the Abyssworker toolkit, a known security evasion framework.

DragonForce operators took a different approach, creating local administrator accounts named “admin” and installing AnyDesk for persistent remote access.

They also targeted Veeam backup servers using the Get-Veeam-Creds.ps1 script to extract plaintext credentials from SQL password stores, effectively compromising backup recovery capabilities.

Data exfiltration methods varied between the groups. Medusa utilized RClone, cleverly renamed to “lsp.exe” to evade detection signatures, with filtering parameters designed to transfer files under 1500MB and older than 1500 days.

DragonForce employed Restic, an open-source backup tool, to transfer stolen data to Wasabisys S3-compatible cloud storage endpoints.

Following encryption, Medusa systems displayed the “.MEDUSA” file extension with ransom notes titled “!!!READ_ME_MEDUSA!!!.txt,” while DragonForce appended “*.dragonforce_encrypted” extensions and left “readme.txt” notes on affected machines.
