Ransomware Gangs Target Victims Using Unpatched SimpleHelp Vulnerabilities and Double Extortion Tactics


Ransomware Gangs Exploiting Vulnerabilities in SimpleHelp

Overview of the Threat

Recent findings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reveal a troubling trend: ransomware groups are increasingly targeting unpatched versions of SimpleHelp Remote Monitoring and Management (RMM) software. This tactic is creating significant risks for clients of specific utility billing software providers. According to CISA, the exploitation of these vulnerabilities has been ongoing since January 2025.

Vulnerabilities in SimpleHelp Software

Earlier this year, SimpleHelp acknowledged three critical flaws in its software, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. Together they cover information disclosure (CVE-2024-57727, a path traversal bug), remote code execution (CVE-2024-57728, arbitrary file upload by an authenticated admin), and privilege escalation (CVE-2024-57726). Ransomware groups, notably DragonForce, have chained these flaws to gain initial access to their targets. A recent report from Sophos described a DragonForce affiliate breaking into a Managed Service Provider's SimpleHelp deployment and then using that RMM access to push ransomware to the MSP's downstream customers.

Specific Affected Versions

CISA points out that SimpleHelp server versions 5.5.7 and earlier are affected. Ransomware operators are using these weaknesses to conduct double-extortion attacks: they exfiltrate data before encrypting it, then demand payment both for the decryption key and for not leaking the stolen files. This two-pronged approach amplifies the potential damage for organizations that fail to update their software, because a clean backup alone no longer resolves the incident.

To combat these rising threats, CISA has recommended several actionable steps for organizations, especially those utilizing SimpleHelp for client connections:

  • Isolate Vulnerable Servers: It’s crucial to identify and remove SimpleHelp server instances from internet exposure and update them to the latest version.
  • Inform Customers: Organizations should promptly notify downstream clients, guiding them to secure their systems proactively.
  • Conduct Threat Hunting: Search for indicators of compromise on SimpleHelp servers and the endpoints they manage, and monitor for unusual traffic to or from RMM infrastructure.
  • Isolate Affected Systems: If a ransomware attack has occurred, disconnect affected systems and restore them using clean backups after reinstalling the operating system.
  • Maintain Backup Protocols: Regularly scheduled, offline backups are vital for data recovery.
  • Limit Remote Services Exposure: Organizations should avoid exposing remote services, such as Remote Desktop Protocol (RDP), to the internet.
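The first mitigation above begins with finding every SimpleHelp server you run and checking which build it is on. The script below is an added example (it is not CISA's, SimpleHelp's, or the article's code). It assumes that a SimpleHelp server answers an unauthenticated request for `/allversions` with a page containing the string `SimpleHelp v<major>.<minor>.<patch>`; that endpoint name is an assumption about the product, so confirm it against one of your own instances before relying on it. The version threshold is exactly the one the advisory states (5.5.7 and earlier), and the two HTTP bodies at the bottom are constructed samples, not captured responses.

```python
"""Flag SimpleHelp servers whose reported version is 5.5.7 or earlier.

Added example: not vendor, CISA or article code. Assumes (unverified here)
that GET /allversions on a SimpleHelp server returns a page that contains
"SimpleHelp v<major>.<minor>.<patch>".
"""
import re
import sys
import urllib.request

# CISA: versions 5.5.7 and earlier are affected by the three CVEs.
LAST_VULNERABLE = (5, 5, 7)
VERSION_RE = re.compile(r"SimpleHelp v(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Return the (major, minor, patch) tuple found in a page body, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_vulnerable(version) -> bool:
    """Tuple comparison orders (5, 4, 10) below (5, 5, 7), as intended."""
    return version <= LAST_VULNERABLE


def assess(body: str) -> dict:
    """Turn a page body into a finding; None means the check was inconclusive."""
    version = parse_version(body)
    if version is None:
        return {"version": None, "vulnerable": None,
                "note": "no SimpleHelp version string found; inspect manually"}
    return {"version": ".".join(map(str, version)),
            "vulnerable": is_vulnerable(version),
            "note": "update and remove from internet exposure"
            if is_vulnerable(version) else "at or above patched range"}


def fetch_allversions(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the assumed version page from a server you are authorized to test."""
    url = base_url.rstrip("/") + "/allversions"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample bodies (not real server output) for offline use.
SAMPLE_OLD = "<html><body><pre>SimpleHelp v5.5.7 (build 4)</pre></body></html>"
SAMPLE_NEW = "<html><body><pre>SimpleHelp v5.5.8 (build 1)</pre></body></html>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python simplehelp_check.py https://rmm.example.internal
        for target in sys.argv[1:]:
            print(target, assess(fetch_allversions(target)))
    else:
        for body in (SAMPLE_OLD, SAMPLE_NEW):
            print(assess(body))
```

Run it with one or more base URLs of servers you own; with no arguments it evaluates the two constructed samples. Treat a `None` result as "look at the server by hand", not as "safe": a reverse proxy or a hardened build may simply not expose the string.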

CISA strongly advises against paying ransoms, emphasizing that such actions may not guarantee data recovery and could inadvertently support further criminal activities.

Fog Ransomware: A Disturbing New Tactic

In other developments, Broadcom's Symantec has reported a Fog ransomware attack on a financial institution in Asia. The intrusion stood out for its use of legitimate employee monitoring software alongside standard ransomware tooling. Fog, first observed in May 2024, gets into networks through compromised VPN credentials and unpatched software vulnerabilities, exfiltrates sensitive data, and then encrypts it.

Attack Vector and Execution

The attackers have delivered Windows shortcut (.lnk) files inside ZIP archives, primarily through phishing emails. Opening the shortcut launches a PowerShell script that drops the ransomware loader. Fog also uses privilege-escalation techniques and evades detection by running its malicious code in memory rather than writing it to disk.
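A mail gateway or triage script can catch the delivery stage described above before anyone double-clicks. The following is an added example, not Symantec's or the article's code: it opens a ZIP archive, flags entries that are Windows shortcuts (by extension or by the fixed 20-byte LNK header, the `0x4C` header size followed by the shell link CLSID), notes double extensions such as `.pdf.lnk`, and looks for references to PowerShell or other script hosts in the shortcut body in both ASCII and UTF-16LE, which is how LNK files store their argument strings. The archive it scans is constructed inline; the fake shortcut only carries the header and a command-line string, not a complete LNK structure.

```python
"""Flag Windows shortcut files inside a ZIP attachment.

Added example for triaging LNK-in-ZIP phishing lures; not from the
article or Symantec. The archive below is constructed, not a real sample.
"""
import io
import zipfile

# LNK header: HeaderSize 0x0000004C (LE) + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Script hosts commonly invoked from a malicious shortcut's command line.
SUSPICIOUS = ("powershell", "cmd.exe", "mshta", "rundll32", "wscript", "cscript")
SCRIPT_EXTENSIONS = (".lnk", ".exe", ".js", ".vbs", ".hta", ".scr")


def looks_like_lnk(data: bytes) -> bool:
    """True when the first 20 bytes are the fixed shell-link header."""
    return data[:20] == LNK_MAGIC


def suspicious_strings(data: bytes) -> list:
    """Find script-host names stored as ASCII or as UTF-16LE (LNK string data)."""
    low = data.lower()  # bytes.lower() touches ASCII only, so UTF-16LE survives
    hits = []
    for name in SUSPICIOUS:
        if name.encode() in low or name.encode("utf-16-le") in low:
            hits.append(name)
    return hits


def scan_zip(blob: bytes) -> list:
    """Return one finding per suspicious archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            lower = name.lower()
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk extension")
            if looks_like_lnk(data):
                reasons.append("lnk header")
            if name.count(".") >= 2 and lower.endswith(SCRIPT_EXTENSIONS):
                reasons.append("double extension")
            if "lnk extension" in reasons or "lnk header" in reasons:
                reasons.extend(f"references {s}" for s in suspicious_strings(data))
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a header-only fake shortcut next to a benign text file."""
    cmdline = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
               "-nop -w hidden -enc AAAA")
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + cmdline.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The header check matters more than the extension check: a shortcut renamed to `.pdf` still carries the LNK header and Windows still treats it as a shortcut if the extension is later restored. Password-protected archives will raise on `zf.read`; in a gateway you would treat an unreadable archive as its own finding rather than letting it through.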

Trend Micro reveals that Fog has claimed around 100 victims since the beginning of 2025, predominantly from the technology, education, manufacturing, and transportation sectors.

Targeting Techniques and Implications

The unusual choice to deploy legitimate employee monitoring software, such as Syteca, raises questions about the attackers' intentions, and whether their agenda extends beyond financial gain toward corporate espionage. Researchers read it as a sign that the intruders meant to keep access to the network after the ransomware was deployed, since monitoring software of this kind gives a persistent, legitimate-looking foothold.

LockBit Ransomware Insights

The LockBit ransomware-as-a-service (RaaS) operation continues to run, reportedly taking in around $2.3 million over the past six months. Recent analysis of LockBit affiliate activity shows China among the most targeted countries, with significant focus also on Taiwan, Brazil, and Turkey. This is notable because it suggests affiliates operating with little regard for political repercussions, in contrast to other groups that have occasionally targeted Chinese organizations for data theft alone rather than encryption.

Affiliate Dynamics and Operations

The affiliate landscape has shifted since RansomHub shut down, with several of its former affiliates moving to LockBit. Continued development of LockBit 5.0 indicates the group remains active and is adapting despite the law-enforcement setbacks it has suffered.

In summary, the range of tactics described here, from exploiting unpatched RMM software to abusing legitimate monitoring tools, reflects the growing complexity of ransomware operations. Organizations and security professionals must remain vigilant and proactive, patching internet-facing management software promptly and keeping offline backups, to protect against these evolving threats.
