Ransomware Groups Leverage Unpatched SimpleHelp Vulnerabilities to Execute Double Extortion Schemes Against Targets


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances, compromising the customers of an undisclosed utility billing software provider.

This incident highlights a broader trend where ransomware actors have targeted organizations through unpatched versions of SimpleHelp RMM since early 2025, according to a CISA advisory.

Earlier this year, SimpleHelp reported a set of vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could lead to information disclosure, privilege escalation, and remote code execution.

These vulnerabilities have faced repeated exploitation in the wild, including by ransomware groups such as DragonForce. Notably, a Managed Service Provider’s instance of SimpleHelp was accessed using these flaws, allowing attackers to pivot to other downstream customers.

CISA indicated that SimpleHelp versions 5.5.7 and earlier harbor multiple vulnerabilities, including CVE-2024-57727. Ransomware groups exploit these vulnerabilities to access unpatched SimpleHelp instances belonging to downstream customers, facilitating double extortion attacks.

The agency has outlined several crucial mitigations that organizations, particularly third-party service providers utilizing SimpleHelp to connect with downstream customers, should implement to effectively combat ransomware activity:

  • Isolate SimpleHelp server instances from the internet and ensure they are updated to the latest version.
  • Notify downstream customers and guide them in securing their endpoints.
  • Conduct threat hunting for indicators of compromise and monitor for unusual inbound and outbound traffic from the SimpleHelp server for downstream customers.
  • Disconnect affected systems from the internet if they have been encrypted by ransomware, reinstall the operating system, and restore data from a secure backup.
  • Maintain regular, clean, offline backups.
  • Avoid exposing remote services such as Remote Desktop Protocol (RDP) on the web.
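As an added example (not part of the CISA advisory), the following script triages a constructed inventory of SimpleHelp servers against the first two mitigations above, flagging versions 5.5.7 and earlier and any server reachable from the internet; the hostnames and the `Instance` record are assumptions made for illustration.

```python
# Added example, not from the CISA advisory: triage an inventory of SimpleHelp
# servers against the first two mitigations above (5.5.7 and earlier is in
# scope per CISA; servers should not face the internet). Rows are constructed.
from dataclasses import dataclass

AFFECTED_MAX = (5, 5, 7)  # versions 5.5.7 and earlier are affected

@dataclass
class Instance:
    host: str
    version: str
    internet_exposed: bool

def parse_version(version: str) -> tuple:
    """Turn '5.5.10' into (5, 5, 10). Comparison must be numeric: as strings,
    '5.5.10' < '5.5.7', which would wrongly flag a patched server."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:  # pad '5.5' to (5, 5, 0)
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    return parse_version(version) <= AFFECTED_MAX

def triage(inventory) -> dict:
    """Map each host to its findings; an empty list means no action needed."""
    findings = {}
    for inst in inventory:
        issues = []
        if is_affected(inst.version):
            issues.append(f"version {inst.version} is 5.5.7 or earlier: update")
        if inst.internet_exposed:
            issues.append("reachable from the internet: isolate")
        findings[inst.host] = issues
    return findings

SAMPLE = [  # constructed inventory; hostnames are placeholders
    Instance("rmm-01.example", "5.5.7", True),
    Instance("rmm-02.example", "5.5.10", False),
    Instance("rmm-03.example", "5.4.2", False),
]

if __name__ == "__main__":
    for host, issues in triage(SAMPLE).items():
        print(host, "->", "; ".join(issues) or "ok")
```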

CISA warns against paying ransoms, as there is no assurance that the decryptor provided by threat actors will successfully recover the encrypted files. Additionally, making payments may encourage adversaries to target more organizations, promote other criminal actors to engage in ransomware distribution, and potentially fund illicit activities.

In a related development, Broadcom-owned Symantec has detailed a Fog ransomware attack that targeted an unnamed financial institution in Asia. This attack utilized a combination of dual-use and open-source penetration testing tools not commonly seen in other ransomware-related intrusions.

Fog is a ransomware variant first detected in May 2024. It follows the typical ransomware playbook: gaining access to organizational networks through compromised virtual private network (VPN) credentials and exploited system vulnerabilities, exfiltrating data, and then encrypting it.

Alternate infection methods have involved deploying Windows shortcut files contained in ZIP archives distributed through emails and phishing attempts. Executing the shortcut file initiates a PowerShell script that downloads a ransomware loader with the Fog locker payload.
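As an added example (not from the Symantec or Trend Micro reporting), the script below inspects an e-mailed ZIP for Windows shortcut entries, the alternate Fog delivery vector just described, and recurses into nested archives; the sample archive is constructed in memory and its shortcut members are placeholder bytes, not real shortcut files.

```python
# Added example, not from the Symantec or Trend Micro reporting: inspect an
# e-mailed ZIP for Windows shortcut (.lnk) entries, the alternate Fog delivery
# described above, recursing into nested archives. The archive is constructed.
import io
import zipfile

MAX_DEPTH = 3  # stop on deeply nested archives rather than unpack forever

def shortcut_entries(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return paths of .lnk entries at any folder depth, matched without regard
    to case, plus those inside nested .zip members (shown as outer.zip!inner)."""
    found = []
    if depth > MAX_DEPTH:
        return found
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found  # not a ZIP (or damaged); nothing to inspect
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            if lowered.endswith(".lnk"):
                found.append(prefix + name)
            elif lowered.endswith(".zip"):
                found += shortcut_entries(archive.read(info), depth + 1,
                                          prefix + name + "!")
    return found

def build_sample_zip() -> bytes:
    """Constructed lure: a decoy PDF plus a shortcut, and a nested archive
    holding another shortcut. Shortcut bytes are placeholders, not real .lnk."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Statement.lnk", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Invoice_2025.pdf", b"%PDF-1.4 decoy")
        zf.writestr("docs/Invoice_2025.LNK", b"placeholder")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()

def is_suspicious(zip_bytes: bytes) -> bool:
    return bool(shortcut_entries(zip_bytes))

if __name__ == "__main__":
    print(shortcut_entries(build_sample_zip()))
```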

The attacks also exhibited advanced techniques for privilege escalation and evasion of detection, including executing malicious code directly in memory and disabling security tools. Fog is designed to target both Windows and Linux endpoints.

According to Trend Micro, by April 2025, the Fog threat actors had claimed approximately 100 victims on their data leak site, with the majority linked to the technology, education, manufacturing, and transportation sectors.

Interestingly, the attackers employed legitimate employee monitoring software named Syteca (previously Ekran), which is a rare choice in ransomware operations. Symantec reported that the attackers also utilized various open-source penetration testing tools, such as GC2 and Adaptix, which are atypical for ransomware attacks.

While the precise initial access vector remains unidentified, the threat actors have been found to leverage Stowaway, a proxy tool favored by certain hacking groups, to deliver Syteca. Moreover, they have been observed downloading legitimate programs such as 7-Zip and FreeFileSync to create compressed archives for data exfiltration.

Another noteworthy aspect of these attacks is that the attackers established a service for persistent network access several days after the ransomware deployment. This extended activity is atypical, as malicious operations typically halt after data exfiltration and ransomware deployment. In this scenario, it appears the attackers sought to maintain access to the victim’s network.

The unusual tactics suggest that espionage may have been a factor in the targeting of this company, possibly leading the threat actors to deploy Fog ransomware either as a distraction to conceal their primary objectives or as an opportunistic financial gain.

Further analysis of the LockBit ransomware-as-a-service (RaaS) scheme reveals that it garnered approximately $2.3 million within the last six months, indicating its persistence amid various setbacks.

Trellix examined LockBit’s geographic targeting from December 2024 to April 2025 in the wake of a significant admin panel leak in May 2025 and found that China is one of the nations most frequently targeted by affiliates such as Iofikdis, PiotrBond, and JamesCraig. Other prominent targets include Taiwan, Brazil, and Turkey.

The focus on China suggests a noteworthy market concentration, potentially driven by its substantial industrial footprint and manufacturing sector. Unlike other ransomware groups that may intermittently probe Chinese targets without encryption, LockBit seems willing to operate within China’s borders, demonstrating a notable divergence in their strategy.

The affiliate panel leak prompted LockBit to issue a monetary reward for verifiable information about an anonymous individual responsible for the leak. Additionally, it seems LockBit has benefited from the recent discontinuation of RansomHub, causing some affiliated actors to migrate to LockBit and compelling it to resume operations as it develops the forthcoming version, LockBit 5.0.

This leak illuminates the complex reality of ransomware operations, underscoring that while they can be lucrative, they are far from being the perfectly synchronized ventures that their operators might project to the world.