SimpleHelp, a **Remote Monitoring and Management (RMM)** platform widely used by MSPs and vendors, became the entry point for a **sophisticated supply-chain ransomware attack** in early 2025. Exploiting three critical unpatched vulnerabilities (**CVE-2024-57726, CVE-2024-57727, CVE-2024-57728**), threat actors from the **Medusa** and **DragonForce** ransomware groups weaponized SimpleHelp's **SYSTEM-level privileges** to breach downstream UK organizations. Attackers leveraged the trusted RMM infrastructure to **bypass security controls**, deploy ransomware (e.g., *Gaze.exe*, files renamed with the *.dragonforce_encrypted* extension), and exfiltrate data using tools such as **RClone** and **Restic**. Over **50% of incidents** involved **data theft**, targeting high-value assets (domain controllers, backups, financial and employee records). The attacks resulted in **operational disruptions**, **financial extortion via double-extortion leak sites**, and **reputational damage** from public victim shaming. Patches were available but had not been applied, exposing systemic failures in **third-party risk management** and **patch compliance**, with long-term consequences for the affected MSPs and their clients.
Source: https://gbhackers.com/medusa-and-dragonforce/
SimpleHelp Ltd cybersecurity rating report: https://www.rankiteo.com/company/simplehelp-ltd
{
"id": "sim1332213111025",
"linkid": "simplehelp-ltd",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': 'United Kingdom',
'type': ['Managed Service Providers (MSPs)',
'UK Organizations (Downstream Customers)']}],
'attack_vector': ['Exploitation of RMM Software Vulnerabilities (SimpleHelp)',
'Trusted Third-Party Compromise',
'Lateral Movement via Legitimate Tools (PDQ, AnyDesk)',
'Living-off-the-Land Binaries (LOLBins)'],
'data_breach': {'data_encryption': 'Yes (AES/Other, Files Renamed with '
'`.MEDUSA` or `*.dragonforce_encrypted`)',
'data_exfiltration': 'Yes (50% of Medusa Incidents; '
'DragonForce Used Restic for Off-Site '
'Backups)',
'file_types_exposed': ['Documents',
'VHDX (Hyper-V)',
'Configuration Files',
'SQL Password Stores'],
'personally_identifiable_information': 'Likely (Based on '
'Targeted File '
'Filters)',
'sensitivity_of_data': 'High (Backup Credentials, High-Value '
'Targets)',
'type_of_data_compromised': ['User Files',
'Backup Credentials (Veeam)',
'System Configuration Data',
'Potentially PII']},
'description': 'Cybersecurity researchers at Zensec exposed a supply-chain '
'attack campaign where ransomware-as-a-service groups (Medusa '
'and DragonForce) exploited critical vulnerabilities in '
'SimpleHelp RMM software (CVE-2024-57726, CVE-2024-57727, '
'CVE-2024-57728) to breach UK organizations via managed '
'service providers (MSPs) in Q1-Q2 2025. The attacks '
'weaponized trusted RMM infrastructure, using tools like PDQ '
'Deploy, AnyDesk, and RClone/Restic for lateral movement, data '
'exfiltration, and ransomware deployment (extensions: '
'`.MEDUSA`, `*.dragonforce_encrypted`). Double extortion '
'tactics included leak sites with proof-of-life data samples.',
'impact': {'brand_reputation_impact': 'High (Public Leak Sites, Proof-of-Life '
'Data Exposure)',
'data_compromised': ['User Data (Files >1500 days old, <1500MB)',
'Backup Infrastructure (Veeam Credentials, '
'Hyper-V VHDX)',
'High-Value Targets (Domain Controllers, File '
'Servers)'],
'identity_theft_risk': 'Potential (PII in Exfiltrated Data)',
'operational_impact': ['Encryption of Critical Systems',
'Disruption of IT Management Tools',
'Loss of Backup Integrity'],
'systems_affected': ['SimpleHelp RMM Servers',
'Downstream MSP Customer Networks',
'Windows Endpoints',
'Backup Systems (Veeam)',
'Hyper-V Virtual Machines']},
'initial_access_broker': {'backdoors_established': ['Local Admin Accounts '
"(e.g., 'admin')",
'AnyDesk for Persistence '
'(DragonForce)'],
'entry_point': 'Compromised SimpleHelp RMM Servers '
'(Via CVE-2024-57726, '
'CVE-2024-57727, CVE-2024-57728)',
'high_value_targets': ['Domain Controllers',
'File Servers',
'Backup Infrastructure '
'(Veeam, Hyper-V)']},
'investigation_status': 'Ongoing (Zensec Analysis)',
'lessons_learned': '1. Supply-chain risks from trusted third-party tools '
'(RMM) can bypass perimeter defenses. 2. Patch management '
'failures enable exploitation of known vulnerabilities. 3. '
'Legitimate IT tools (PDQ, AnyDesk) can be weaponized for '
'lateral movement. 4. Backup systems (Veeam, Hyper-V) are '
'high-value targets for credential harvesting. 5. Double '
'extortion (encryption + leak sites) increases pressure on '
'victims.',
'motivation': 'Financial Gain (Ransom Payments, Data Extortion)',
'post_incident_analysis': {'corrective_actions': ['Mandate patch validation '
'for third-party RMM tools.',
'Enforce least-privilege '
'principles for RMM '
'software.',
'Isolate RMM servers in '
'segmented networks.',
'Monitor for anomalous use '
'of IT management tools '
'(PDQ, AnyDesk).',
'Hardening of backup '
'systems (Veeam credential '
'protection).'],
'root_causes': ['Unpatched SimpleHelp RMM '
'vulnerabilities despite available '
'fixes.',
'Overprivileged RMM tools '
'(SYSTEM-level access by default).',
'Trust in legitimate management '
'channels (MSP tools bypassing '
'security controls).',
'Insufficient segmentation between '
'MSP and customer networks.']},
'ransomware': {'data_encryption': 'Yes (`.MEDUSA` and '
'`*.dragonforce_encrypted` Extensions)',
'data_exfiltration': 'Yes (Double Extortion Model)',
'ransomware_strain': ['Medusa', 'DragonForce']},
'recommendations': ['Audit third-party remote access tools (RMM) for '
'vulnerabilities and misconfigurations.',
'Verify vendor patch status and prioritize updates for '
'critical RMM software.',
'Implement network segmentation to limit lateral movement '
'from RMM servers.',
'Enhance monitoring for unusual activity in RMM tools '
'(e.g., unexpected PDQ/AnyDesk usage).',
'Restrict RMM tools to least-privilege access (avoid '
'SYSTEM-level privileges by default).',
'Secure backup credentials (e.g., Veeam) with encryption '
'and access controls.',
'Deploy behavioral detection for tools like RClone/Restic '
'in unusual contexts.',
'Prepare for double extortion scenarios with incident '
'response playbooks.'],
'references': [{'source': 'Zensec Research Report'},
{'source': 'Medusa Leak Site'},
{'source': 'DragonForce Public Blog/Data Leak Site'}],
'response': {'enhanced_monitoring': 'Recommended (RMM Activity, Unusual Tool '
'Usage)',
'network_segmentation': 'Recommended (Post-Incident)',
'third_party_assistance': ['Zensec (Investigation)']},
'threat_actor': ['Medusa Ransomware Group',
'DragonForce Ransomware-as-a-Service (RaaS) Group'],
'title': 'Sophisticated Supply-Chain Ransomware Attacks via SimpleHelp RMM '
'Vulnerabilities (2025)',
'type': ['Supply-Chain Attack',
'Ransomware',
'Data Exfiltration',
'Double Extortion'],
'vulnerability_exploited': ['CVE-2024-57726',
'CVE-2024-57727',
'CVE-2024-57728']}