Crazy Ransomware Gang Exploits Legitimate Tools for Stealthy Network Infiltration
Researchers at Huntress have uncovered a campaign by the Crazy ransomware gang, which abuses legitimate employee monitoring software and remote support tools to maintain persistence in corporate networks, evade detection, and prepare for ransomware attacks.
In multiple intrusions, the threat actors deployed Net Monitor for Employees Professional, a legitimate employee-monitoring tool, alongside SimpleHelp, a remote support platform, so that their activity blended in with normal administration. They installed Net Monitor through Windows Installer (msiexec.exe), which gave them remote desktop viewing, file transfer and command execution on the compromised hosts. They also attempted to enable the built-in local Administrator account with the command net user administrator /active:yes.
For redundant access, the attackers installed SimpleHelp via PowerShell, often renaming the binary to mimic legitimate software, for example OneDriveSvc.exe or vshost.exe (the name of a Visual Studio debugging host file). This second foothold kept their access alive even if the monitoring tool was found and removed.
In one case, the attackers configured SimpleHelp to raise alerts whenever a device accessed cryptocurrency wallets or remote management tools, most likely to time ransomware deployment or cryptocurrency theft. The monitored keywords included wallet software (MetaMask, Exodus), exchanges (Binance, Bybit) and remote access tools (RDP, AnyDesk, TeamViewer).
The attackers also disabled Windows Defender by stopping and then deleting its services, further reducing the chance of detection. Only one of the intrusions ended in Crazy ransomware deployment, but Huntress attributed both to the same actor on the strength of the reused vshost.exe filename and overlapping command-and-control infrastructure.
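The behaviours above (msiexec installing Net Monitor, enabling the built-in Administrator, a renamed SimpleHelp binary launched from PowerShell, and Defender services being stopped and deleted) are all visible in process-creation telemetry. The following is an added example, not code from Huntress or from the article: a small rule set that scans Sysmon Event ID 1 / Security 4688 style records and groups hits per host. The log records are constructed for the example, and the field names, the list of Defender service names and the user-writable directory heuristic are assumptions, not Huntress's own detections.

```python
"""Detect the Crazy ransomware tradecraft in process-creation records.
Added example; event records are constructed, field names and service
lists are assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # image path of the parent process
    image: str    # image path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# Filenames used to disguise SimpleHelp (from the report) and user-writable
# directories a genuine OneDrive/Visual Studio binary would not run from (assumption).
LOOKALIKE_NAMES = {"onedrivesvc.exe", "vshost.exe"}
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Defender service names are an assumption; the article only says services were
# stopped and deleted.
DEFENDER_SVC_RE = re.compile(r"\b(windefend|wdnissvc|wdnisdrv|wdfilter|wdboot|sense)\b", re.I)
SERVICE_TAMPER_RE = re.compile(
    r'\b(?:sc(?:\.exe)?"?\s+(?:stop|delete|config)|net1?(?:\.exe)?"?\s+stop'
    r'|Stop-Service|Remove-Service)\b', re.I)
NET_ACTIVATE_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+user\s+administrator\s+/active:yes\b', re.I)
MSI_INSTALL_RE = re.compile(r"(?:^|\s)/i\b", re.I)
NET_MONITOR_RE = re.compile(r"net\s?monitor", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(ev: ProcEvent) -> list[Finding]:
    """Apply every rule to one event; an event may trigger more than one rule."""
    hits = []
    image, parent, cmd = _base(ev.image), _base(ev.parent), ev.cmdline
    # 1. Net Monitor for Employees installed through Windows Installer.
    if image == "msiexec.exe" and MSI_INSTALL_RE.search(cmd) and NET_MONITOR_RE.search(cmd):
        hits.append(Finding(ev.host, "netmonitor_msi_install", cmd))
    # 2. Built-in Administrator account enabled from the command line.
    if image in {"net.exe", "net1.exe"} and NET_ACTIVATE_RE.search(cmd):
        hits.append(Finding(ev.host, "admin_account_enabled", cmd))
    # 3. Lookalike binary name launched by PowerShell or from a user-writable path.
    if image in LOOKALIKE_NAMES and (
        parent == "powershell.exe" or any(d in ev.image.lower() for d in USER_WRITABLE_DIRS)
    ):
        hits.append(Finding(ev.host, "masqueraded_remote_tool", ev.image))
    # 4. Stop, delete or reconfigure of a Defender service.
    if SERVICE_TAMPER_RE.search(cmd) and DEFENDER_SVC_RE.search(cmd):
        hits.append(Finding(ev.host, "defender_service_tampering", cmd))
    return hits


def detect(events: list[ProcEvent]) -> list[Finding]:
    return [f for ev in events for f in evaluate(ev)]


def rules_per_host(findings: list[Finding]) -> dict[str, list[str]]:
    """Distinct rules per host: several on one host is the chain described in
    the report, a single hit may just be an administrator."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in sorted(out.items())}


# Constructed sample events, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("WS01", CMD, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\Public\NetMonitorProfessional.msi" /qn'),
    ProcEvent("WS01", CMD, r"C:\Windows\System32\net.exe", "net user administrator /active:yes"),
    ProcEvent("WS01", PS, r"C:\ProgramData\OneDrive\OneDriveSvc.exe", "OneDriveSvc.exe"),
    ProcEvent("SRV02", PS, r"C:\Users\Public\vshost.exe", "vshost.exe"),
    ProcEvent("SRV02", CMD, r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcEvent("SRV02", CMD, r"C:\Windows\System32\sc.exe", "sc delete WinDefend"),
    # Benign look-alikes that must not fire.
    ProcEvent("WS03", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "OneDrive.exe /background"),
    ProcEvent("WS03", CMD, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Temp\ContosoAgent.msi" /qn'),
    ProcEvent("WS03", CMD, r"C:\Windows\System32\net.exe", "net user administrator"),
    ProcEvent("WS03", CMD, r"C:\Windows\System32\sc.exe", "sc stop Spooler"),
]

if __name__ == "__main__":
    for host, rules in rules_per_host(detect(SAMPLE_EVENTS)).items():
        print(host, rules)
```

Run against the constructed events, WS01 and SRV02 each show several distinct rules firing while WS03, whose activity is routine administration, shows none. In production the same rules would be fed from a SIEM export rather than the inline list, and the lookalike-name rule is the one most worth tuning, since an attacker can pick any filename; matching on the SimpleHelp signer or binary hash is the more durable signal.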
Abuse of legitimate remote management tools has become a common tactic in ransomware operations because the resulting traffic and process activity look like ordinary administration. Both breaches began with compromised SSL VPN credentials, underscoring the need for multi-factor authentication and other stronger controls on remote access.
SimpleHelp Ltd cybersecurity rating report: https://www.rankiteo.com/company/simplehelp-ltd
{
  "id": "SIM1770839636",
  "linkid": "simplehelp-ltd",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "Corporate networks"}],
  "attack_vector": "Compromised SSL VPN credentials",
  "data_breach": {"data_exfiltration": "Potential (monitored cryptocurrency wallet access)"},
  "description": "Researchers at Huntress uncovered a campaign by the Crazy ransomware gang, which abuses legitimate employee monitoring software and remote support tools to maintain persistence in corporate networks, evade detection, and prepare for ransomware attacks. The attackers deployed Net Monitor for Employees Professional and SimpleHelp to blend in with normal administrative activity, enabling remote desktop viewing, file transfers, and command execution. They also disabled Windows Defender and used compromised SSL VPN credentials for initial access.",
  "impact": {"operational_impact": "Remote command execution, persistence in corporate networks"},
  "initial_access_broker": {
    "backdoors_established": "Net Monitor for Employees Professional, SimpleHelp",
    "entry_point": "Compromised SSL VPN credentials",
    "high_value_targets": "Cryptocurrency wallets, remote management tools"
  },
  "investigation_status": "Ongoing (researchers linked multiple intrusions to the same threat actor)",
  "lessons_learned": "Use of legitimate remote management tools can evade detection; stronger authentication controls (e.g., MFA) are needed for SSL VPN access.",
  "motivation": "Financial gain (ransomware deployment, cryptocurrency theft)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Implement MFA for VPN access",
      "Monitor for unusual use of remote access tools",
      "Enhance detection of Windows Defender tampering"
    ],
    "root_causes": [
      "Compromised SSL VPN credentials",
      "Abuse of legitimate remote access tools"
    ]
  },
  "ransomware": {
    "data_exfiltration": "Potential (monitored cryptocurrency wallet access)",
    "ransomware_strain": "Crazy ransomware"
  },
  "recommendations": [
    "Implement multi-factor authentication (MFA) for SSL VPN access",
    "Monitor for unusual use of legitimate remote access tools",
    "Enhance detection of Windows Defender tampering",
    "Segment networks to limit lateral movement"
  ],
  "references": [{"source": "Huntress"}],
  "response": {"third_party_assistance": "Huntress (researchers)"},
  "threat_actor": "Crazy ransomware gang",
  "title": "Crazy Ransomware Gang Exploits Legitimate Tools for Stealthy Network Infiltration",
  "type": "Ransomware"
}