Groups linked with the Play ransomware have compromised more than 900 organizations. Their techniques include exploiting an unpatched vulnerability in the SimpleHelp remote-access tool (CVE-2024-57727, listed in the record below) on servers where the fix has not been applied. The operators use double extortion: they exfiltrate sensitive data, encrypt the victim's systems, and then threaten to publish the stolen data unless a ransom is paid. Initial access is obtained through several routes, including stolen credentials, exposed RDP and VPN services, and exploitation of older, publicly known vulnerabilities. The FBI, with CISA and the Australian Signals Directorate's cyber security centre, warns that multiple ransomware groups have exploited the SimpleHelp flaw, leading to significant data breaches and potential financial losses.
Source: https://www.theregister.com/2025/06/04/play_ransomware_infects_900_victims/
TPRM report: https://scoringcyber.rankiteo.com/company/simplehelp-ltd
"id": "sim358060525",
"linkid": "simplehelp-ltd",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'location': 'United States'}],
'attack_vector': ['Stolen Credentials',
'Remote Desktop Protocol (RDP)',
'Virtual Private Networks (VPN)',
'Exploiting Vulnerabilities'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'type_of_data_compromised': 'Sensitive Data'},
'date_publicly_disclosed': '2025-06-04',
'description': 'Groups linked with the Play ransomware have exploited more '
'than 900 organizations, using various techniques including '
'exploiting a security flaw in remote-access tool SimpleHelp '
"if organizations haven't patched it.",
'impact': {'data_compromised': 'Sensitive Data'},
'initial_access_broker': {'entry_point': ['Stolen Credentials',
'RDP',
'VPN',
'Exploiting Vulnerabilities']},
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': ['Patching vulnerabilities',
'Strengthening credentials',
'Monitoring for unusual '
'activity'],
'root_causes': ['Exploiting Vulnerabilities',
'Using Stolen Credentials',
'Remote Access Tools']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Play'},
'recommendations': ['Patch vulnerabilities',
'Use strong credentials',
'Monitor for unusual activity'],
'references': [{'date_accessed': '2025-06-04',
'source': 'FBI, Cybersecurity and Infrastructure Security '
"Agency, and Australian Signals Directorate's Cyber "
'Security Centre'}],
'response': {'law_enforcement_notified': True},
'threat_actor': 'Play Ransomware Operators',
'title': 'Play Ransomware Campaign',
'type': 'Ransomware',
'vulnerability_exploited': ['CVE-2018-13379',
'CVE-2020-12812',
'CVE-2022-41040',
'CVE-2022-41082',
'CVE-2024-57727']}
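The record's 'recommendations' reduce to "patch vulnerabilities", but the useful question for a practitioner is which assets are still exposed to the five CVEs the record lists. The following triage script is an added example, not code from Rankiteo, The Register or the FBI/CISA advisory. It copies the record's 'vulnerability_exploited' list, maps each CVE to the product it affects (Fortinet FortiOS, Microsoft Exchange, SimpleHelp; public information added here), and flags inventory entries that are still exposed. The SIMPLEHELP_FIXED table of first patched releases per branch is an assumption recalled from the vendor advisory and must be confirmed before use; the inventory is constructed sample data, and the hypothetical Asset/triage names are mine.

```python
"""Triage an asset inventory against the CVEs in the Play record above.

Added example (not Rankiteo's or the advisory's code). The CVE-to-product
mapping is public record; SIMPLEHELP_FIXED holds the first patched release
per SimpleHelp branch as recalled from the vendor advisory and is an
ASSUMPTION to verify before use. The inventory is constructed sample data.
"""
from dataclasses import dataclass, field

# Copy of the record's vulnerability list (from the page above).
PLAY_RECORD = {
    "ransomware_strain": "Play",
    "vulnerability_exploited": [
        "CVE-2018-13379", "CVE-2020-12812",
        "CVE-2022-41040", "CVE-2022-41082",
        "CVE-2024-57727",
    ],
}

# Which product each listed CVE affects (Fortinet FortiOS SSL-VPN,
# Microsoft Exchange, SimpleHelp). Public information, added here.
CVE_PRODUCT = {
    "CVE-2018-13379": "fortios",
    "CVE-2020-12812": "fortios",
    "CVE-2022-41040": "exchange",
    "CVE-2022-41082": "exchange",
    "CVE-2024-57727": "simplehelp",
}

# ASSUMPTION: first SimpleHelp release per branch that fixes CVE-2024-57727.
# Confirm against the vendor's advisory; a wrong value here silently
# misclassifies servers.
SIMPLEHELP_FIXED = {(5, 3): (5, 3, 9), (5, 4): (5, 4, 10), (5, 5): (5, 5, 8)}


def parse_version(text: str) -> tuple:
    """'5.5.7' -> (5, 5, 7); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def simplehelp_vulnerable(version: str) -> bool:
    """True when the server version predates the fix for its branch.

    Branches newer than the newest fixed branch shipped after the fix and
    are treated as patched; older branches with no fix listed are treated
    as vulnerable, because their owner cannot have applied a patch.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in SIMPLEHELP_FIXED:
        return v < SIMPLEHELP_FIXED[branch]
    return branch < max(SIMPLEHELP_FIXED)


@dataclass
class Asset:
    host: str
    product: str            # 'fortios', 'exchange', 'simplehelp', ...
    version: str
    internet_facing: bool
    patched_cves: frozenset = field(default_factory=frozenset)


def triage(assets, record=PLAY_RECORD):
    """Return (host, cve, priority) for every asset still exposed to a CVE
    the record says Play has exploited. Internet-facing assets are P1."""
    findings = []
    for asset in assets:
        for cve in record["vulnerability_exploited"]:
            if CVE_PRODUCT.get(cve) != asset.product:
                continue
            if asset.product == "simplehelp":
                exposed = simplehelp_vulnerable(asset.version)
            else:
                # No version oracle for these: trust the patch record only.
                exposed = cve not in asset.patched_cves
            if exposed:
                priority = "P1" if asset.internet_facing else "P2"
                findings.append((asset.host, cve, priority))
    return sorted(findings, key=lambda f: (f[2], f[0], f[1]))


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    Asset("rs-01", "simplehelp", "5.5.7", True),
    Asset("rs-02", "simplehelp", "5.5.8", True),
    Asset("rs-03", "simplehelp", "5.2.1", False),
    Asset("mail-01", "exchange", "15.2", True, frozenset({"CVE-2022-41040"})),
    Asset("fw-01", "fortios", "7.0.12", False,
          frozenset({"CVE-2018-13379", "CVE-2020-12812"})),
]

if __name__ == "__main__":
    for host, cve, prio in triage(SAMPLE_ASSETS):
        print(f"{prio} {host}: exposed to {cve}")
```

The design choice worth noting is the failure mode: a SimpleHelp branch the table does not know about is treated as vulnerable when it is older than the newest fixed branch, so a stale table errs toward a false positive rather than a silent miss. For the Fortinet and Exchange entries the script has no version oracle and relies only on the recorded patch state, so an inventory that does not track applied CVEs will produce findings for every such asset; that is the intended prompt to go and verify.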