Ransomware scum disrupted utility services with SimpleHelp attacks
Ransomware criminals infected a utility billing software provider’s customers, and in some cases disrupted services, after exploiting unpatched versions of SimpleHelp’s remote monitoring and management (RMM) tool, according to a Thursday CISA alert.
“This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025,” the security advisory warned. “Ransomware actors likely exploited CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents.”
CVE-2024-57727 is a high-severity path traversal vulnerability that affects SimpleHelp 5.5.7 and prior versions. The vendor fixed the hole in January, but ransomware crews reportedly exploited unpatched versions.
The cyber-defense agency’s warning follows a similar advisory from the feds, issued last week, about Play ransomware gang members exploiting the same SimpleHelp security flaw in double-extortion attacks. Those incidents see criminals first steal sensitive data, then encrypt victims’ files, before threatening to release the stolen information online unless the victims pay up.
Play ransomware was among the top five targeting critical infrastructure last year.
CISA’s very brief advisory encourages organizations using SimpleHelp’s remote-access tool to search for evidence of compromise and patch CVE-2024-57727 if they haven’t already.
Neither SimpleHelp nor CISA immediately responded to The Register’s inquiries regarding the scope and scale of attacks abusing the remote-management software. We will update this story if we receive responses.
The CISA advisory also follows an earlier report about DragonForce ransomware infecting a managed service provider and its customers after exploiting CVE-2024-57727.
In addition to deploying their encryptor across multiple endpoints, the criminals also stole sensitive data and used double-extortion tactics to pressure the victims into paying a ransom. ®