CISA Warns Ransomware Groups Targeting SimpleHelp RMM
DragonForce and other actors exploiting CVE-2024-57727 to compromise utility billing providers and their downstream customers.
CISA released a cybersecurity advisory warning that ransomware actors continue exploiting vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to compromise organizations through their managed service providers and software vendors. The advisory specifically calls out attacks against utility billing software providers—demonstrating how supply chain compromises ripple through critical infrastructure.
The exploitation pattern has been active since at least January 2025, with DragonForce ransomware actors identified as a primary threat. Organizations using SimpleHelp—or receiving services from vendors who use it—should treat this as an active threat requiring immediate attention.
What's Being Exploited
The core vulnerability is CVE-2024-57727, a path traversal flaw affecting SimpleHelp versions 5.5.7 and earlier. CISA added it to the Known Exploited Vulnerabilities catalog in February 2025, establishing a federal patching deadline that has long since passed.
Two additional vulnerabilities compound the risk:
- CVE-2024-57728: Arbitrary file upload vulnerability
- CVE-2024-57726: Privilege escalation vulnerability
Chained together, these flaws give attackers a path from unauthenticated access to full system compromise. SimpleHelp released patches, but organizations that haven't updated remain exposed.
The Supply Chain Attack Pattern
The attack pattern follows a now-familiar playbook. Ransomware operators don't target end victims directly. They compromise the software or services those victims depend on.
In this case, attackers compromise SimpleHelp instances at managed service providers or software vendors. SimpleHelp's RMM functionality provides legitimate remote access to customer systems—exactly the access ransomware operators want. Once inside a vendor's SimpleHelp deployment, attackers pivot to downstream customers.
CISA's advisory specifically references attacks against utility billing software providers. A successful compromise here cascades: the billing provider's customers—utilities and their ratepayers—face service disruptions. The attackers then apply double extortion, encrypting systems and also threatening to publish the data they stole.
This pattern mirrors the Marquis Software breach that affected financial institutions through a third-party compromise.
DragonForce Attribution
CISA cites Sophos research identifying DragonForce as a primary actor exploiting SimpleHelp vulnerabilities. DragonForce has been active since at least mid-2024 and has claimed responsibility for attacks on major retail chains including Marks & Spencer and Co-op in the UK.
The group employs double extortion tactics, combining ransomware encryption with data theft and publication threats. Their targeting of MSPs and software vendors suggests operational maturity—they understand that supply chain attacks multiply impact.
Indicators of Compromise
CISA recommends organizations search for:
- Three-letter executable filenames: Files like aaa.exe, bbb.exe, or xyz.exe with creation dates after January 2025. This naming convention appears specific to these campaigns.
- Unusual SimpleHelp traffic: Inbound or outbound connections to SimpleHelp servers that don't match expected patterns.
- Evidence of lateral movement: Signs that attackers moved from SimpleHelp infrastructure to connected systems.
Organizations should conduct host and network vulnerability scans to verify their systems are clean, particularly if they've run SimpleHelp versions 5.5.7 or earlier at any point since January 2025.
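The two checks above that can be automated on a host are the version test (5.5.7 or earlier is affected) and the sweep for three-letter executable names created after January 2025. The following script is an added example, not code from CISA, Sophos or SimpleHelp; the helper names, the default scan roots and the use of ctime as a stand-in for creation time on Linux are assumptions of this example.

```python
"""Hunt for the CISA-listed SimpleHelp indicators on a host.

Added example, not from the advisory or from SimpleHelp. It encodes two
checks from the advisory text: (1) whether a SimpleHelp version string falls
in the affected range (5.5.7 and earlier), and (2) a filesystem sweep for
three-letter executable names such as aaa.exe created after January 2025.
Function names, default scan roots and the ctime fallback are assumptions.
"""
import os
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

# Highest SimpleHelp version the advisory lists as affected by CVE-2024-57727.
LAST_VULNERABLE_VERSION = (5, 5, 7)

# Creation-date cut-off from the advisory: files created after January 2025.
CUTOFF = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Exactly three letters followed by .exe, e.g. aaa.exe / bbb.exe / xyz.exe.
THREE_LETTER_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)


def parse_version(text):
    """Turn '5.5.7' into (5, 5, 7); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable_version(text):
    """True if the SimpleHelp version is 5.5.7 or earlier."""
    return parse_version(text) <= LAST_VULNERABLE_VERSION


def creation_time(path):
    """Best-effort creation time as an aware UTC datetime.

    Windows and macOS expose a true birth time; Linux os.stat has no birth
    time, so ctime (last inode change) is used there as an approximation
    (assumption: good enough for a first triage pass, not for forensics).
    """
    st = path.stat()
    ts = getattr(st, "st_birthtime", None) or st.st_ctime
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def find_suspicious_executables(root, cutoff=CUTOFF):
    """Return sorted paths under root that match the naming indicator and
    were created after the cutoff."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not THREE_LETTER_EXE.match(name):
                continue
            path = Path(dirpath) / name
            try:
                if creation_time(path) > cutoff:
                    hits.append(str(path))
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(hits)


if __name__ == "__main__":
    # Default roots are an assumption; pass explicit directories as arguments.
    roots = sys.argv[1:] or ["C:\\" if os.name == "nt" else "/"]
    for root in roots:
        for hit in find_suspicious_executables(root):
            print("INDICATOR", hit)
```

A hit on the filename pattern alone is a lead, not a verdict: confirm it against the traffic and lateral-movement indicators above and preserve the file and its timestamps before touching it.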
Recommended Mitigations
If you're running vulnerable SimpleHelp versions:
- Isolate immediately - Take the SimpleHelp server offline or stop the service
- Upgrade - Apply the latest SimpleHelp security updates
- Hunt for compromise - Search for the indicators above
- Notify downstream customers - If you're a vendor, your customers need to know they may be at risk
Proactive measures:
- Maintain offline backups - Store backup media on physically separate, air-gapped systems
- Restrict RDP exposure - Don't expose Remote Desktop Protocol directly to the internet
- Establish vendor communication - Know how your software vendors manage patching
- Implement SBOM practices - Track what software—and what versions—you're running
If you've been encrypted:
- Disconnect systems from the internet immediately
- Reinstall operating systems from clean installation media
- Restore only from backups you're confident weren't compromised
- Report to CISA and the FBI
Why This Matters
RMM tools present a fundamental paradox for security. Organizations use them precisely because they provide remote access to systems—the same access attackers want. A compromised RMM deployment hands attackers legitimate credentials and established communication channels.
The SimpleHelp vulnerabilities have been known for over a year. Patches exist. Yet CISA felt compelled to issue this advisory because exploitation continues. That gap between patch availability and patch deployment is where ransomware operators operate.
For organizations that rely on third-party vendors using RMM tools, this advisory reinforces an uncomfortable truth: your security posture depends partly on your vendors' patching practices. Asking difficult questions about how vendors secure their management infrastructure isn't paranoia—it's prudent risk management.
The full CISA advisory (AA25-163A) is available at cisa.gov.