News Trooper
© 2025 All Rights Reserved | Powered by News Trooper News
Ransomware gangs exploit unpatched SimpleHelp flaws to target victims with double extortion

June 13, 2025 8 Min Read

The US Cybersecurity and Infrastructure Security Agency (CISA) revealed Thursday that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider.

“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025,” the agency said in its advisory.

Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could lead to information disclosure, privilege escalation, and remote code execution.

The vulnerabilities have since been repeatedly exploited in the wild, including by ransomware groups such as DragonForce to breach targets of interest. Last month, Sophos revealed that threat actors had used these flaws to gain access to a managed service provider's SimpleHelp deployment and then leveraged it to pivot to the provider's downstream customers.

CISA said SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, which ransomware crews are exploiting to gain access to unpatched SimpleHelp instances at downstream customers for double extortion attacks.

The agency outlines the following mitigations, which organizations, including third-party service providers that use SimpleHelp to connect to downstream customers, can implement to better respond to ransomware activity:

  • Identify and isolate your SimpleHelp server instance from the internet, and update it to the latest version
  • Notify downstream customers and instruct them to take action to secure their endpoints
  • Conduct threat hunting for indicators of compromise and monitor for abnormal inbound and outbound traffic from SimpleHelp servers (for downstream customers)
  • Disconnect affected systems from the internet and, if they have been encrypted by ransomware, reinstall the operating system and restore data from a clean backup
  • Maintain clean offline backups and refresh them regularly
  • Do not expose remote services such as Remote Desktop Protocol (RDP) to the web

CISA said it does not encourage victims to pay ransoms, because there is no guarantee that decryptors provided by threat actors will recover their files.

“In addition, payments could embolden adversaries to target additional organizations and encourage other criminals to engage in ransomware distribution.”

FOG Ransomware Attack deploys employee monitoring software

The development comes as Broadcom-owned Symantec detailed a Fog ransomware attack targeting an unnamed Asian financial institution, combining dual-use and open-source pentesting tools that have not been observed in other ransomware-related intrusions.

Fog is a ransomware variant first detected in May 2024. Like other ransomware operations, the financially motivated crew uses compromised virtual private network (VPN) credentials and system vulnerabilities to access an organization’s network and encrypt data.

Alternative infection sequences employ Windows Shortcut (LNK) files contained in ZIP archives, which are distributed via email phishing attacks. Running the LNK file downloads a PowerShell script responsible for dropping the ransomware loader that contains the Fog locker payload.

The attacks are also characterized by advanced techniques to escalate privileges and avoid detection, such as loading malicious code directly into memory and disabling security tools. Fog can target both Windows and Linux endpoints.

According to Trend Micro, as of April 2025, Fog threat actors had claimed 100 victims on their data leak site since the beginning of the year, with the majority linked to the technology, education, manufacturing and transportation sectors.

“The attackers used legitimate employee monitoring software called Syteca (formerly Ekran), which is very unusual,” Symantec said. “They also deployed several open-source pentest tools (GC2, Adaptix, and Stowaway), which are not commonly used during ransomware attacks.”


The exact initial access vector used in the incident is unknown, but the threat actors are known to have used Stowaway, a proxy tool widely used by Chinese hacking groups, to deliver Syteca. It is worth noting that GC2 was used in an attack carried out by the Chinese state-sponsored hacking group APT41 in 2023.

The attackers also downloaded legitimate programs such as 7-Zip, FreeFileSync, and MEGAsync to create compressed archives for data exfiltration.

Another interesting aspect of the attack is that, several days after the ransomware was deployed, the attacker created a service to establish persistence on the network. The threat actors are said to have spent about two weeks in the network before dropping the ransomware.

“This is an unusual step to see in ransomware attacks. Once an attacker exfiltrates data and deploys ransomware, malicious activity on the network usually stops, but the attackers in this incident appear to want to maintain access to the victim’s network.”

The unusual tactic raises the possibility that the company was targeted for espionage, with the threat actors deploying Fog ransomware as a distraction to hide their true goals, or to make some quick money on the side.

Lockbit Panel Leak reveals that China is the most targeted

The findings also coincide with the revelation that the LockBit ransomware-as-a-service (RaaS) scheme has earned around $2.3 million within the last six months, indicating that the e-crime group continues to operate despite several setbacks.

Furthermore, Trellix’s analysis of LockBit's geographic targeting from December 2024 to April 2025, based on the May 2025 admin panel leak, revealed that China is among the most heavily targeted countries, chiefly by Aophikudis, Piotlbond and James Scraig. Other notable targets include Taiwan, Brazil and Türkiye.

“The concentration of attacks in China suggests a major focus on this market, probably due to its large industrial base and manufacturing sector,” said security researcher Jambul Tologonov.


“Unlike groups such as Black Basta and Conti, which sometimes probe Chinese targets without encrypting, LockBit appears willing to operate within China’s borders, ignoring the potential political consequences, which marks an interesting difference in approach.”

The affiliate panel leak prompted LockBit to announce a financial reward for verifiable information about “Xoxo from Prague,” the anonymous actor who claimed responsibility for the leak.

In addition, LockBit appears to be benefiting from the sudden shutdown of RansomHub towards the end of March 2025, which forced some of the latter's affiliates, including Baleybeach and Guillaumeatkinson, to move to LockBit and reactivate their operations, amid an ongoing effort to develop the next version of the ransomware, 5.0.

“What this leak really shows is the complex and ultimately unattractive reality of their illegal ransomware activities. It’s profitable, but it’s far from a fully organized, large-scale lucrative operation,” concluded Tologonov.
