Ransomware gangs weaponize SimpleHelp flaws for double extortion
Kirsten Peremore
Jun 18, 2025 2:51:20 PM

In June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in advisory AA25-163A that ransomware actors have been actively exploiting unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to carry out double extortion attacks.
What happened
The exploitation targeted customers of an unnamed utility billing software provider and marks an escalation of a trend CISA has tracked since January 2025. The attackers abused three flaws disclosed in January 2025 that affect SimpleHelp 5.5.7 and earlier: CVE-2024-57727, a path traversal that lets an unauthenticated user read arbitrary files from the server, including its configuration; CVE-2024-57726, a missing-authorization bug that lets a low-privileged technician account escalate to administrator; and CVE-2024-57728, an arbitrary file upload by an administrator that yields remote code execution on the SimpleHelp server. Chained together they give an attacker information disclosure, privilege escalation and code execution on the system that manages every endpoint enrolled in the RMM.
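Because the attacks hinge on servers that never moved to a fixed release, the first thing a defender wants is a quick triage of which SimpleHelp instances are still in the affected range. The following is an added example (not code from the original article, from CISA or from SimpleHelp): it compares a reported version against the vendor's public fix versions (5.5.8, 5.4.10 and 5.3.9) and flags anything older on its branch, or on any branch older than 5.3, as affected. The `Server` header format it parses, the hostnames and the inventory are constructed for the example and are not real data.

```python
"""Triage SimpleHelp server versions against the fixes for
CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728.

Fixed releases (public vendor fix versions): 5.5.8, 5.4.10, 5.3.9.
Anything below those on its branch, or on an older branch, is treated
as affected. Versions on a newer branch than 5.5 are treated as fixed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Earliest fixed release per maintained branch (major, minor) -> version.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 5): (5, 5, 8),
    (5, 4): (5, 4, 10),
    (5, 3): (5, 3, 9),
}


def parse_version(text: str) -> Version:
    """Turn '5.5.7' or 'v5.5.7' into a comparable tuple of ints."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its branch.

    A version with no patch component (e.g. '5.5') compares lower than
    the fixed release and is therefore, conservatively, reported as affected.
    """
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return v < fixed
    # Branch not in the table: older than every fixed branch is unfixed,
    # newer than every fixed branch is assumed to carry the fix.
    return branch < min(FIXED_BY_BRANCH)


def version_from_server_header(value: str) -> Optional[str]:
    """Pull a version out of a header value such as 'SimpleHelp/5.5.7'.

    The header format here is an assumption made for this example; confirm
    how your own deployment exposes its version before relying on it.
    """
    m = re.search(r"SimpleHelp\D*(\d+(?:\.\d+)+)", value, re.IGNORECASE)
    return m.group(1) if m else None


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose SimpleHelp version is affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hypothetical hostnames and versions.
SAMPLE_INVENTORY: Dict[str, str] = {
    "rmm-msp.example": "5.5.7",      # one patch level short of the fix
    "rmm-branch.example": "5.4.10",  # fixed on the 5.4 branch
    "rmm-legacy.example": "5.2.3",   # branch predates every fix
    "rmm-new.example": "5.5.8",      # fixed
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: SimpleHelp {SAMPLE_INVENTORY[host]} is affected, upgrade")
```

A version check is only the first step: a server that ran an affected release while internet-exposed should also be examined for unexpected technician or admin accounts, API keys and recently added client installations, since the flaws were exploited before many operators patched.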
The ransomware group DragonForce was among those abusing these flaws. In one reported incident, a Managed Service Provider's SimpleHelp instance was compromised and then used to reach the systems of its downstream customers, the RMM serving as the attackers' path into every client it managed. Separately, Symantec uncovered a Fog ransomware intrusion at a financial institution in Asia that began with stolen VPN credentials and phishing emails carrying malicious LNK files, and in which the attackers installed Syteca, a legitimate employee-monitoring product, to watch users and capture their activity.
Fog, active since May 2024, also brought dual-use tooling into that intrusion: the Adaptix command-and-control framework, the Stowaway proxy and GC2, a Google Sheets-based command-and-control tool previously linked to the Chinese group APT41. Meanwhile, analysis of LockBit operations between December 2024 and April 2025, made possible by the May 2025 leak of an affiliate admin panel, identified China, Taiwan, Brazil and Turkey as key targets, with affiliates Iofikdis, PiotrBond and JamesCraig leading the activity. LockBit also benefited when rival group RansomHub's infrastructure went offline around the start of April 2025.
What was said
According to the CISA advisory, “This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.”
Why it matters
Ransomware groups like DragonForce and Fog no longer just encrypt files; they steal data first, then threaten to leak it for double extortion. They also blend in legitimate software (the employee-monitoring product Syteca) and dual-use proxy and command-and-control tools (Stowaway, GC2) to hide among normal administrative activity and stay inside a network for weeks. The SimpleHelp cases add a second lesson: an RMM server is a privileged foothold into every endpoint it manages, so an unpatched instance, or one an MSP operates on your behalf, is effectively an open door to the whole estate. Organizations using SimpleHelp should confirm the server runs a fixed release (5.5.8, 5.4.10 or 5.3.9 depending on branch), keep it off the open internet where possible, and review technician accounts, API keys and recent remote sessions for anything they did not create.
FAQs
What is double extortion in ransomware attacks?
Double extortion is a tactic where attackers not only encrypt a victim's data but also steal a copy of it first, then threaten to publish or sell the stolen data unless the ransom is paid.
How is double extortion different from traditional ransomware?
Traditional ransomware focused on file encryption and demanded payment for a decryption key. Double extortion adds a second layer, making the consequences of refusal far more damaging, including public leaks, reputational harm, or regulatory penalties.
How do ransomware attacks start?
Most attacks begin with phishing emails, malicious links or attachments, compromised credentials (such as VPN or RDP access), or unpatched, internet-exposed software such as the SimpleHelp RMM servers described above.