Date: 11/12/2025
Severity: High
Summary
In early 2025, researchers identified a surge of ransomware attacks abusing the SimpleHelp Remote Monitoring and Management (RMM) platform, widely used by MSPs and software vendors. Threat groups such as Medusa and DragonForce exploited three vulnerabilities — CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 — to infiltrate downstream customer networks. By compromising RMM servers running with SYSTEM privileges, attackers gained full administrative control. They then executed network discovery, disabled security tools, and exfiltrated data using RClone and Restic. Finally, they encrypted victim systems, completing a coordinated ransomware campaign.
Indicators of Compromise (IOC) List
IP Addresses:
213.183.63.41
179.60.146.40
91.191.209.110
SHA-256 Hashes:
df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851
b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505
89d473ad486e144f3c71ad95ed6016248613fc33d76792e8632206cea86ecfdd
aea8f85e569443a8c00b94fa19b5155b9122183f05bedfdcdccd1d18451760fd
e414f781c73f6984158f5d12af9f89c57d993e8db0322ebc0da346179a8b9e2d
98394683d8f30ce9fb313100f593dc16e97a52723b18d534cf586391a97cdc1d
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators, either direction):
dstipaddress IN ("91.191.209.110","179.60.146.40","213.183.63.41") or srcipaddress IN ("91.191.209.110","179.60.146.40","213.183.63.41")
Detection Query 2 (file hash indicators):
sha256hash IN ("df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851","e414f781c73f6984158f5d12af9f89c57d993e8db0322ebc0da346179a8b9e2d","b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505","89d473ad486e144f3c71ad95ed6016248613fc33d76792e8632206cea86ecfdd","aea8f85e569443a8c00b94fa19b5155b9122183f05bedfdcdccd1d18451760fd","98394683d8f30ce9fb313100f593dc16e97a52723b18d534cf586391a97cdc1d")
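As an added example (not part of the advisory and not Gurucul code), the two queries above re-expressed as a matcher run over constructed newline-delimited JSON events; it assumes the log schema uses the same field names as the queries (srcipaddress, dstipaddress, sha256hash) and shows the hash-casing and malformed-line cases a sweep over real logs has to survive.

```python
import json
from typing import Dict, List

# IOCs taken from the advisory above: the three IPs and six SHA-256 hashes it lists.
IOC_IPS = {"213.183.63.41", "179.60.146.40", "91.191.209.110"}
IOC_SHA256 = {
    "df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851",
    "b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505",
    "89d473ad486e144f3c71ad95ed6016248613fc33d76792e8632206cea86ecfdd",
    "aea8f85e569443a8c00b94fa19b5155b9122183f05bedfdcdccd1d18451760fd",
    "e414f781c73f6984158f5d12af9f89c57d993e8db0322ebc0da346179a8b9e2d",
    "98394683d8f30ce9fb313100f593dc16e97a52723b18d534cf586391a97cdc1d",
}

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the advisory's detection queries that this event triggers.

    Query 1: either endpoint address is in the IOC IP set.
    Query 2: the file hash is in the IOC SHA-256 set; compared lowercase because
    logging pipelines disagree on hash casing and a case-sensitive match would miss.
    """
    hits = []
    if event.get("srcipaddress") in IOC_IPS or event.get("dstipaddress") in IOC_IPS:
        hits.append("Detection Query 1")
    if str(event.get("sha256hash", "")).strip().lower() in IOC_SHA256:
        hits.append("Detection Query 2")
    return hits

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan newline-delimited JSON events; return one record per matching line."""
    results = []
    for n, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip it rather than abort the whole sweep
        if not isinstance(event, dict):
            continue  # valid JSON but not an event object (e.g. a bare number)
        hits = match_event(event)
        if hits:
            results.append({"line": n, "queries": hits, "event": event})
    return results

# Constructed sample events (assumed schema, not taken from the advisory) that exercise both queries.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "213.183.63.41"}',
    '{"srcipaddress": "10.0.0.7", "sha256hash": "DF6CB5199C272C491B3A7AC44DF6C4C279D23F7C09DAED758C831B26732A4851"}',
    '{"srcipaddress": "10.0.0.9", "dstipaddress": "1.1.1.1"}',
    "not json at all",
]
```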
Reference:
https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks/