The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over active exploitation of SimpleHelp Remote Monitoring and Management (RMM) vulnerabilities, which have been leveraged by ransomware groups to breach downstream customers of an unnamed utility billing software provider.
According to the advisory, threat actors are exploiting unpatched SimpleHelp versions (5.5.7 and earlier) to gain remote access, pivot across networks, and conduct double extortion attacks. The flaws, including CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow for information disclosure, privilege escalation, and remote code execution.
One observed case involved ransomware actors accessing a Managed Service Provider’s SimpleHelp instance to reach multiple customer networks.
🛡️ CISA Recommends Immediate Actions:
- Isolate all SimpleHelp instances from public-facing exposure and update them to a patched version
- Alert downstream customers and guide them in securing their endpoints
- Perform threat hunting for indicators of compromise and unusual traffic
- Reinstall infected systems and restore from offline clean backups
- Avoid exposing RDP and other remote services to the internet
- Do not pay ransoms, as it emboldens threat actors and may not guarantee recovery
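One way to operationalize the first recommendation is to triage an RMM inventory against the affected range (5.5.7 and earlier). The script below is an added example, not CISA's or SimpleHelp's own tooling; the inventory fields (host, version, internet exposure) and the sample hosts are constructed, and the version-string format is assumed to be dotted integers.

```python
"""Triage a SimpleHelp inventory against the CISA advisory.

Flags instances at version 5.5.7 or earlier (the affected range named in
the advisory) and ranks them by internet exposure so the "isolate and
update" step can be prioritised.  Inventory format is assumed.
"""
from dataclasses import dataclass

# Highest affected version named in the advisory (5.5.7 and earlier).
LAST_AFFECTED = (5, 5, 7)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.5.7' (or 'v5.5.7') into (5, 5, 7) for numeric comparison.

    A plain string comparison would wrongly rank '5.10.1' below '5.5.7'.
    """
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return parse_version(version) <= LAST_AFFECTED


@dataclass
class Instance:
    host: str
    version: str
    internet_exposed: bool


def triage(inventory: list[Instance]) -> dict[str, list[str]]:
    """Bucket hosts by the action the advisory implies for them."""
    buckets = {"isolate_and_patch": [], "patch": [], "review_exposure": [], "ok": []}
    for inst in inventory:
        affected = is_affected(inst.version)
        if affected and inst.internet_exposed:
            buckets["isolate_and_patch"].append(inst.host)   # highest priority
        elif affected:
            buckets["patch"].append(inst.host)
        elif inst.internet_exposed:
            buckets["review_exposure"].append(inst.host)     # patched, still exposed
        else:
            buckets["ok"].append(inst.host)
    return buckets


# Constructed sample inventory; hostnames are placeholders.
SAMPLE = [
    Instance("rmm-01.example.internal", "5.5.7", True),
    Instance("rmm-02.example.internal", "5.5.8", True),
    Instance("rmm-03.example.internal", "5.10.1", False),
    Instance("rmm-04.example.internal", "v5.4.2", False),
]

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE).items():
        print(f"{action}: {hosts}")
```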
Fog Ransomware: Advanced Tactics Blend Espionage and Financial Motives
In a separate incident, Fog ransomware was deployed against a financial institution in Asia, demonstrating a blend of espionage-like tactics with traditional ransomware operations.
Detected in May 2024, Fog is capable of attacking both Windows and Linux environments, often gaining access via VPN credential abuse or exploiting vulnerabilities. Notably, one observed intrusion used a ZIP file with a malicious LNK shortcut, triggering PowerShell-based payload delivery.
The attackers demonstrated:
- In-memory execution and security tool evasion
- Use of dual-purpose tools like Syteca (formerly Ekran) for employee monitoring
- Deployment of open-source tools such as GC2, Stowaway, and Adaptix
- Use of Stowaway to deliver the legitimate Syteca installer, likely as part of a persistence strategy
Fog’s operators spent over two weeks inside the compromised network, creating services for long-term access even after data encryption. That is an unusual step for ransomware crews and has raised speculation about underlying espionage motives.
LockBit Leak Reveals China Among Top Targets
Meanwhile, new analysis of a leaked LockBit RaaS affiliate panel reveals that China, Taiwan, Brazil, and Turkey were among the most targeted countries between December 2024 and April 2025.
The affiliate usernames behind these campaigns included Iofikdis, PiotrBond, and JamesCraig, and the LockBit operation is estimated to have netted $2.3 million from 156 victims during the period.
This is notable, as other ransomware groups like Conti and Black Basta typically avoid encrypting Chinese systems. In contrast, LockBit shows little hesitation in operating within Chinese borders, suggesting a shift in geopolitical risk tolerance.
Additional insights from the leak:
- LockBit 4.0 supports Windows, Linux, and ESXi ransomware builds
- Victim negotiation panels and affiliate support tools were exposed
- A bounty was issued by LockBit for information on a leaker known as “xoxo from Prague”
The defection of affiliates from RansomHub in March 2025 is believed to have contributed to LockBit’s resurgence, as displaced operators moved to LockBit and accelerated its development of LockBit 5.0.
📌 SecurityX Insight
These developments underscore a rising trend of supply chain abuse, persistence-focused ransomware, and affiliate-driven chaos in the RaaS landscape. As threat actors evolve their techniques—blending espionage, financial extortion, and long-term access—the line between nation-state tactics and criminal operations continues to blur.
Organizations are urged to patch RMM software promptly, adopt least privilege models, and monitor for dual-use tool usage and unusual persistence behaviors—especially when ransomware appears to be only part of the attack.