Ransomware Scum Disrupted Utility Services with SimpleHelp Attacks
Ransomware criminals infected a utility billing software provider’s customers, and in some cases disrupted services, after exploiting unpatched versions of SimpleHelp’s remote monitoring and management (RMM) tool, according to a Thursday CISA alert.
This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025. The security advisory warned that ransomware actors likely exploited CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents.
CVE-2024-57727 is a high-severity path traversal vulnerability that affects SimpleHelp 5.5.7 and prior versions. The vendor fixed the hole in January, but ransomware crews reportedly exploited unpatched versions.
The cyber-defense agency’s warning follows a similar advisory from the feds, issued last week, about Play ransomware gang members exploiting the same SimpleHelp security flaw in double-extortion attacks. Those incidents involve criminals first stealing sensitive data, then encrypting victims’ files, before threatening to release the stolen information online unless the victims pay up.
To read the complete article see: The Register