
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an official warning: threat actors are actively exploiting vulnerable versions of SimpleHelp, a remote monitoring and administration tool widely used by IT service providers. One such attack targeted an unnamed vendor involved in utility billing—an incident that, as it turns out, is not isolated, but indicative of a broader and increasingly aggressive trend.
According to CISA, since January 2025, attacks on unsecured SimpleHelp deployments have become systematic. Cybercriminals are leveraging long-patched but still widely unupdated vulnerabilities to infiltrate the infrastructure of targeted companies—especially those that operate through complex contractor and MSP (Managed Service Provider) networks.
Earlier this year, the developers of SimpleHelp disclosed three critical vulnerabilities: CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. These flaws present grave risks for those who have delayed patching, as they enable data exfiltration, privilege escalation, and even remote code execution—effectively granting attackers full control over compromised systems.
One of the most notable abuses of these vulnerabilities occurred recently. Sophos documented a case where unknown actors compromised a SimpleHelp server belonging to an MSP and used it as a launchpad to infiltrate client networks. This technique enabled a cascading infection chain, allowing the attackers to move laterally within a partner ecosystem.
Particularly vulnerable are deployments running version 5.5.7 and earlier, which are affected by CVE-2024-57727. CISA emphasizes that these attacks are not limited to direct targets—the threat extends to their clients as well, via the same outdated software instances deployed at the edge. The attackers employ double extortion tactics: first exfiltrating data, then encrypting infrastructure, and finally threatening to leak the stolen information if a ransom is not paid.
To mitigate the risks, CISA recommends several immediate actions. First, isolate vulnerable servers from the internet and update them to the latest version. Second, promptly notify all dependent clients and provide them with guidance to harden their endpoints. Proactive threat hunting is also essential—review event logs and monitor for suspicious inbound and outbound traffic, especially involving SimpleHelp.
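As an added example (not CISA's or SimpleHelp's code), the following Python triages a constructed server inventory against the version threshold the article gives, flagging 5.5.7 and earlier and producing the isolate, update and notify actions from the guidance above; the Server fields and the sample hosts and client names are assumptions.

```python
"""Triage a SimpleHelp inventory against the advisory's threshold:
5.5.7 and earlier are affected by CVE-2024-57727."""
from dataclasses import dataclass, field

LAST_AFFECTED_VERSION = (5, 5, 7)  # threshold as stated in the article


def parse_version(text: str) -> tuple[int, ...]:
    """'5.5.7' -> (5, 5, 7). Numeric tuples compare correctly; comparing
    raw strings would wrongly rank '5.5.10' below '5.5.7'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the deployment is at or below the last affected release."""
    v = parse_version(version)
    v += (0,) * (len(LAST_AFFECTED_VERSION) - len(v))  # '5.4' -> (5, 4, 0)
    return v <= LAST_AFFECTED_VERSION


@dataclass
class Server:
    host: str                  # hypothetical inventory fields
    version: str
    internet_exposed: bool
    clients: list[str] = field(default_factory=list)  # tenants reached via it


def triage(inventory: list[Server]) -> dict[str, list[str]]:
    """Map each affected host to the actions CISA's guidance calls for:
    isolate if exposed, update, and notify every dependent client."""
    plan: dict[str, list[str]] = {}
    for s in inventory:
        if not is_affected(s.version):
            continue
        actions = ["isolate from internet"] if s.internet_exposed else []
        actions.append("update to latest version")
        actions.extend(f"notify client {c}" for c in sorted(s.clients))
        plan[s.host] = actions
    return plan


# Constructed sample inventory (hosts and client names are made up).
SAMPLE_INVENTORY = [
    Server("msp-sh-01.example", "5.5.7", True, ["acme-utility", "bravo-water"]),
    Server("msp-sh-02.example", "5.5.10", False, ["charlie-gas"]),
    Server("msp-sh-03.example", "5.4", True),
]
```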
If a compromise is suspected or confirmed, the agency advises disconnecting affected systems from the network immediately, reinstalling the operating system, and restoring data only from verified offline backups. The emphasis is on isolation, as network-based backups are often also compromised by ransomware. Additionally, remote access services like RDP should never be left exposed—these remain a primary point of entry for adversaries.
CISA’s stance on ransom payments remains unchanged: do not pay. Not only does payment not guarantee data recovery, but it also reinforces the attack model, financially fueling and legitimizing future campaigns—potentially even more destructive ones.
While some groups continue to focus on large-scale extortion, others are deploying ransomware more strategically—as a smokescreen for espionage. This was the case in an operation detailed by Symantec, involving an attack dubbed Fog against an unnamed financial institution in Asia.
Fog is a relatively new actor on the threat landscape, first detected in May 2024. Its methods are familiar: compromised VPN credentials and known vulnerabilities are used to penetrate networks, exfiltrate data, and only then encrypt infrastructure. However, this particular campaign deviated from traditional playbooks in notable ways.
One alternate infection vector was ZIP archives containing malicious Windows shortcuts (.LNK files), distributed via phishing emails. When activated, the shortcut executed a PowerShell script that fetched a loader and delivered the Fog ransomware payload.
The attackers employed an arsenal of advanced techniques—from privilege escalation to in-memory code injection that bypasses file-based detection mechanisms. The malware targets both Windows and Linux environments.
According to Trend Micro, the group behind Fog claims to have compromised over 100 organizations to date, primarily within the technology, education, industrial, and transportation sectors, with a geographic focus on Asia.
One of the campaign’s more unconventional aspects was the use of legitimate employee-monitoring software—Syteca (formerly Ekran)—integrated into the infected infrastructure to observe personnel activity in real time. Additionally, several open-source penetration testing tools were deployed, including GC2, Adaptix, and Stowaway.
Stowaway, in particular, is a proxy tool commonly used by Chinese threat groups. Researchers believe it was the conduit through which Syteca was distributed. GC2, notably, has been previously linked to APT41, a state-sponsored group associated with the Chinese government.
The attackers also utilized legitimate utilities such as 7-Zip, FreeFileSync, and MegaSync to package and extract stolen data. Unusually, just days after deploying the ransomware, they installed a persistent backdoor—suggesting a long-term presence rather than the typical smash-and-grab approach. The attackers maintained access to the system for at least a week, indicating that surveillance or data theft may have been their true objective, with the ransomware merely serving as a diversion.
Meanwhile, LockBit—one of the oldest and most prolific players in the Ransomware-as-a-Service (RaaS) ecosystem—continues to escalate its operations. Despite a series of setbacks, the group reportedly earned approximately $2.3 million over the past six months. Of particular note is a recent leak of its administrative panel, revealing targeted nations including China, Taiwan, Brazil, and Turkey.
A study by Trellix, based on the leaked data, identified key actors behind the attacks—most notably individuals operating under the aliases Iofikdis, PiotrBond, and JamesCraig. China’s prominent appearance on their target list is striking, given that most major ransomware groups, like Conti or Black Basta, typically avoid attacking Chinese entities to sidestep geopolitical consequences.
LockBit appears unburdened by such concerns, deliberately targeting industrial and manufacturing firms within China, undeterred by potential diplomatic fallout.
In the wake of the panel data leak, LockBit even offered a bounty for information on a hacker known as “xoxo from Prague,” allegedly responsible for the breach. Meanwhile, former members of the rival RansomHub group—dissolved unexpectedly in March 2025—have joined LockBit’s ranks. Figures like BaleyBeach and GuillaumeAtkinson have helped relaunch LockBit’s operations and accelerate the development of its latest version, LockBit 5.0.
This entire narrative serves as a sobering reminder: behind the media spectacle of ransom demands and splashy headlines lies a far darker and more intricate reality. The ransomware ecosystem has evolved into a complex, competitive black market—marked by talent migration, strategic adaptation, and relentless innovation.