Ransomware scum disrupted utility services with SimpleHelp attacks


Ransomware criminals infected a utility billing software provider's customers, and in some cases disrupted services, after exploiting unpatched versions of SimpleHelp’s remote monitoring and management (RMM) tool, according to a Thursday CISA alert.

"This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025," the security advisory warned. "Ransomware actors likely exploited CVE-2024-57727 to access downstream customers' unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents."

CVE-2024-57727 is a high-severity path traversal vulnerability that affects SimpleHelp 5.5.7 and prior versions. The vendor fixed the hole in January, but ransomware crews reportedly exploited unpatched versions.

The cyber-defense agency's warning follows a similar advisory from the feds, issued last week, about Play ransomware gang members exploiting the same SimpleHelp security flaw in double-extortion attacks. Those incidents see criminals first steal sensitive data, then encrypt victims' files, before ...


Copyright of this story solely belongs to theregister.co.uk.