Quick Takeaways
- In 2025, UK organizations faced targeted ransomware attacks that exploited three CVEs in the SimpleHelp RMM platform, reaching victims mainly through the supply chain via compromised MSPs.
- Ransomware groups Medusa and DragonForce used advanced tactics (double extortion, data exfiltration, security disabling) and targeted third-party vendor infrastructure to bypass security defenses.
- Attackers employed complex techniques such as disabling Microsoft Defender, creating admin accounts, and stealing backup credentials, making detection and recovery more difficult.
- These campaigns mark a troubling shift towards supply chain compromise, with threat actors abusing trusted vendor relationships to gain broad control of victim networks with little effort.
Key Challenge
In 2025, a wave of ransomware attacks against UK organizations emerged, built on vulnerabilities in the widely used SimpleHelp Remote Monitoring and Management (RMM) platform. The attacks, carried out by the Medusa and DragonForce groups, exploited three unpatched flaws (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728) to gain entry through trusted third-party vendors and Managed Service Providers (MSPs). Rather than attacking victims directly, the threat actors took a supply chain approach: compromised RMM infrastructure gave them control over the victims' entire networks, and they used it with considerable technical precision. Combining automated tooling with hands-on-keyboard activity, they disabled security defenses such as Microsoft Defender, tampered with backup systems, and exfiltrated sensitive data before encrypting systems, typically leaving behind distinctive file extensions and ransom notes. This double extortion (encryption plus data theft) left organizations facing operational shutdowns, data leaks on dark web sites, and difficult decisions about paying ransoms or disclosing breaches, as documented in ongoing investigative reports from Zensec security researchers.
The attacks specifically targeted organizations across the UK. Medusa began its campaign in the first quarter of 2025 and DragonForce followed in the second, both exploiting vulnerabilities in the same RMM infrastructure. Both groups showed a high level of operational sophistication: Medusa used tools such as PDQ Deploy and custom drivers to disable antivirus protections, while DragonForce established remote access with tools such as AnyDesk and used stolen backup credentials to reach critical recovery data. For data exfiltration they renamed tools to evade detection (RClone was renamed to "lsp.exe") and used Restic to upload data to cloud storage. The Zensec reports highlight the growing danger posed by these groups and show how they abuse supply chain vulnerabilities to bypass traditional defenses, with severe consequences for the affected organizations.
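One way a defender can catch the renaming trick described above (RClone running as "lsp.exe") is to compare the on-disk image name with the OriginalFileName that Sysmon Event ID 1 records from the PE header. The following is an added example, not code from the Zensec reports; the events are constructed, and the tool name lists are assumptions for illustration.

```python
# Added example: flag renamed exfiltration tools and remote-access tools in
# Sysmon process-creation events by checking OriginalFileName against the
# image name. Event data below is constructed, not real telemetry.
import json
import ntpath

# Tool names from the report; the OriginalFileName values are assumptions.
EXFIL_TOOLS = {"rclone.exe", "restic.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}

# Constructed Sysmon-style Event ID 1 records (one JSON object per line).
SAMPLE_EVENTS = [
    '{"EventID":1,"Image":"C:\\\\ProgramData\\\\lsp.exe","OriginalFileName":"rclone.exe"}',
    '{"EventID":1,"Image":"C:\\\\Windows\\\\notepad.exe","OriginalFileName":"NOTEPAD.EXE"}',
    '{"EventID":1,"Image":"C:\\\\Tools\\\\restic.exe","OriginalFileName":"restic.exe"}',
    '{"EventID":1,"Image":"C:\\\\Users\\\\Public\\\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe"}',
]


def classify(event: dict) -> list[str]:
    """Return a list of findings for one process-creation event."""
    if event.get("EventID") != 1:
        return []
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    if original in EXFIL_TOOLS and image != original:
        # The binary was renamed: the strongest signal in this data set.
        findings.append(f"renamed exfil tool: {original} running as {image}")
    elif original in EXFIL_TOOLS:
        findings.append(f"exfil-capable tool executed: {image}")
    if original in REMOTE_ACCESS_TOOLS:
        findings.append(f"remote access tool executed: {image}")
    return findings


def scan(lines) -> dict:
    """Map each suspicious image path to its findings."""
    results = {}
    for line in lines:
        event = json.loads(line)
        hits = classify(event)
        if hits:
            results[event["Image"]] = hits
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(hits))
```

In a real deployment the same comparison applies to any EDR field that carries the PE original filename; a mismatch on a known transfer tool is worth an alert on its own.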
Risks Involved
Your business faces a significant threat when cybercriminals abuse Remote Monitoring and Management (RMM) tools, which IT teams use legitimately for network oversight, to deploy destructive ransomware strains such as Medusa and DragonForce. Once they hold compromised RMM access, attackers can spread rapidly across the network, encrypt critical data, and hold operations hostage. A successful attack can halt productivity, cause financial loss, damage your reputation, and expose sensitive customer and company information. Trusting your RMM environment without stringent security controls leaves the enterprise open to high-impact ransomware attacks that threaten business continuity.
Possible Next Steps
Swift and effective remediation is crucial to stop malicious actors from exploiting vulnerabilities, especially when they use Remote Monitoring and Management (RMM) tools to deploy destructive ransomware such as Medusa and DragonForce. Prompt action minimizes damage, reduces recovery costs, and maintains organizational resilience.
Mitigation Strategies
- Access Control: Limit RMM tool permissions, enforce least privilege, and implement multi-factor authentication to restrict unauthorized access.
- Vulnerability Management: Conduct regular patching and updates of RMM software and related systems to close security gaps.
- Monitoring & Detection: Deploy advanced monitoring tools to identify suspicious activity associated with RMM tools and ransomware deployment attempts.
- Incident Response: Develop and rehearse a comprehensive incident response plan, emphasizing rapid isolation and eradication of threats.
- User Training: Educate staff about social engineering tactics and secure RMM usage protocols to prevent credential compromise.
- Backup & Recovery: Maintain secure, frequent backups of critical data and ensure tested recovery procedures are in place for quick restoration.
- Network Segmentation: Isolate RMM infrastructure and sensitive networks to limit lateral movement by threat actors within the environment.
- Vendor Security: Require security assessments and strong contractual obligations from RMM vendors to ensure their practices mitigate risks.
- Threat Intelligence Integration: Regularly incorporate threat intelligence feeds to stay informed about Medusa, DragonForce, and similar ransomware tactics.
- Continuous Improvement: Review and update security policies and controls routinely to adapt to emerging threats and vulnerabilities.