Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors exploiting unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.
SimpleHelp 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727, a path traversal vulnerability.[1] Ransomware actors likely exploited CVE-2024-57727 to access downstream customers' unpatched SimpleHelp RMM instances and disrupt services in double extortion compromises.[1]
CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2025.
CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.
Mitigations
CISA recommends that organizations implement the mitigations below to respond to emerging ransomware activity exploiting SimpleHelp software. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPGs web page for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.
Vulnerable Third-Party Vendors
If SimpleHelp is embedded or bundled in vendor-owned software, or if a third-party service provider runs SimpleHelp on a downstream customer's network, identify the SimpleHelp server version at the top of the file <file_path>/SimpleHelp/configuration/serverconfig.xml. If version 5.5.7 or earlier is found, or was in use at any time since January 2025, third-party vendors should:
- Isolate the SimpleHelp server instance from the internet or stop the server process.
- Immediately upgrade to the latest SimpleHelp version in accordance with SimpleHelp's security vulnerability advisory.[2]
- Contact downstream customers and instruct them to take steps to secure their endpoints and conduct threat hunting on their networks.
Vulnerable Downstream Customers and End Users
Determine whether the system is running an unpatched version of SimpleHelp RMM, either directly or embedded in third-party software.
SimpleHelp Endpoints
Determine whether an endpoint is running the Remote Access Service (RAS) by checking the following paths, depending on the environment:
- Windows: %APPDATA%\JWrapper-Remote Access
- Linux: /opt/JWrapper-Remote Access
- macOS: /Library/Application Support/JWrapper-Remote Access
If the RAS installation is present and running, open the serviceconfig.xml file in <file_path>/JWrapper-Remote Access/JWAppsSharedConfig/ to determine whether the registered service is vulnerable. Lines beginning with <ConnectTo indicate the addresses of the servers the service is registered with.
SimpleHelp Server
Determine the version of any SimpleHelp server by performing an HTTP request against it. Append /allversions to the server URL (for example, https://simple-help.com/allversions) to query the version page. This page lists the current version.
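The three checks above (the RAS install path for the platform, the <ConnectTo lines in serviceconfig.xml, and the /allversions page of each server) can be scripted so an endpoint reports which servers it registers with and whether each is still on 5.5.7 or earlier. The following Python is an added example, not code from CISA or SimpleHelp. The serviceconfig.xml sample is constructed, the element layout (server address as the element text) is an assumption, and the /allversions page is assumed to carry a dotted version string somewhere in its body; the advisory only states that the page lists the current version.

```python
"""Triage helpers for the SimpleHelp endpoint and server checks described above.

Added example (not CISA's or SimpleHelp's code). Assumptions are marked inline.
"""
import os
import platform
import re
import ssl
import urllib.request
from typing import List, Optional, Tuple

# 5.5.7 and earlier are affected (from the advisory).
LAST_VULNERABLE = (5, 5, 7)

# Endpoint install paths from the advisory, keyed by platform.system().
RAS_PATHS = {
    "Windows": os.path.join(os.environ.get("APPDATA", ""), "JWrapper-Remote Access"),
    "Linux": "/opt/JWrapper-Remote Access",
    "Darwin": "/Library/Application Support/JWrapper-Remote Access",
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version in text as an int tuple, e.g. '5.5.7' -> (5, 5, 7)."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for 5.5.7 and earlier. A short tuple such as (5, 5) is padded to compare as 5.5.0."""
    padded = tuple(version) + (0,) * max(0, 3 - len(version))
    return padded <= LAST_VULNERABLE


def connect_to_servers(serviceconfig_xml: str) -> List[str]:
    """Extract server addresses from lines beginning with <ConnectTo, as the advisory describes.
    Assumption: the address is the element's text content."""
    servers = []
    for line in serviceconfig_xml.splitlines():
        line = line.strip()
        if not line.startswith("<ConnectTo"):
            continue
        m = re.match(r"<ConnectTo[^>]*>(.*?)</ConnectTo", line)
        if m:
            servers.append(m.group(1).strip())
    return servers


def allversions_url(server: str) -> str:
    """Build the version-page URL by appending /allversions; bare host names get https://."""
    if not re.match(r"^https?://", server):
        server = "https://" + server
    return server.rstrip("/") + "/allversions"


def local_ras_config() -> Optional[str]:
    """Path to this host's serviceconfig.xml, or None if the RAS is not installed."""
    base = RAS_PATHS.get(platform.system())
    if not base:
        return None
    path = os.path.join(base, "JWAppsSharedConfig", "serviceconfig.xml")
    return path if os.path.isfile(path) else None


def check_server(server: str, timeout: float = 10.0, insecure: bool = False) -> Tuple[str, Optional[Tuple[int, ...]], bool]:
    """Fetch /allversions and return (url, version, vulnerable). Network call; the offline test skips it.
    insecure=True disables TLS verification for internal servers with self-signed certificates only."""
    url = allversions_url(server)
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    version = parse_version(body)
    return url, version, bool(version and is_vulnerable(version))


# Constructed sample (not a real SimpleHelp file); element layout is an assumption.
SAMPLE_SERVICECONFIG = """<?xml version="1.0"?>
<ServiceConfig>
  <ConnectTo>https://rmm.example.internal:443</ConnectTo>
  <ConnectTo>rmm.example.internal</ConnectTo>
  <Name>Example Workstation</Name>
</ServiceConfig>
"""

if __name__ == "__main__":
    cfg = local_ras_config()
    xml = open(cfg, encoding="utf-8", errors="replace").read() if cfg else SAMPLE_SERVICECONFIG
    print("RAS config:", cfg or "not found, using constructed sample")
    for server in connect_to_servers(xml):
        try:
            url, version, vuln = check_server(server)
            print(url, version, "VULNERABLE (5.5.7 or earlier)" if vuln else "not in the affected range")
        except Exception as exc:  # unreachable host, TLS failure, etc.
            print(allversions_url(server), "could not be queried:", exc)
```

parse_version takes the first dotted number on the page, so if the /allversions response contains other version-like strings, confirm the result against the page itself before acting on it; the script is a triage aid, not an authoritative scanner.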
If a vulnerable version (5.5.7 or earlier) is confirmed on a system, organizations should conduct threat hunting for evidence of compromise and continuously monitor for unusual inbound and outbound traffic from the SimpleHelp server. Note: the following is not an exhaustive list of indicators of compromise.
- Refer to SimpleHelp's advisory to determine whether a compromise occurred and what the next steps are.[3]
- Isolate the SimpleHelp server instance from the internet or stop the server process.
- Search for suspicious or anomalous executables with three-letter alphabetical file names (for example, aaa.exe, bbb.exe, etc.) with a creation time after January 2025. Additionally, conduct host and network vulnerability scans via reputable scanning services to verify that malware is not present on the system.
- Even if there is no evidence of compromise, users should immediately upgrade to the latest SimpleHelp version in accordance with SimpleHelp's security vulnerability advisory.[4]
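The file-name indicator above (exactly three alphabetic characters plus .exe, created after January 2025) is easy to sweep for across a host. The following Python is an added example, not code from CISA or SimpleHelp. The SAMPLE_RECORDS listing is constructed, and reading "after January 2025" as on or after 1 January 2025 is an assumption; adjust the cutoff if your incident timeline is narrower.

```python
"""Hunt for executables named with exactly three alphabetic characters (aaa.exe, bbb.exe, ...)
created after January 2025, the indicator described in the advisory.

Added example, not code from CISA or SimpleHelp. SAMPLE_RECORDS is constructed.
"""
import os
import re
import sys
from datetime import datetime, timezone
from typing import Iterable, Iterator, List, Tuple

THREE_LETTER_EXE = re.compile(r"^[A-Za-z]{3}\.exe$", re.IGNORECASE)


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight for the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# "after January 2025" is read here as on or after 1 January 2025 (assumption).
CUTOFF = utc(2025, 1, 1)


def _basename(path: str) -> str:
    """Last path component; accepts both / and \\ so Windows listings parse on any platform."""
    return re.split(r"[\\/]", path)[-1]


def is_suspect(name: str, created: datetime, cutoff: datetime = CUTOFF) -> bool:
    """True if the file name matches the pattern and creation time is at or after the cutoff."""
    return bool(THREE_LETTER_EXE.match(name)) and created >= cutoff


def filter_records(records: Iterable[Tuple[str, datetime]], cutoff: datetime = CUTOFF) -> List[str]:
    """Apply is_suspect to (path, creation_time) pairs. Pure function, so it runs offline."""
    return [path for path, created in records if is_suspect(_basename(path), created, cutoff)]


def creation_time(path: str) -> datetime:
    """Best-effort creation time in UTC. Windows reports creation in st_ctime; on Linux st_ctime is
    the inode change time, so st_birthtime is preferred where the platform exposes it."""
    st = os.stat(path)
    ts = getattr(st, "st_birthtime", st.st_ctime)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def walk_records(root: str) -> Iterator[Tuple[str, datetime]]:
    """Yield (path, creation_time) for every file under root, skipping entries that cannot be stat'ed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, creation_time(path)
            except OSError:
                continue


def hunt(root: str, cutoff: datetime = CUTOFF) -> List[str]:
    """Walk root and return the paths that match the indicator."""
    return filter_records(walk_records(root), cutoff)


# Constructed directory listing standing in for a real host; paths and times are invented.
SAMPLE_RECORDS = [
    (r"C:\Windows\Temp\aaa.exe", utc(2025, 2, 3)),
    (r"C:\Users\Public\bbb.exe", utc(2025, 5, 30)),
    (r"C:\Windows\System32\cmd.exe", utc(2024, 6, 1)),  # name matches, but created before the cutoff
    (r"C:\Users\Public\abcd.exe", utc(2025, 3, 1)),     # four letters
    (r"C:\Users\Public\ab1.exe", utc(2025, 3, 1)),      # contains a digit
    (r"C:\Temp\xyz.dll", utc(2025, 3, 1)),              # not an .exe
]

if __name__ == "__main__":
    # Usage: python hunt.py [ROOT]  (with no ROOT, the constructed sample is used)
    hits = hunt(sys.argv[1]) if len(sys.argv) > 1 else filter_records(SAMPLE_RECORDS)
    for hit in hits:
        print(hit)
```

Legitimate Windows binaries such as cmd.exe also have three-letter names, so a hit is a lead to triage (path, signature, hash, parent process), not confirmation of compromise; on Linux hosts without st_birthtime the timestamp is the inode change time and may be later than the true creation time.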
If your organization is unable to immediately identify and patch vulnerable versions of SimpleHelp, apply appropriate workarounds. In this case, CISA recommends using other mitigations provided by the vendor where available. These workarounds should not be considered permanent fixes, and organizations should apply the appropriate patch as soon as it is made available.
Encrypted Downstream Customers and End Users
If a system has been encrypted by ransomware:
- Disconnect the affected system from the internet.
- Use clean installation media (for example, a bootable USB drive or DVD) to reinstall the operating system. Ensure the installation media is free of malware.
- Wipe the system and restore data only from a clean backup. Ensure data files are obtained from a protected environment to avoid reintroducing ransomware to the system.
CISA urges you to promptly report ransomware incidents to a local FBI field office, the FBI's Internet Crime Complaint Center (IC3), and CISA via CISA's 24/7 Operations Center (report@cisa.gov or 888-282-0870).
Proactive Mitigations to Reduce Risk
To reduce the opportunity for intrusion and strengthen response to ransomware activity, CISA recommends the following best practices to customers of vendors and managed service providers (MSPs):
- Maintain a robust asset inventory and hardware list [CPG 1.A].
- Maintain a clean, offline backup of the system to ensure that encryption cannot recur once the system is restored. Back up the system daily to a separate offline device, such as a flash drive or external hard drive, and disconnect the device from the computer once the backup is complete [CPG 2.R].
- Do not expose remote services such as Remote Desktop Protocol (RDP) to the internet. If these services must be exposed, apply appropriate compensating controls to prevent common forms of abuse and exploitation. Disable unnecessary OS applications and network protocols on internet-facing assets [CPG 2.W].
- Conduct a risk analysis for RMM software on the network. If RMM is required, ask third-party vendors what security controls are in place.
- Establish and maintain open communication channels with third-party vendors to stay informed of their patch management process.
- For software vendors, consider integrating a software bill of materials (SBOM) into products to reduce vulnerability remediation time. An SBOM is a formal record of the components used to build software. SBOMs improve supply chain risk management by quickly identifying and avoiding known vulnerabilities, identifying security requirements, and managing vulnerability mitigations. For more information, see CISA's SBOM page.
Resources
Reporting
Your organization has no obligation to respond or provide information to the FBI in response to this advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details of interest include a targeted company point of contact, the status and scope of the infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host-based indicators.
CISA and the FBI do not encourage paying the ransom, as payment does not guarantee that victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA via the agency's Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).
SimpleHelp users or vendors can contact support@simple-help.com for assistance with questions or concerns.
Disclaimer
The information in this report is being provided for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA.
Version History
June 12, 2025: Initial version.
Notes
1. Anthony Bradshaw, et al., "DragonForce Actors Target SimpleHelp Vulnerabilities to Attack MSP, Customers," Sophos News, May 27, 2025, https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/.
2. For instructions on upgrading to the latest version of SimpleHelp, see SimpleHelp's security vulnerability advisory.
3. To determine whether a compromise occurred and what the next steps are, see SimpleHelp's advisory.
4. For instructions on upgrading to the latest version of SimpleHelp, see SimpleHelp's security vulnerability advisory.