The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning organizations about ongoing ransomware attacks exploiting unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software. The attacks specifically target utility billing software providers and their downstream customers through a critical path traversal vulnerability.
Ransomware actors have been actively exploiting CVE-2024-57727, a path traversal vulnerability found in SimpleHelp versions 5.5.7 and earlier. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2025, highlighting its severity and active exploitation. The advisory notes that "this incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025."
The attacks follow a double extortion model, where criminals not only encrypt victim data but also threaten to release stolen information publicly, maximizing pressure on organizations to pay ransoms.
CISA recommends that organizations immediately isolate vulnerable SimpleHelp server instances from the internet or stop the server process entirely. Organizations should upgrade to the latest SimpleHelp version following the vendor's security advisory and conduct thorough threat hunting activities to identify potential compromises.
For systems already encrypted by ransomware, CISA advises disconnecting affected systems from the internet, using clean installation media to reinstall operating systems, and restoring data only from verified clean backups.
Organizations using RMM solutions should conduct comprehensive risk analyses and implement proper asset management practices as outlined in CISA's Cross-Sector Cybersecurity Performance Goals.
CISA emphasizes that organizations should report ransomware incidents promptly to local FBI Field Offices and CISA's 24/7 Operations Center, while strongly advising against paying ransoms, as payment neither guarantees file recovery nor prevents future attacks.