Ransomware Gangs Exploit RMM Tool Flaws, Target UK Orgs with Medusa and DragonForce Attacks

Cybercriminals Exploit RMM Tools to Deploy Medusa and DragonForce Ransomware

In 2025, a series of sophisticated ransomware attacks targeted UK organizations, exploiting vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) platform. Notably, the Medusa and DragonForce ransomware groups leveraged critical vulnerabilities—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to gain unauthorized access through trusted third-party vendors and Managed Service Providers (MSPs).

This shift in ransomware tactics involves compromising supplier-controlled RMM infrastructure rather than directly attacking victim organizations. By exploiting unpatched SimpleHelp instances operating with SYSTEM-level privileges, attackers achieved extensive control over downstream customer networks with minimal resistance. This supply chain approach enables adversaries to bypass traditional perimeter defenses by exploiting the inherent trust between organizations and their service providers.

Security researchers at Zensec identified these coordinated campaigns after investigating multiple intrusions during the first and second quarters of 2025. The Medusa ransomware group initiated attacks in Q1 2025, deploying malicious payloads through compromised MSP environments. Following a similar strategy, DragonForce launched attacks in Q2 2025, targeting organizations via the same vulnerable RMM infrastructure.

Both groups demonstrated advanced operational capabilities, combining automated deployment tools with hands-on techniques to maximize impact. The financial and operational consequences for affected organizations have been severe. Beyond system encryption, both groups engaged in double extortion tactics, exfiltrating sensitive corporate data before deploying ransomware. Victims faced not only the immediate disruption of encrypted systems but also the threat of data exposure on dark web leak sites, compelling organizations to navigate complex decisions regarding ransom payments and public disclosure.

Attack Execution and Defense Evasion Techniques

Once inside victim networks through the compromised SimpleHelp platform, both ransomware groups deployed sophisticated toolsets to disable security protections and establish persistence.

The Medusa group utilized PDQ Deploy to push PowerShell commands that systematically dismantled Microsoft Defender protections across the environment. The attackers executed base64-encoded commands to add exclusion paths and disable real-time monitoring:

```powershell
Add-MpPreference -ExclusionPath C:\
Set-MpPreference -MAPSReporting Disable
Set-MpPreference -DisableRealtimeMonitoring $true
```

The PowerShell payload was delivered through PDQ Deploy in base64-encoded form; once decoded, it reveals the defense-disabling commands shown above. Additionally, the Medusa group deployed their ransomware payload, identified as Gaze.exe, alongside specialized drivers including Smuot.sys and CSAgent.sys to further inhibit antivirus products. Researchers have linked these drivers to the Abyssworker toolkit, a known security evasion framework.
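Because the commands arrived base64-encoded, a defender searching process-creation telemetry (Security event 4688 or Sysmon Event ID 1) for the literal string "Set-MpPreference" would miss them. The check below, an added example written for this article and not code from Zensec or the article's authors, decodes a PowerShell `-EncodedCommand` argument (base64 of UTF-16LE text, which is what powershell.exe expects) and then matches the decoded script against Defender-weakening cmdlet/parameter pairs. The sample events, the host names and the parent process name `PDQDeployRunner-1.exe` are constructed for the demonstration; the `Set-MpPreference`/`Add-MpPreference` parameter names in the patterns are real ones, but the list is deliberately not exhaustive.

```python
import base64
import re

# Defender-weakening cmdlet/parameter combinations. The parameter names are real
# Set-MpPreference / Add-MpPreference parameters; the list is not exhaustive.
TAMPER_PATTERNS = [
    ("exclusion_added",
     re.compile(r"Add-MpPreference\s+.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("realtime_monitoring_off",
     re.compile(r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
    ("maps_reporting_off",
     re.compile(r"Set-MpPreference\s+.*-MAPSReporting\s+(?:Disabled?|0)\b", re.I)),
    ("other_engine_off",
     re.compile(r"Set-MpPreference\s+.*-Disable(?:BehaviorMonitoring|IOAVProtection|ScriptScanning)\s+(?:\$true|1)\b", re.I)),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none.
    PowerShell expects the argument to be base64 of UTF-16LE text."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_defender_tampering(cmdline):
    """Return (matched pattern names, decoded script or None) for one command line."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, pat in TAMPER_PATTERNS if pat.search(text)]
    return hits, decoded


def triage(events):
    """Run the check over process-creation records; keep only those that tamper."""
    findings = []
    for ev in events:
        hits, decoded = find_defender_tampering(ev["cmdline"])
        if hits:
            findings.append({"host": ev["host"], "parent": ev["parent"],
                             "was_encoded": decoded is not None, "hits": hits})
    return findings


# --- constructed sample input (not real telemetry) -------------------------
# The script quoted in the article, encoded the way PowerShell expects it, so the
# sample command line has the shape a 4688 / Sysmon-1 event would carry.
MEDUSA_STYLE_SCRIPT = ("Add-MpPreference -ExclusionPath C:\\\n"
                       "Set-MpPreference -MAPSReporting Disable\n"
                       "Set-MpPreference -DisableRealtimeMonitoring $true")
_ENCODED = base64.b64encode(MEDUSA_STYLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "PDQDeployRunner-1.exe",   # hypothetical parent name
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _ENCODED},
    {"host": "ws02", "parent": "explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"host": "srv01", "parent": "cmd.exe",
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The parent process is kept in each finding on purpose: a Defender change pushed by a deployment agent rather than typed by an administrator is the pattern the article describes, so the parent is what an analyst pivots on next. Tamper Protection, where enabled, blocks these cmdlets from taking effect, but the attempt is still worth alerting on.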

DragonForce operators took a different approach, creating local administrator accounts named admin and installing AnyDesk for persistent remote access. They also targeted Veeam backup servers using the Get-Veeam-Creds.ps1 script to extract plaintext credentials from SQL password stores, effectively compromising backup recovery capabilities.

Data exfiltration methods varied between the groups. Medusa utilized RClone, cleverly renamed to blend in with legitimate processes, to transfer stolen data to attacker-controlled cloud storage. DragonForce employed similar tactics, using renamed versions of WinSCP to exfiltrate data.
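Renaming RClone or WinSCP defeats a detection keyed on the file name, but it does not change the PE version information inside the binary, which Sysmon records as `OriginalFileName` in Event ID 1. The script below is an added example for this article, not code from Zensec or the article's authors: it parses the `Key: Value` text form of Sysmon process-creation events and flags any process whose on-disk name differs from the tool name embedded in the executable. The log lines, paths and user names are constructed for the demonstration.

```python
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Tools the article reports being renamed for exfiltration. Compared against the
# PE version-info name Sysmon records in the OriginalFileName field of Event ID 1.
WATCHED_TOOLS = {"rclone.exe", "winscp.exe"}


def parse_sysmon_text(text):
    """Parse blank-line separated 'Key: Value' blocks (the shape of a Sysmon
    event's message text) into a list of dicts."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # split on the first colon only,
        current[key.strip()] = value.strip()  # so "C:\..." survives intact
    if current:
        events.append(current)
    return events


def classify(event):
    """Severity for one process-creation event, or None if nothing is odd."""
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if not original or not on_disk:
        return None
    if original in WATCHED_TOOLS:
        # Watched tool running under a different file name: the masquerade the
        # article describes. Same name: a known tool, worth review but not alarming.
        return "high" if original != on_disk else "info"
    if original != on_disk:
        return "low"   # any other name mismatch; noisy on its own, kept for context
    return None


def triage(text):
    """Return (severity, image path, original file name) for every flagged event."""
    out = []
    for ev in parse_sysmon_text(text):
        sev = classify(ev)
        if sev:
            out.append((sev, ev["Image"], ev["OriginalFileName"].lower()))
    return out


# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_LOG = r"""
Image: C:\Windows\Temp\svchost.exe
OriginalFileName: rclone.exe
User: CORP\backupsvc

Image: C:\Windows\System32\svchost.exe
OriginalFileName: svchost.exe
User: NT AUTHORITY\SYSTEM

Image: C:\Tools\rclone\rclone.exe
OriginalFileName: rclone.exe
User: CORP\admin

Image: C:\Users\Public\update.exe
OriginalFileName: WinSCP.exe
User: CORP\admin
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

The "low" tier exists because plenty of legitimate software ships with an `OriginalFileName` that does not match its installed name, so a bare mismatch is context rather than an alert; the watch list of known exfiltration tools is what produces the high-confidence finding. Pairing this with outbound traffic volume to cloud storage providers from the same host turns a single event into an exfiltration case.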

Mitigation Strategies

To defend against such sophisticated attacks, organizations should implement the following strategies:

1. Regularly Update and Patch Systems: Ensure that all software, especially RMM tools like SimpleHelp, is updated to the latest version to mitigate known vulnerabilities.

2. Monitor RMM Tool Usage: Keep a close watch on the deployment and use of RMM tools within the network. Unauthorized installations or unusual activities should be investigated promptly.

3. Implement Multi-Factor Authentication (MFA): Enforce MFA across all remote access solutions to add an extra layer of security against unauthorized access.

4. Conduct Regular Security Audits: Perform comprehensive security assessments to identify and remediate potential vulnerabilities within the network infrastructure.

5. Educate Employees: Provide ongoing cybersecurity training to employees to recognize phishing attempts and other social engineering tactics used by attackers.

6. Develop an Incident Response Plan: Establish and regularly update an incident response plan to ensure a swift and effective response to security breaches.

By adopting these proactive measures, organizations can enhance their resilience against ransomware attacks and protect their critical assets from compromise.