Intel Name: How RMM Abuse Fuelled Medusa & DragonForce Attacks
Date of Scan: November 12, 2025
Impact: High
Summary: In early 2025, researchers identified a surge of ransomware attacks abusing the SimpleHelp Remote Monitoring and Management (RMM) platform, which is widely used by MSPs and software vendors. Threat groups including Medusa and DragonForce exploited three SimpleHelp vulnerabilities (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728) to reach downstream customer networks. Because the compromised RMM servers ran with SYSTEM privileges, the attackers gained full administrative control of those hosts. They then performed network discovery, disabled security tools and exfiltrated data with RClone and Restic before encrypting victim systems, completing a coordinated ransomware campaign.
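The exfiltration stage described above gives defenders a concrete detection opportunity: RClone and Restic are ordinary backup tools, so what makes them suspicious is the context they run in (launched by an RMM process, running as SYSTEM, or renamed to hide). The following is an added example, not code from the report or from any of the vendors named; it runs a small triage rule over constructed, Sysmon-style process-creation events. The key=value field names, the sample events and the RMM parent image name `rmm-agent.exe` are all assumptions; substitute the field names of your own telemetry and the actual RMM service image names observed in your environment.

```python
import re
from typing import Optional

# Constructed sample events (not real telemetry) in a Sysmon-like key=value shape.
# "origname" stands in for the PE OriginalFileName field, which survives renaming.
# "rmm-agent.exe" is a placeholder for the RMM server/agent image name.
SAMPLE_EVENTS = [
    r'ts=2025-11-12T03:14:07Z user="NT AUTHORITY\SYSTEM" parent=rmm-agent.exe '
    r'image=C:\Windows\Temp\rclone.exe origname=rclone.exe '
    r'cmdline="rclone.exe copy D:\Finance remote:bucket"',
    r'ts=2025-11-12T03:20:41Z user="NT AUTHORITY\SYSTEM" parent=rmm-agent.exe '
    r'image=C:\ProgramData\svchost.exe origname=restic.exe '
    r'cmdline="svchost.exe -r sftp:user@host:/repo backup D:\HR"',
    r'ts=2025-11-12T09:02:13Z user="CORP\backup-svc" parent=backup-scheduler.exe '
    r'image="C:\Program Files\Backup\restic.exe" origname=restic.exe '
    r'cmdline="restic.exe backup E:\Shares"',
    r'ts=2025-11-12T09:05:55Z user="CORP\jdoe" parent=explorer.exe '
    r'image=C:\Windows\System32\notepad.exe origname=NOTEPAD.EXE cmdline="notepad.exe"',
]

EXFIL_TOOLS = {"rclone.exe", "restic.exe"}   # tools named in the report
RMM_PARENTS = {"rmm-agent.exe"}              # assumed/placeholder RMM image names
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Return a reason string if the event looks like RMM-driven exfiltration, else None.

    A backup tool by itself is not an alert; the suspicious signals are the
    RMM parent, the SYSTEM account and a mismatch between on-disk name and
    original file name (renamed binary).
    """
    origname = ev.get("origname", "").lower()
    image = basename(ev.get("image", ""))
    if origname not in EXFIL_TOOLS and image not in EXFIL_TOOLS:
        return None

    reasons = []
    if basename(ev.get("parent", "")) in RMM_PARENTS:
        reasons.append("spawned by RMM process")
    if ev.get("user", "").upper() == SYSTEM_ACCOUNT.upper():
        reasons.append("running as SYSTEM")
    if origname in EXFIL_TOOLS and image != origname:
        reasons.append(f"renamed binary ({image} -> {origname})")
    # No contextual signal: e.g. a sanctioned backup job under its service account.
    return "; ".join(reasons) if reasons else None


def scan(lines) -> list:
    """Run the rule over log lines; return (timestamp, image, reason) per alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            alerts.append((ev.get("ts", "?"), basename(ev.get("image", "")), reason))
    return alerts


if __name__ == "__main__":
    for ts, image, reason in scan(SAMPLE_EVENTS):
        print(f"{ts}  {image:<14} {reason}")
```

The third sample event (Restic run by a backup service account from its installed path) deliberately produces no alert, and the second shows why the original-file-name check matters: a copy of Restic renamed to `svchost.exe` still trips the rule. In a real deployment the allow-list of RMM parents and sanctioned backup accounts should come from inventory rather than being hard-coded.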