Ransomware Gangs Exploit Unpatched SimpleHelp RMM Instances

On June 20, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that ransomware actors are targeting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) to compromise clients of an unnamed utility billing software provider. This attack is part of a broader pattern where ransomware targets organizations through unpatched versions of SimpleHelp. The impacts include attempts at double extortion, where attackers encrypt data and threaten to disclose it if a ransom is not paid.