Crazy Ransomware Gang Abuses Employee Monitoring and Remote Support Tools
Summary
The Crazy ransomware gang has been observed abusing legitimate employee monitoring software (Net Monitor for Employees Professional) and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. The attackers used these tools to gain full interactive access to compromised systems, transfer files, execute commands, and monitor system activity in real time. They also attempted to disable Windows Defender and set up monitoring rules to detect cryptocurrency-related activities and remote access tools. The use of multiple remote access tools provided redundancy for the attackers, ensuring they retained access even if one tool was discovered or removed. The breaches were enabled through compromised SSL VPN credentials, highlighting the need for organizations to enforce MFA on all remote access services.
Timeline
- 11.02.2026 21:29 · 1 article
  Crazy Ransomware Gang Abuses Employee Monitoring and Remote Support Tools
- Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
Information Snippets
- Attackers deployed Net Monitor for Employees Professional and the SimpleHelp remote access client to maintain persistence and evade detection.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- The monitoring software allowed attackers to remotely view desktops, transfer files, and execute commands.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- Attackers attempted to enable the local administrator account using the command 'net user administrator /active:yes'.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- The SimpleHelp binary was disguised using filenames related to OneDrive and Visual Studio.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- Attackers disabled Windows Defender by stopping and deleting associated services.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- Monitoring rules were set up to detect cryptocurrency-related activities and remote access tools.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- The same filename (vhost.exe) and overlapping C2 infrastructure were reused across incidents, suggesting a single operator or group.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
- Breaches were enabled through compromised SSL VPN credentials.
  First reported: 11.02.2026 21:29 · 1 source, 1 article
  - Crazy ransomware gang abuses employee monitoring tool in attacks — www.bleepingcomputer.com — 11.02.2026 21:29
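Several of the behaviours listed above leave traces in process-creation logs, so they can be hunted for together. The following Python is an added example, not code from the source article: it checks events for the 'net user administrator /active:yes' command, for stop or delete operations against Defender services, and for the reused vhost.exe filename. The field names follow Sysmon Event ID 1; the Defender service names, the hosts and the paths in the sample data are assumptions or constructed values.

```python
import ntpath
import re
from collections import defaultdict

# Real Defender service names; which ones were targeted is not on the page (assumption).
DEFENDER_SVC = r"(?:windefend|wdnissvc|sense)"
CMD_RULES = {
    "local_admin_enabled": re.compile(r"\bnet1?(?:\.exe)? user administrator /active:yes\b"),
    "defender_service_tamper": re.compile(
        r"\b(?:sc(?:\.exe)? (?:stop|delete)|net1?(?:\.exe)? stop) " + DEFENDER_SVC + r"\b"),
}
SUSPECT_IMAGES = {"vhost.exe"}  # filename the page reports as reused across incidents


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace so spacing does not break matching."""
    return " ".join(cmdline.lower().replace('"', "").split())


def detect(event):
    """Return the rule names one event triggers; image names are compared exactly,
    so svchost.exe is not confused with vhost.exe."""
    hits = [name for name, rx in CMD_RULES.items() if rx.search(normalise(event["CommandLine"]))]
    if ntpath.basename(event["Image"]).lower() in SUSPECT_IMAGES:
        hits.append("suspect_image_name")
    return hits


def triage(events):
    """Group hits by host; several distinct rules on one host deserve attention first."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["Computer"]].update(detect(ev))
    return {host: sorted(rules) for host, rules in by_host.items() if rules}


# Constructed sample events (Sysmon Event ID 1 style fields); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  user administrator /active:yes"},
    {"Computer": "WS-01", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" delete WinDefend'},
    {"Computer": "WS-01", "Image": r"C:\Users\Public\vhost.exe", "CommandLine": "vhost.exe"},
    {"Computer": "WS-02", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Computer": "WS-02", "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query WinDefend"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A filename match on its own is weak evidence; the value is in the correlation, where one host shows account changes, Defender tampering and the reused binary name together.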