VYPR · breach · Published Jun 30, 2025 · Updated May 20, 2026 · 1 source

Password Spray Attack on Exposed RDP Server Leads to RansomHub Ransomware Deployment

The DFIR Report details an intrusion that began with a password spray attack against an internet-facing RDP server, culminating in the deployment of RansomHub ransomware across the victim's network.

In a detailed intrusion report published by The DFIR Report, analysts lay out the full attack chain of a ransomware incident that began in November 2024 with a simple but effective password spray against an internet-facing Remote Desktop Protocol (RDP) server. Over roughly four hours, the threat actor attempted logons against many accounts from IP addresses already known to be malicious, the classic spray shape (one source, many accounts, few attempts each) that keeps every account under its lockout threshold. Hours later the actor authenticated over RDP with one of the accounts whose password the spray had found, establishing the initial foothold in the victim's environment.
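The spray shape described above is detectable from Windows Security events alone, and the follow-on success is the event worth paging on. The block below is an added example written for this summary, not code from The DFIR Report or the page; the sample 4625/4624 events, account names, IP addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""Password-spray detector over Windows Security 4625/4624 events.

Added example, not code from The DFIR Report.  A spray is one source hitting
many distinct accounts a few times each in a short window; a brute force is
the opposite (one account, many attempts).  A later 4624 from the spraying
source, for an account it sprayed, is the initial foothold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, target_user, logon_type).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-11-01 09:00:05", 4625, "203.0.113.10", "administrator", 10),
    ("2024-11-01 09:00:09", 4625, "203.0.113.10", "jsmith", 10),
    ("2024-11-01 09:00:14", 4625, "203.0.113.10", "backup", 10),
    ("2024-11-01 09:00:20", 4625, "203.0.113.10", "svc_sql", 10),
    ("2024-11-01 09:00:27", 4625, "203.0.113.10", "helpdesk", 10),
    ("2024-11-01 09:00:33", 4625, "203.0.113.10", "mjones", 10),
    ("2024-11-01 09:00:40", 4625, "203.0.113.10", "scanner", 10),
    ("2024-11-01 09:00:46", 4625, "203.0.113.10", "itadmin", 10),
    # A legitimate user mistyping one password twice: not a spray.
    ("2024-11-01 09:10:00", 4625, "198.51.100.7", "mjones", 10),
    ("2024-11-01 09:10:30", 4625, "198.51.100.7", "mjones", 10),
    ("2024-11-01 09:11:00", 4624, "198.51.100.7", "mjones", 10),
    # Hours later the sprayer returns with a password that worked.
    ("2024-11-01 13:42:11", 4624, "203.0.113.10", "helpdesk", 10),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_sprays(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source_ip: sorted accounts} for sources whose failed logons hit at
    least `min_accounts` distinct accounts inside `window`, with no single account
    tried more than `max_per_account` times (the spray signature)."""
    fails = defaultdict(list)
    for ts, eid, ip, user, _ltype in events:
        if eid == 4625:
            fails[ip].append((_parse(ts), user))
    sprays = {}
    for ip, attempts in fails.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            counts = defaultdict(int)
            for _, user in attempts[lo:hi + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                sprays.setdefault(ip, set()).update(counts)
    return {ip: sorted(users) for ip, users in sprays.items()}


def spray_followed_by_success(events, **kw):
    """Correlate: a 4624 from a source flagged as spraying, for an account that
    source sprayed, is the foothold event.  Returns (ts, ip, user, logon_type)."""
    sprays = detect_sprays(events, **kw)
    return [(ts, ip, user, ltype) for ts, eid, ip, user, ltype in events
            if eid == 4624 and ip in sprays and user in sprays[ip]]


if __name__ == "__main__":
    print("sprays:", detect_sprays(SAMPLE_EVENTS))
    print("foothold:", spray_followed_by_success(SAMPLE_EVENTS))
```

The thresholds are deliberately loose so a slow spray spread over a long window is not missed; tune `window` and `min_accounts` against your own 4625 baseline, and remember that with Network Level Authentication enabled the failures may log as logon type 3 rather than 10.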

Once inside, the attacker moved quickly into a burst of discovery, using built-in net commands to enumerate users and computers. Credential access followed: Mimikatz to dump credentials from LSASS memory and NirSoft CredentialsFileView to decrypt credentials stored in Windows credential files. The attacker also downloaded Advanced IP Scanner through Microsoft Edge to map the network, and later used SoftPerfect NetScan for broader reconnaissance. Together these efforts let the threat actor identify domain controllers, backup servers, file servers, and hypervisors.

Lateral movement was achieved primarily over RDP. Within roughly two hours of the initial compromise the attacker had moved to two domain controllers, opened the DNS management console, and continued harvesting credentials across multiple hosts. They targeted backup servers, file servers, hypervisors, and additional domain controllers, using Mimikatz to write CSV output files named after each child domain, confirming that their pivot domain administrator account was valid across those domains. On the second day the attacker installed Atera, a legitimate remote monitoring and management tool, on two backup servers to maintain persistent access.

On the third day the threat actor exfiltrated data with Rclone over SFTP, driven by helper scripts that filtered for specific file types: documents, spreadsheets, emails, and image files. The transfer went to TCP port 443, but the traffic itself was SFTP, not TLS: sending it to the port normally used for HTTPS lets the upload pass egress filters that simply allow 443 outbound, so it is protocol identification, not the port number, that surfaces it. On the fifth day the attacker returned through Splashtop, another remote access tool, ran another network sweep with NetScan, and reset several user passwords on the domain controllers. A little over an hour later, on the sixth day of the intrusion, they prepared to deploy the ransomware.
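The port/protocol mismatch is the check a network defender wants here. The block below is an added example, not code from The DFIR Report or the page: it runs over constructed records shaped like a subset of Zeek conn.log columns (Zeek's `service` field comes from dynamic protocol detection, not the port), and the port-to-service map, host addresses and byte counts are assumptions made for illustration.

```python
"""Flag SFTP-on-443 style exfiltration from connection logs.

Added example, not code from The DFIR Report.  Two independent signals:
(1) the detected application protocol does not belong on the destination
port, and (2) the flow is bulk upload (far more bytes out than in).  A flow
with both is the strong candidate; volume alone is noisy (cloud backups).
"""

# Assumed mapping: destination port -> services normally seen there.
EXPECTED_SERVICE = {
    443: {"ssl", "quic"},
    22: {"ssh"},
    80: {"http"},
    445: {"smb", "dce_rpc"},
}

# Constructed records (RFC 1918 / RFC 5737 addresses, invented byte counts).
SAMPLE_CONNS = [
    {"orig_h": "10.10.5.20", "resp_h": "198.51.100.40", "resp_p": 443, "service": "ssl",
     "orig_bytes": 18_000, "resp_bytes": 2_400_000},            # ordinary browsing
    {"orig_h": "10.10.5.31", "resp_h": "203.0.113.77", "resp_p": 443, "service": "ssh",
     "orig_bytes": 3_400_000_000, "resp_bytes": 12_000_000},     # SFTP hiding on 443
    {"orig_h": "10.10.5.31", "resp_h": "198.51.100.9", "resp_p": 443, "service": "ssl",
     "orig_bytes": 2_100_000_000, "resp_bytes": 40_000_000},     # big upload, but TLS
    {"orig_h": "10.10.5.50", "resp_h": "10.10.1.2", "resp_p": 445, "service": "smb",
     "orig_bytes": 90_000_000, "resp_bytes": 900_000_000},       # file server, download-heavy
]


def port_service_mismatches(conns):
    """Flows whose detected service is not one expected on the destination port."""
    out = []
    for c in conns:
        expected = EXPECTED_SERVICE.get(c["resp_p"])
        if expected and c["service"] and c["service"] not in expected:
            out.append(c)
    return out


def outbound_heavy(conns, min_orig_bytes=1_000_000_000, min_ratio=10.0):
    """Flows that pushed at least `min_orig_bytes` out and sent `min_ratio` times
    more than they received: the shape of a bulk upload, whatever the protocol."""
    return [c for c in conns
            if c["orig_bytes"] >= min_orig_bytes
            and c["orig_bytes"] >= min_ratio * max(c["resp_bytes"], 1)]


def exfil_candidates(conns):
    """Rank candidates: mismatch AND heavy upload is strong; heavy upload over an
    expected protocol is 'volume_only' and needs context (is that host allowed
    to back up to that destination?)."""
    mism = port_service_mismatches(conns)
    strong, volume_only = [], []
    for c in outbound_heavy(conns):
        (strong if c in mism else volume_only).append((c["orig_h"], c["resp_h"]))
    return {"strong": strong, "volume_only": volume_only}


if __name__ == "__main__":
    print(exfil_candidates(SAMPLE_CONNS))
```

The same logic applies to any flow-level source that labels the application protocol (Suricata app-layer metadata, NetFlow with DPI); the point is to alert on the protocol the bytes actually speak rather than on the port the policy assumes.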

The ransomware binary, named amd64.exe, was dropped and executed on a server. From there the local host was encrypted while the binary spread to remote hosts over SMB and was executed through remotely created services. Once running, the ransomware stopped running virtual machines, relaxed symbolic-link evaluation so that links to remote targets could be followed, deleted volume shadow copies, and cleared the Windows event logs before encrypting files and dropping a ransom note linking to the RansomHub group. Total Time to Ransomware (TTR) was approximately 118 hours across six calendar days.
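Each of the pre-encryption actions above has a legitimate administrative use on its own; the detection value is in several of them landing on one host within minutes. The block below is an added example, not code from The DFIR Report or the page: the command-line patterns are the standard built-in Windows ways to perform each action and are my assumptions rather than strings quoted from the report, and the process-creation records (Sysmon Event ID 1 / 4688 style) are constructed for illustration.

```python
"""Cluster ransomware pre-encryption precursors per host.

Added example, not code from The DFIR Report.  Matches process command lines
against four precursor categories (VM shutdown, remote symlink evaluation,
shadow-copy deletion, event-log clearing) and flags a host only when two or
more distinct categories occur inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns for each precursor (not quoted from the report).
PRECURSORS = {
    "vm_shutdown": re.compile(r"\bstop-vm\b|vim-cmd\s+vmsvc/power\.off", re.I),
    "symlink_eval_remote": re.compile(
        r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\s+R2[LR]:1", re.I),
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# Constructed records: (timestamp, host, command line).
SAMPLE_PROCS = [
    ("2024-11-06 02:10:01", "BACKUP01", 'powershell.exe -c "Get-VM | Stop-VM -Force"'),
    ("2024-11-06 02:10:04", "BACKUP01", "fsutil.exe behavior set SymlinkEvaluation R2L:1"),
    ("2024-11-06 02:10:04", "BACKUP01", "fsutil.exe behavior set SymlinkEvaluation R2R:1"),
    ("2024-11-06 02:10:06", "BACKUP01", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2024-11-06 02:10:09", "BACKUP01", "wevtutil.exe cl Security"),
    ("2024-11-06 02:10:09", "BACKUP01", "wevtutil.exe cl System"),
    # An admin clearing a single log the day before, with nothing else: not flagged.
    ("2024-11-05 15:22:40", "WS-ADMIN01", "wevtutil.exe cl Application"),
    # Ordinary noise.
    ("2024-11-06 02:10:02", "FS01", "svchost.exe -k netsvcs"),
]


def precursor_hits(events):
    """Tag each record with the precursor categories its command line matches."""
    hits = []
    for ts, host, cmdline in events:
        cats = [name for name, rx in PRECURSORS.items() if rx.search(cmdline)]
        if cats:
            hits.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, cats))
    return hits


def hosts_with_precursor_cluster(events, window=timedelta(minutes=10), min_categories=2):
    """Return {host: sorted categories} for hosts where at least `min_categories`
    distinct precursor categories occurred within `window` of each other."""
    by_host = defaultdict(list)
    for ts, host, cats in precursor_hits(events):
        by_host[host].append((ts, cats))
    flagged = {}
    for host, rows in by_host.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            seen = set()
            for _, cats in rows[lo:hi + 1]:
                seen.update(cats)
            if len(seen) >= min_categories:
                flagged.setdefault(host, set()).update(seen)
    return {h: sorted(c) for h, c in flagged.items()}


if __name__ == "__main__":
    print(hosts_with_precursor_cluster(SAMPLE_PROCS))
```

Matching on behaviour rather than on the binary name matters here: a file named amd64.exe is trivially renamed, whereas an encryptor that wants shadow copies gone and logs cleared has to run something that does those things. A second, complementary signal for the SMB spread is a burst of service-installation events (System log 7045) for the same service name across many hosts in a short window.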

This incident highlights the continued risk posed by RDP exposed directly to the internet and the efficiency of password spraying as an initial access vector: no exploit was needed, only one account with a guessable password. The use of living-off-the-land binaries (LOLBins) for discovery, legitimate remote access tools (Atera, Splashtop) for persistence, and Rclone for exfiltration marks a mature and methodical threat actor. The DFIR Report's analysis provides a full timeline, indicators of compromise, and MITRE ATT&CK mapping, and underlines the importance of keeping RDP off the internet or behind a gateway with multi-factor authentication, enforcing credential hygiene, and monitoring for anomalous behaviour at every stage of the kill chain.

Synthesized by Vypr AI