A recent incident response investigation from The DFIR Report has revealed the sophisticated tactics employed by RansomHub ransomware operators in a coordinated attack campaign that compromised an entire corporate network through an exposed Remote Desktop Protocol (RDP) server.
The attack, which occurred in November 2024, demonstrates the evolving threat landscape facing organizations with remote access infrastructure.
Summary
1. Attackers gained access via a password spray on an exposed RDP server, using malicious IPs to compromise six accounts and escalate to admin privileges.
2. Credential harvesting was performed with Mimikatz and Nirsoft, while network mapping used Advanced IP Scanner and NetScan; lateral movement occurred via RDP to key servers.
3. Persistence was established by installing Atera and Splashtop remote management tools on backup servers, and user passwords were changed to aid the attack.
4. Data exfiltration occurred on day three, with over 2GB of sensitive files stolen using Rclone and custom scripts over SFTP.
5. Ransomware deployment began on day six: RansomHub (amd64.exe) spread via SMB and remote services, encrypted files, deleted backups, and cleared logs.
6. The entire operation lasted about 118 hours, blending stealth, automation, and aggressive lateral movement for maximum impact.
The intrusion began with a systematic password spray attack targeting an internet-facing RDP server over a four-hour period.

Threat actors operating from IP addresses 185.190.24[.]54 and 185.190.24[.]33 successfully compromised six user accounts, with open-source intelligence confirming these addresses had a prior history of malicious activities targeting administrative interfaces and firewalls.
The attackers demonstrated patience and persistence, waiting several hours after successful authentication before beginning their reconnaissance phase. This “low-and-slow” approach helped evade detection systems designed to identify rapid-fire brute force attacks.
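To make that detection gap concrete, here is an added example (not code from The DFIR Report or this article) that runs two rules over constructed Windows 4625 failed-logon rows from an RDP host: a short-window failure count of the kind a low-and-slow spray slips past, and a long-window distinct-account count that catches it. The IP addresses, usernames, timestamps and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (failed logon) rows from the RDP host: "timestamp,source_ip,target_user".
# 203.0.113.10 tries one new account every 25-35 minutes; 198.51.100.7 is one user mistyping.
SAMPLE_4625 = """\
2024-11-05T02:00:00,203.0.113.10,alice
2024-11-05T02:25:00,203.0.113.10,bob
2024-11-05T02:50:00,203.0.113.10,carol
2024-11-05T03:20:00,203.0.113.10,dave
2024-11-05T03:55:00,203.0.113.10,erin
2024-11-05T04:30:00,203.0.113.10,frank
2024-11-05T02:05:00,198.51.100.7,alice
2024-11-05T02:06:00,198.51.100.7,alice
2024-11-05T02:07:00,198.51.100.7,alice
"""

def parse_events(text):
    """Return (timestamp, source_ip, target_user) tuples sorted by time."""
    rows = [line.split(",") for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), ip, user) for ts, ip, user in rows)

def _windows_per_source(events, window):
    """For each source IP, yield every time-ordered slice of its events that
    starts at one event and spans at most `window` (a sliding window)."""
    per_ip = defaultdict(list)
    for ts, ip, user in events:
        per_ip[ip].append((ts, user))
    for ip, rows in per_ip.items():
        j = 0
        for i in range(len(rows)):
            j = max(j, i)
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            yield ip, rows[i:j]

def burst_alerts(events, window=timedelta(minutes=5), min_failures=10):
    """Classic brute-force rule: many failures from one IP in a short window."""
    return {ip for ip, w in _windows_per_source(events, window) if len(w) >= min_failures}

def spray_alerts(events, window=timedelta(hours=4), min_accounts=5):
    """Spray rule: one IP failing against many distinct accounts inside a long
    window. Returns {ip: sorted accounts from that IP's busiest window}."""
    best = defaultdict(set)
    for ip, w in _windows_per_source(events, window):
        users = {u for _, u in w}
        if len(users) > len(best[ip]):
            best[ip] = users
    return {ip: sorted(u) for ip, u in best.items() if len(u) >= min_accounts}
```

On the sample, the burst rule fires on nothing while the spray rule flags 203.0.113.10 with six distinct accounts in one four-hour window; on real data the rule should be fed every 4625 from the RDP gateway, not a sampled subset.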
Advanced Credential Harvesting Operations
Once inside the network, the attackers deployed sophisticated credential harvesting tools, primarily Mimikatz and Nirsoft’s CredentialsFileView.
Security researchers noted the attackers’ methodical approach to credential extraction, targeting the Local Security Authority Subsystem Service (LSASS) memory to dump credentials directly from system processes.
The threat actors used Mimikatz commands like ‘sekurlsa::logonpasswords’ and ‘lsadump::dcsync’ to extract domain administrator credentials across multiple child domains.

“The attackers generated CSV output files corresponding to each domain, suggesting they were systematically verifying administrative access across the entire corporate infrastructure,” reads the report.
The RansomHub operators combined traditional “living-off-the-land” techniques with commercial network scanning tools for comprehensive network discovery. They leveraged built-in Windows commands, including net, nslookup, nltest, ipconfig, and ping, to enumerate users, groups, domain trusts, and network topology.
Additionally, the attackers downloaded and deployed Advanced IP Scanner and SoftPerfect’s NetScan tools for more extensive network reconnaissance.
These legitimate network administration tools allowed the threat actors to identify active systems, open ports, and potential lateral movement targets across the compromised environment.

On the third day of the intrusion, attackers deployed Rclone, a legitimate cloud synchronization tool, to exfiltrate sensitive data via SFTP over port 443.
The data theft operation was highly targeted, focusing on documents, spreadsheets, emails, and image files totaling 2.03 gigabytes of corporate data transferred over a 40-minute window.
The use of Rclone demonstrates the trend among ransomware groups toward “double extortion” tactics, where stolen data serves as additional leverage for ransom demands beyond simple file encryption.
Ransomware Deployment and Network Propagation
The attack culminated on day six with the deployment of the RansomHub ransomware payload, distributed as “amd64.exe”. The malware demonstrated sophisticated propagation capabilities, using Server Message Block (SMB) protocol to transfer copies of itself to remote hosts and execute via Windows remote services.

Prior to encryption, the ransomware performed defensive actions, including shutting down virtual machines, deleting volume shadow copies, and clearing Windows event logs to hinder recovery efforts and forensic analysis.
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have identified RansomHub as one of the most active ransomware groups of 2024, with over 210 confirmed victims across critical infrastructure sectors. The group emerged in February 2024 and quickly gained notoriety following the disruption of LockBit operations.
Organizations are advised to implement multi-factor authentication for RDP access, restrict remote desktop exposure, and deploy advanced endpoint detection capabilities to identify credential harvesting activities.
The 118-hour attack timeline underscores the importance of rapid threat detection and response capabilities in modern cybersecurity defense strategies.