Threat Report
HIDE YOUR RDP: PASSWORD SPRAY LEADS TO RANSOMHUB DEPLOYMENT
A detailed analysis of a sophisticated intrusion campaign targeting internet-facing RDP servers.
Threat Overview
The threat report titled ‘Hide Your RDP: Password Spray Leads to RansomHub Deployment,’ published by AlienVault on June 30, 2025, details an intricate intrusion campaign that began in November 2024. This campaign targeted internet-facing Remote Desktop Protocol (RDP) servers using a password spray attack. The threat actor utilized known malicious IPs to attempt logins against multiple accounts over several hours. Once successful, they gained access via RDP and executed various discovery commands to enumerate users and computers within the network.
The intrusion involved the use of credential access tools such as Mimikatz and Nirsoft CredentialsFileView to extract stored credentials and interact with LSASS memory. The threat actor moved laterally to domain controllers and other critical servers, conducting reconnaissance and harvesting credentials throughout the environment. Advanced IP Scanner was used for network mapping, and Rclone was employed to exfiltrate sensitive files over SFTP.
The campaign culminated in the deployment of ransomware, specifically associated with the RansomHub group. The ransomware encrypted files on local hosts and remote servers via SMB, killed running virtual machines, deleted shadow copies, cleared event logs, and dropped a ransom note. The Time to Ransomware (TTR) for this intrusion was approximately 118 hours over six calendar days.
Detailed Analysis
The intrusion began with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted logins against multiple accounts using known malicious IPs. Several hours later, they successfully logged in via RDP with one of the compromised users and ran a series of discovery commands, including various net commands to enumerate users and computers.
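The spray pattern described above (one source, many distinct accounts, failures over hours, then a success) can be surfaced from Windows Security logs. This is an added example, not code from the report: it runs over constructed 4625/4624 records with RDP logon type 10 and flags sources that fail against at least five distinct accounts within a one-hour window, reporting the first successful logon from the same source afterwards.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not from the report:
# (time, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-11-04 01:02:11", 4625, 10, "alice", "203.0.113.5"),
    ("2024-11-04 01:09:40", 4625, 10, "bob", "203.0.113.5"),
    ("2024-11-04 01:15:03", 4625, 10, "carol", "203.0.113.5"),
    ("2024-11-04 01:22:57", 4625, 10, "dave", "203.0.113.5"),
    ("2024-11-04 01:31:19", 4625, 10, "erin", "203.0.113.5"),
    ("2024-11-04 01:38:44", 4625, 10, "frank", "203.0.113.5"),
    ("2024-11-04 03:05:12", 4624, 10, "frank", "203.0.113.5"),   # the spray finally lands
    ("2024-11-04 01:10:00", 4625, 10, "alice", "198.51.100.7"),  # one user mistyping twice
    ("2024-11-04 01:11:30", 4625, 10, "alice", "198.51.100.7"),
    ("2024-11-04 01:12:05", 4624, 10, "alice", "198.51.100.7"),
]

def parse(rows):
    """Turn the tuple records into (datetime, event_id, logon_type, account, ip)."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, lt, user, ip)
            for t, eid, lt, user, ip in rows]

def detect_spray(rows, window=timedelta(hours=1), min_accounts=5, logon_type=10):
    """Return {source_ip: {"accounts": [...], "success": account_or_None}} for every
    source that fails logons against >= min_accounts distinct accounts inside any
    window-long span, plus the first successful logon from that source after the
    spray started (None if the spray never succeeded)."""
    by_ip = defaultdict(list)
    for ev in parse(rows):
        if ev[2] == logon_type:
            by_ip[ev[4]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()                                   # chronological per source
        fails = [e for e in evs if e[1] == 4625]
        for i, start in enumerate(fails):
            # distinct accounts attempted from this source within `window` of `start`
            span = {e[3] for e in fails[i:] if e[0] - start[0] <= window}
            if len(span) >= min_accounts:
                success = next((e[3] for e in evs
                                if e[1] == 4624 and e[0] >= start[0]), None)
                hits[ip] = {"accounts": sorted(span), "success": success}
                break
    return hits
```

A legitimate user failing repeatedly against a single account (the second source above) stays below the distinct-account threshold and is not flagged.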
Credential access tools, specifically Mimikatz and Nirsoft CredentialsFileView, were used to extract stored credentials and interact with LSASS memory. Approximately two hours after initially authenticating to the beachhead host, the threat actor used RDP to move laterally to two domain controllers. Once on the domain controllers, they accessed the Windows Administrative Tools via the graphical user interface (GUI) to examine the DNS management console.
Simultaneously, the threat actor continued to access additional servers and endpoints, conducting similar activities, namely reconnaissance via net commands and credential harvesting using Mimikatz throughout the environment. During this same time frame, Advanced IP Scanner was downloaded via the Microsoft Edge browser, and a network scan was initiated from the beachhead host.
The threat actor then continued lateral movement to additional hosts, targeting backup servers, file servers, hypervisors, and more domain controllers. They ran Mimikatz across several of these hosts, writing CSV output files named for the child domains the hosts belonged to. Based on the logs, we assess this activity was likely intended to confirm that their pivot domain administrator account was present in the various domains.
The threat actor concluded their operations for the day by viewing documents on various file shares after successfully gaining access to several high-value servers within the environment via RDP using their high-privileged account.
On the second day, they returned to the beachhead, reran Advanced IP Scanner, and also ran SoftPerfect NetScan for broader network mapping. Later, Atera was installed via RDP on two backup servers, likely to maintain persistent remote access through legitimate administrative channels. The threat actor then continued with another round of discovery.
At the start of the third day, they employed Rclone to exfiltrate files over SFTP. The Rclone setup used helper scripts and was configured to include specific file types, such as documents, spreadsheets, emails, and image files. The transfer occurred over port 443, but the traffic was confirmed to be SFTP.
On the fifth day, the threat actor returned via Splashtop, which had been installed on one of the backup servers. From there they performed another network sweep using NetScan. They then used RDP to connect to several hosts, including domain controllers, where several user passwords were reset. A little over an hour after becoming active again, now on the sixth day of the intrusion, the threat actor connected to a new server, ran another round of NetScan, and then prepared for their ransomware deployment.
They dropped a binary named amd64.exe and executed it on the host. This started a chain in which files on the local host were encrypted while the binary also reached out to remote hosts, transferred a copy of the ransomware over SMB, and executed that copy on each host using a remote service.
Once run, the ransomware attempted to kill any running virtual machines, set up permissive symlinks, delete shadow copies, and clear event logs. Following this, files were encrypted and a note linking the ransom to the RansomHub group was dropped.
Operational Security Measures
The threat actor employed several operational security measures to evade detection, including the use of legitimate administrative tools for reconnaissance and credential harvesting. The exfiltration of data via SFTP over port 443 made it difficult to detect the malicious traffic amidst regular HTTPS traffic.
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by this intrusion campaign:
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
- Regular Updates: Keep all systems and software up to date with the latest security patches. This includes firewalls, operating systems, and applications. Regular updates help to address known vulnerabilities that can be exploited in intrusions like this one.
- Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help to detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
- Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help to prevent the initial infection and limit the spread of malware within the network.
- Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.
- Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk of falling victim to this sophisticated intrusion campaign and other similar threats.