Hide Your RDP Password Spray Leads to RansomHub Deployment

Threat Report

Hide Your RDP: Password Spray Leads to RansomHub Deployment

A detailed analysis of a sophisticated cyber intrusion involving password spraying and ransomware deployment.

Threat Overview

The threat report published by AlienVault on June 30, 2025, details an intricate cyber intrusion that began in November 2024. The attack targeted an internet-facing RDP server using a password spray technique: over several hours, the threat actor used known malicious IPs to attempt logins against many different accounts. Once an attempt succeeded, they logged into the compromised user's account via RDP and ran discovery commands, such as Windows net commands, to enumerate users and computers within the network.

The attackers utilized credential access tools like Mimikatz and Nirsoft CredentialsFileView to extract stored credentials and interact with LSASS memory. This allowed them to move laterally across the network, accessing domain controllers and other critical servers. They conducted extensive reconnaissance using tools like Advanced IP Scanner and SoftPerfect NetScan for broader network mapping.

The intrusion spanned six days, during which the threat actor exfiltrated sensitive files using Rclone over SFTP on port 443. On the final day, they deployed ransomware named amd64.exe, encrypting files on local hosts and spreading to remote hosts via SMB. The ransomware also attempted to kill running virtual machines, delete shadow copies, clear event logs, and drop a ransom note linking to the RansomHub group.

Detailed Analysis

The intrusion began with a password spray attack against an internet-facing RDP server. Because each account receives only a few attempts, spread over a prolonged period, this method avoids triggering account lockout policies while still covering many accounts. The source IPs were already flagged as malicious in OSINT, which indicates that the threat actor had prior knowledge of, or access to, these IP addresses.
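A password spray has a distinctive shape in authentication telemetry: one source fails against many different accounts with few attempts each, whereas a brute force hammers one account. The detector below, an added example that is not part of the original report, applies a sliding-window fan-out rule to Windows failed-logon (Event ID 4625) records. The log format is a constructed, simplified one-line-per-event export (timestamp, event id, src, user, logon_type); the sample events and IP addresses are made up for the example.

```python
"""Password-spray detector over simplified Windows 4625 (failed logon) events.

Added example, not from the original report. Assumed log format, one event
per line (constructed for this example):
    <ISO timestamp> <event id> src=<ip> user=<account> logon_type=<n>

Rule: a source IP that fails logons against at least MIN_ACCOUNTS distinct
accounts within WINDOW_MINUTES is flagged as spraying. The logon_type field
is carried only for context; RDP failures show up as type 10, or type 3 when
Network Level Authentication is in use, so the rule ignores it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_MINUTES = 60
MIN_ACCOUNTS = 5

# Constructed sample: one spraying source (203.0.113.10), one user who
# mistyped a password twice (198.51.100.7), and one noisy service account
# failing repeatedly from a single host (192.0.2.50). Only the first is a spray.
SAMPLE_LOG = """\
2024-11-01T02:00:05 4625 src=203.0.113.10 user=alice logon_type=10
2024-11-01T02:00:09 4625 src=203.0.113.10 user=bob logon_type=10
2024-11-01T02:00:14 4625 src=203.0.113.10 user=carol logon_type=10
2024-11-01T02:00:20 4625 src=203.0.113.10 user=dave logon_type=10
2024-11-01T02:00:27 4625 src=203.0.113.10 user=erin logon_type=10
2024-11-01T02:00:33 4625 src=203.0.113.10 user=frank logon_type=10
2024-11-01T09:15:00 4625 src=198.51.100.7 user=alice logon_type=10
2024-11-01T09:15:20 4625 src=198.51.100.7 user=alice logon_type=10
2024-11-01T10:00:00 4625 src=192.0.2.50 user=svc_backup logon_type=3
2024-11-01T10:00:30 4625 src=192.0.2.50 user=svc_backup logon_type=3
2024-11-01T10:01:00 4625 src=192.0.2.50 user=svc_backup logon_type=3
"""


def parse_event(line):
    """Split one constructed log line into (timestamp, event_id, fields)."""
    ts, event_id, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), int(event_id), fields


def detect_spray(log_text, window_minutes=WINDOW_MINUTES, min_accounts=MIN_ACCOUNTS):
    """Return {source_ip: sorted list of targeted accounts} for sources whose
    distinct-account fan-out within the window reaches min_accounts."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # src ip -> deque of (timestamp, account) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, fields = parse_event(line)
        if event_id != 4625:
            continue  # only failed logons feed the rule
        src = fields["src"]
        queue = recent[src]
        queue.append((ts, fields["user"]))
        # Drop events that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        accounts = {user for _, user in queue}
        if len(accounts) >= min_accounts:
            alerts[src] = sorted(accounts)  # keeps the fullest account set seen
    return alerts


if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(accounts)} accounts -> {', '.join(accounts)}")
```

The threshold and window are the tuning knobs: a low fan-out over a long window catches the slow, lockout-aware spray described above, at the cost of more review work for sources such as shared NAT gateways, which is why the output carries the account list rather than just a count.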

Once inside the network, the threat actor executed several discovery commands to understand the environment better. They used Mimikatz and Nirsoft CredentialsFileView to harvest credentials, which facilitated lateral movement across the network. The attackers accessed domain controllers and other critical servers, using Windows Administrative Tools via the GUI to examine DNS management consoles.

The threat actor employed Advanced IP Scanner and SoftPerfect NetScan for comprehensive network mapping. This allowed them to identify additional targets within the environment, including backup servers, file servers, hypervisors, and more domain controllers. They used Mimikatz extensively across these hosts and wrote its output to CSV files named after child domains, confirming that the domain administrator account they were pivoting with was present in each.

On the second day, the attackers returned to the beachhead host and reran network scanning tools. They installed Atera on two backup servers, likely to maintain persistent remote access through legitimate administrative channels. On the third day, they used Rclone to exfiltrate files over SFTP, transferring documents, spreadsheets, emails, and image files.

The fifth day saw the threat actor return via Splashtop installed on a backup server. They performed another network sweep using Netscan and connected to several hosts, including domain controllers, where they reset user passwords. On the sixth day, they prepared for ransomware deployment by dropping the amd64.exe binary and executing it. This initiated a chain reaction where files were encrypted locally and remotely via SMB.

The ransomware attempted to kill running virtual machines, set up permissive symlinks, delete shadow copies, clear event logs, and drop a ransom note linking to RansomHub. The Time to Ransomware (TTR) for this intrusion was approximately 118 hours over six calendar days.
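The actions listed above (deleting shadow copies, clearing event logs, relaxing symlink evaluation) are staging steps that precede encryption and show up in process-creation telemetry before the ransom note does. The detector below is an added example, not part of the original report: it matches those behaviours against a constructed, pipe-delimited export of Windows process-creation (Event ID 4688) events and escalates a host that exhibits two or more distinct behaviours within a short correlation window. Host names, users, and the sample command lines are made up for the example.

```python
"""Detect ransomware staging commands in process-creation telemetry and
correlate them per host.

Added example, not from the original report. Assumed input format, one event
per line (constructed for this example):
    <ISO timestamp>|<host>|<user>|<command line>

Each rule corresponds to a behaviour the report attributes to the ransomware.
One hit on a host is reported at 'medium'; two or more distinct behaviours
on the same host within CORRELATION_MINUTES are escalated to 'high'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CORRELATION_MINUTES = 30

# Rule name -> pattern applied to the lower-cased command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b|\bclear-eventlog\b"),
    "symlink_evaluation_change": re.compile(
        r"\bfsutil(\.exe)?\b.*\bbehavior\s+set\s+symlinkevaluation\b"),
}

# Constructed sample: FS01 shows three staging behaviours within seconds
# (plus a benign 'list shadows'); DC02 shows a benign log query and a single
# log clear, which on its own is only a medium-severity finding.
SAMPLE_EVENTS = """\
2024-11-06T14:02:10|FS01|CORP\\svc_admin|vssadmin.exe list shadows
2024-11-06T14:02:15|FS01|CORP\\svc_admin|vssadmin.exe delete shadows /all /quiet
2024-11-06T14:02:18|FS01|CORP\\svc_admin|fsutil behavior set SymlinkEvaluation R2L:1 R2R:1
2024-11-06T14:02:21|FS01|CORP\\svc_admin|wevtutil.exe cl Security
2024-11-06T15:30:00|DC02|CORP\\itops|wevtutil.exe qe Security /c:5
2024-11-06T16:00:00|DC02|CORP\\itops|wevtutil.exe cl Application
"""


def parse_event(line):
    """Split one constructed line into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    lowered = cmdline.lower()
    return [name for name, pattern in RULES.items() if pattern.search(lowered)]


def _summarize(host, cluster):
    behaviours = sorted({rule for _, rule, _, _ in cluster})
    return {
        "host": host,
        "severity": "high" if len(behaviours) >= 2 else "medium",
        "behaviours": behaviours,
        "first_seen": cluster[0][0].isoformat(),
        "last_seen": cluster[-1][0].isoformat(),
        "commands": [cmd for _, _, _, cmd in cluster],
    }


def analyze(events_text, correlation_minutes=CORRELATION_MINUTES):
    """Return one alert dict per (host, cluster of hits within the window)."""
    window = timedelta(minutes=correlation_minutes)
    hits = defaultdict(list)  # host -> [(timestamp, rule, user, cmd)]
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = parse_event(line)
        for rule in match_rules(cmd):
            hits[host].append((ts, rule, user, cmd))
    alerts = []
    for host, items in hits.items():
        items.sort()
        # A new cluster starts when a hit falls outside the window that
        # opened with the cluster's first hit.
        cluster = [items[0]]
        for item in items[1:]:
            if item[0] - cluster[0][0] <= window:
                cluster.append(item)
            else:
                alerts.append(_summarize(host, cluster))
                cluster = [item]
        alerts.append(_summarize(host, cluster))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']}: {', '.join(alert['behaviours'])}")
```

Correlating per host rather than alerting on each command is what separates an administrator's one-off log clear from staging: the 118-hour intrusion above ended with all three behaviours landing on the same hosts within moments of each other, and that combination is worth paging on even if each command alone is tolerated in the environment.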

Operational Security Measures

The threat actor demonstrated sophisticated operational security throughout the intrusion. They relied on legitimate administrative tools and techniques to blend in with normal network activity, which made detection more challenging. Their use of known malicious IPs and of credential harvesting tools such as Mimikatz further indicates a high level of capability.

Recommendations for Mitigation

Organizations can implement several measures to mitigate the threat posed by similar cyber intrusions:

  • Network Segmentation: Implement network segmentation to limit lateral movement within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between them.
  • Regular Updates: Keep all systems and software up to date with the latest security patches. This includes firewalls, operating systems, and applications. Regular updates help address known vulnerabilities that can be exploited by attackers.
  • Intrusion Detection Systems (IDS): Deploy IDS to monitor network traffic for signs of malicious activity. IDS can help detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
  • Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help prevent initial infections and limit the spread of malware within the network.
  • Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
  • Regular Backups: Maintain regular backups of critical data to ensure it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by malware.
  • Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations can significantly reduce the risk of falling victim to sophisticated cyber intrusions like the one detailed in this report.

