A forensic analysis by The DFIR Report has uncovered the advanced tactics used by the RansomHub ransomware group in a strategic cyberattack that compromised a corporate environment through a vulnerable Remote Desktop Protocol (RDP) server.

The breach, which occurred in November 2024, highlights the increasing sophistication of ransomware groups targeting remote infrastructure.

Attack Chain Summary:

  1. Initial Access:
    Threat actors launched a password spray attack against an exposed RDP server, compromised six user accounts, and then escalated privileges, operating from malicious IPs already linked to previous threats.
  2. Credential Theft:
    Tools like Mimikatz and Nirsoft’s CredentialsFileView were used to dump LSASS memory and harvest credentials, including domain admin accounts across multiple child domains.
  3. Network Discovery:
    A blend of built-in Windows utilities (net, ping, ipconfig) and third-party tools like Advanced IP Scanner and SoftPerfect NetScan enabled comprehensive mapping of the network for lateral movement.
  4. Persistence and Control:
    Remote management software (Atera, Splashtop) was installed, and account passwords were changed to maintain access.
  5. Data Exfiltration:
    Over 2GB of sensitive files were stolen via Rclone using SFTP over port 443, as part of a calculated “double extortion” strategy.
  6. Payload Deployment:
    On Day 6, RansomHub ransomware (amd64.exe) was pushed via SMB and remote services, encrypting data, deleting backups, shutting down VMs, and erasing event logs.

The entire operation spanned 118 hours, marked by stealthy lateral movement, careful timing, and automated escalation techniques.

Malicious IP Activity

The attackers operated from known IP addresses 185.190.24[.]54 and 185.190.24[.]33, which OSINT sources had already flagged for targeting enterprise firewall and admin interfaces.

Tactical Execution

The attackers adopted a “low and slow” strategy—pausing after initial access before launching their reconnaissance phase—to bypass common brute-force detection mechanisms.
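The "low and slow" pacing described above is exactly what a burst-rate rule misses: one attempt per account, spaced hours apart, never trips a failures-per-minute threshold. The following Python is an added example (not code from The DFIR Report or this article) that instead counts distinct target accounts per source IP over a long window of Windows Security 4625 events; the records, account names and timestamps are constructed, and only the source IP is taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Windows Security 4625 (failed logon) records, reduced to the fields a
# spray detector needs. Not logs from the incident: the source IP is the one named in
# the report; account names and timestamps are made up. Six accounts, one try each.
SAMPLE_EVENTS = [
    "2024-11-01T01:00:00 4625 LogonType=10 TargetUserName=administrator IpAddress=185.190.24.54",
    "2024-11-01T02:30:00 4625 LogonType=10 TargetUserName=jdoe IpAddress=185.190.24.54",
    "2024-11-01T04:10:00 4625 LogonType=3 TargetUserName=backup IpAddress=185.190.24.54",
    "2024-11-01T05:45:00 4625 LogonType=10 TargetUserName=svc_sql IpAddress=185.190.24.54",
    "2024-11-01T07:20:00 4625 LogonType=10 TargetUserName=helpdesk IpAddress=185.190.24.54",
    "2024-11-01T09:00:00 4625 LogonType=10 TargetUserName=msmith IpAddress=185.190.24.54",
    # One internal user mistyping a password: a burst of failures, but a single account.
    "2024-11-01T08:00:00 4625 LogonType=10 TargetUserName=msmith IpAddress=10.0.0.15",
    "2024-11-01T08:00:30 4625 LogonType=10 TargetUserName=MSmith IpAddress=10.0.0.15",
    "2024-11-01T08:01:00 4625 LogonType=10 TargetUserName=msmith IpAddress=10.0.0.15",
]
EVENT_RE = re.compile(r"^(?P<ts>\S+) 4625 LogonType=(?P<lt>\d+) "
                      r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse_events(lines):
    """Parse the simplified records, skipping malformed lines; user names are case-folded."""
    matches = (EVENT_RE.match(line) for line in lines)
    return [{"ts": datetime.fromisoformat(m["ts"]), "logon_type": int(m["lt"]),
             "user": m["user"].lower(), "ip": m["ip"]} for m in matches if m]

def detect_password_spray(events, window=timedelta(hours=24), min_accounts=5):
    """Source IP -> sorted distinct accounts, for every IP whose failed logons touch at
    least `min_accounts` accounts inside one `window`. Logon type 10 is RDP; with Network
    Level Authentication the failure is usually recorded as type 3, so both are kept."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] in (10, 3):
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts

def peak_failures(events, ip, window=timedelta(minutes=5)):
    """Most failures from `ip` in any `window`: what a burst (rate) rule would see."""
    ts = sorted(e["ts"] for e in events if e["ip"] == ip)
    return max((sum(t - s <= window for t in ts[i:]) for i, s in enumerate(ts)), default=0)
```

On the sample, the spray IP never exceeds one failure in any five-minute window while the mistyping user peaks at three, yet only the spray IP touches enough distinct accounts to alert.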

Authorities Respond

U.S. cyber agencies including the FBI and CISA have flagged RansomHub as one of the most prolific ransomware groups of 2024, with more than 210 confirmed victims, especially within critical infrastructure sectors.


Cybersecurity Recommendations:

  • Enforce Multi-Factor Authentication (MFA) on all remote services.
  • Avoid exposing RDP directly to the internet.
  • Use EDR/XDR tools to detect credential theft and unusual admin behavior early.
  • Regularly audit remote access tools and user permissions.
