
Hide Your RDP: Password Spray Leads to RansomHub Deployment

Severity: Medium
Published: Mon Jun 30 2025 (06/30/2025, 18:49:24 UTC)
Source: AlienVault OTX General

Description

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery. The attackers utilized Rclone for data exfiltration via SFTP and deployed RansomHub ransomware across the network using SMB and remote services. The intrusion lasted six days, culminating in widespread encryption and ransom demands. Key phases included initial access, lateral movement, credential theft, data exfiltration, and ransomware deployment, demonstrating a sophisticated and multi-staged attack methodology.

AI-Powered Analysis

Last updated: 07/01/2025, 08:24:34 UTC

Technical Analysis

This threat report describes a sophisticated multi-stage cyberattack leveraging exposed Remote Desktop Protocol (RDP) servers as the initial attack vector. The attackers employed a password spray technique to gain unauthorized access to vulnerable RDP endpoints. Password spraying involves systematically attempting commonly used passwords across many accounts to avoid account lockouts and detection. Once initial access was achieved, the adversaries used credential harvesting tools such as Mimikatz and Nirsoft utilities to extract plaintext credentials and hashes from compromised systems. This credential theft facilitated lateral movement within the network, allowing the attackers to escalate privileges and expand their foothold. The attackers utilized living-off-the-land (LotL) techniques, leveraging legitimate system tools and utilities to avoid detection. For network discovery, they used Advanced IP Scanner, enabling them to map the internal network and identify additional targets. Data exfiltration was conducted using Rclone, a legitimate cloud storage synchronization tool, configured to transfer stolen data via SFTP to attacker-controlled infrastructure. The final stage involved deploying RansomHub ransomware across the network, using SMB and remote services to propagate and encrypt files on multiple systems. The entire intrusion persisted for six days, culminating in widespread encryption of organizational data and ransom demands. This attack chain highlights the threat actor’s operational sophistication, combining brute-force initial access, credential theft, stealthy lateral movement, data exfiltration, and ransomware deployment. The use of common administrative tools and legitimate software complicates detection and response efforts. The absence of a CVSS score notwithstanding, the attack demonstrates significant risk due to its multi-vector approach and potential for severe operational disruption.

Potential Impact

For European organizations, this threat poses substantial risks to confidentiality, integrity, and availability of critical data and systems. The initial compromise via exposed RDP servers is a common vulnerability in many enterprises, particularly those with remote work infrastructures. Successful exploitation can lead to widespread credential compromise, enabling attackers to move laterally and escalate privileges, thereby undermining network security comprehensively. Data exfiltration risks the exposure of sensitive personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. The deployment of RansomHub ransomware can cause significant operational downtime, financial losses due to ransom payments or recovery costs, and disruption of essential services. Given the attack duration of six days, organizations may experience prolonged exposure and damage before detection and remediation. The use of living-off-the-land techniques and legitimate tools increases the likelihood of evading traditional security controls, complicating incident response. European organizations with insufficiently hardened RDP configurations, weak password policies, or inadequate network segmentation are particularly vulnerable. The threat also underscores the importance of monitoring for anomalous use of administrative tools and network scanning activities.

Mitigation Recommendations

1. Restrict RDP exposure: disable direct internet-facing RDP access. Use VPNs or secure gateways with multi-factor authentication (MFA) to access RDP services.
2. Enforce strong password policies and account lockout thresholds to mitigate password spray attacks. Implement MFA on all remote access points.
3. Monitor and restrict use of credential dumping tools like Mimikatz by applying application whitelisting and endpoint detection and response (EDR) solutions capable of detecting such behaviors.
4. Employ network segmentation to limit lateral movement opportunities. Critical systems should be isolated with strict access controls.
5. Monitor network traffic for unusual scanning activity (e.g., Advanced IP Scanner) and data exfiltration attempts, especially via uncommon protocols or tools like Rclone.
6. Implement robust logging and continuous monitoring to detect living-off-the-land techniques and anomalous administrative tool usage.
7. Regularly update and patch systems to reduce vulnerabilities that could be exploited during lateral movement.
8. Conduct regular security awareness training focusing on credential security and recognizing signs of compromise.
9. Prepare and test incident response and ransomware recovery plans, including offline backups to ensure data restoration without paying ransom.
10. Use threat intelligence feeds to update detection rules with indicators of compromise (IOCs) such as the hashes and IP addresses provided in the report.
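As an added illustration of recommendations 2 and 6 (example code written for this page, not part of the report or The DFIR Report's tooling), the script below looks for the password-spray shape in Windows failed-logon events: one source touching many accounts a few times each, which stays under per-account lockout thresholds. The event records are constructed; Event ID 4625 and logon type 10 (RemoteInteractive) are standard Windows values, and the thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security Event ID 4625
# (failed logon). Logon type 10 = RemoteInteractive (classic RDP); RDP
# behind Network Level Authentication often records failures as type 3.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T02:00:01", "src_ip": "198.51.100.23", "account": "administrator", "logon_type": 10},
    {"time": "2025-06-01T02:00:09", "src_ip": "198.51.100.23", "account": "backup", "logon_type": 10},
    {"time": "2025-06-01T02:00:17", "src_ip": "198.51.100.23", "account": "finance", "logon_type": 3},
    {"time": "2025-06-01T02:00:25", "src_ip": "198.51.100.23", "account": "helpdesk", "logon_type": 10},
    {"time": "2025-06-01T02:00:33", "src_ip": "198.51.100.23", "account": "jsmith", "logon_type": 10},
    {"time": "2025-06-01T02:00:41", "src_ip": "198.51.100.23", "account": "svc_sql", "logon_type": 3},
    # A user mistyping their own password: one account, several tries (not a spray).
    {"time": "2025-06-01T02:05:00", "src_ip": "10.0.0.5", "account": "jsmith", "logon_type": 10},
    {"time": "2025-06-01T02:05:10", "src_ip": "10.0.0.5", "account": "jsmith", "logon_type": 10},
    {"time": "2025-06-01T02:05:20", "src_ip": "10.0.0.5", "account": "jsmith", "logon_type": 10},
    # Console logon failure (type 2): not RDP, ignored by the detector.
    {"time": "2025-06-01T02:06:00", "src_ip": "192.0.2.9", "account": "kiosk", "logon_type": 2},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5,
                          max_per_account=2, rdp_logon_types=(3, 10)):
    """Return {source_ip: [accounts]} for sources whose failed RDP logons touch at
    least `min_accounts` distinct accounts inside any `window`, with no single
    account tried more than `max_per_account` times there. Many accounts, few
    tries each, is the spray shape: it stays under per-account lockout
    thresholds, which is exactly why a per-account alert misses it."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in rdp_logon_types:
            by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev["account"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide the window over each start point
            counts = Counter(acct for t, acct in attempts[i:] if t - start <= window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits


if __name__ == "__main__":
    for src, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts {accounts}")
```

On real data, feed it 4625 events exported from the Security log or a SIEM and correlate a hit with a later 4624 success from the same source, which is the point at which the spray in this report turned into initial access.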


Technical Details

Author: AlienVault
TLP: white
References: https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
Adversary: RansomHub
Pulse Id: 6862dc349ae605bef0998ced
Threat Score: null

Indicators of Compromise


Threat ID: 686397b46f40f0eb728e9e67

Added to database: 7/1/2025, 8:09:24 AM

Last enriched: 7/1/2025, 8:24:34 AM

Last updated: 7/15/2025, 11:04:30 PM
