
The DFIR Report’s latest case study exposes the meticulous six-day operation of a threat actor who leveraged Remote Desktop Protocol (RDP) misconfigurations, password spraying, and legitimate tools to breach an enterprise network and deploy RansomHub ransomware.
The attack began in November 2024, with the adversary conducting password spray attempts on an internet-facing RDP server. As the report notes:
“The activity spanned approximately four hours and originated from two IP addresses under one ISP: 185.190.24.54 and 185.190.24.33.”
Shortly after, the attacker successfully authenticated using a compromised account with elevated privileges and began reconnaissance using net and ipconfig, preparing the ground for lateral movement.
After compromising the Initial Access User, the attacker moved laterally across the network. Discovery tools like Advanced IP Scanner and SoftPerfect NetScan were deployed. Notably:
“The threat actor also deployed Atera and Splashtop RMM tools on several hosts… enabling persistent remote access through legitimate administrative channels.”
They used Mimikatz and CredentialsFileView to dump credentials from LSASS, storing results in CSVs named after internal child domains.
On the third day, data exfiltration began using Rclone, hidden under a nocmd.vbs wrapper script:
“The Rclone setup used helper scripts and was configured to include specific file types, such as documents, spreadsheets, emails, and image files.”
Outbound SFTP traffic over port 443 was observed, disguising exfiltration under HTTPS activity. Logs revealed approximately 2.03 GB of data was stolen.
By day six, the attacker had laid enough groundwork for the final blow. They dropped and executed the ransomware binary named amd64.exe, propagating across systems via SMB and remote service creation:
“Once run, the ransomware tried to kill any running virtual machines, set up permissive symlinks, delete shadow copies, and clear event logs.”
Victims were left with encrypted files and a RansomHub ransom note.

The adversary’s playbook was notable not for zero-days, but for its efficiency with legitimate tools and Windows features:
- RDP sessions to move and operate interactively
- MMC snap-ins (e.g., dnsmgmt.msc, dssite.msc) to explore and control the domain
- Credential theft without triggering early detections
- Persistence through remote management software
- Defense evasion via vssadmin, wevtutil, and symlink abuse
This case reinforces the need to:
- Disable or strictly restrict RDP exposure to the internet
- Monitor for anomalous Event ID 4624 (logon), 7045 (service install), and Sysmon Event IDs
- Detect credential theft patterns and unauthorized RMM deployments
- Inspect data egress over unexpected SFTP tunnels, even if port 443 is used
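Two of the detection points above, an RDP logon (4624, LogonType 10) sourced from outside the internal ranges and a service install (7045) on a host shortly after an RDP logon to it, as an added example that is not from the DFIR Report. The event records, internal CIDR ranges and the one-hour window are constructed assumptions standing in for normalised Windows Security and System logs.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not from the DFIR Report). Field names mimic
# Windows Security 4624 / System 7045 records after JSON normalisation.
EVENTS = [
    {"time": "2024-11-01T08:00:00", "id": 4624, "host": "RDP-GW", "user": "jsmith",
     "logon_type": 10, "src_ip": "185.190.24.54"},            # RDP from the internet
    {"time": "2024-11-01T08:03:00", "id": 4624, "host": "FS01", "user": "jsmith",
     "logon_type": 10, "src_ip": "10.10.5.20"},               # internal RDP hop
    {"time": "2024-11-01T08:10:00", "id": 7045, "host": "FS01",
     "service": "svc_deploy", "image": "C:\\Windows\\amd64.exe"},  # service created 7 min later
    {"time": "2024-11-02T09:00:00", "id": 4624, "host": "WS22", "user": "anna",
     "logon_type": 2, "src_ip": "-"},                        # console logon, benign
]

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True for a routable address that is not in any internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:           # "-" or "::1" style placeholders are not external
        return False
    return addr.is_global and not any(addr in net for net in INTERNAL)


def rdp_logons_from_internet(events):
    """4624 with LogonType 10 (RemoteInteractive, i.e. RDP) from an external source IP."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10 and is_external(e.get("src_ip", ""))]


def service_installs_after_rdp(events, window=timedelta(hours=1)):
    """7045 on a host within `window` after an RDP logon to that same host: the
    remote-service-creation pattern that followed interactive lateral movement."""
    rdp_times = {}
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            rdp_times.setdefault(e["host"], []).append(datetime.fromisoformat(e["time"]))
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        t = datetime.fromisoformat(e["time"])
        if any(timedelta(0) <= t - r <= window for r in rdp_times.get(e["host"], [])):
            hits.append(e)
    return hits
```

Correlating on the host rather than the user matters here: the service install is a separate System-log event with no logon ID, so the host and time window are the only join keys available.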
As the DFIR Report team concludes:
“The Time to Ransomware (TTR) for this intrusion was around 118 hours over six calendar days.”