Hide Your RDP: Password Spray Leads to RansomHub Deployment

MITRE Techniques

• [T1110.003] Password Spraying – Initial access via repeated login attempts on RDP using known malicious IP addresses (‘password spray attack targeting an internet-facing Remote Desktop Protocol (RDP) server’).
• [T1003.001] LSASS Memory – Credential dumping using Mimikatz targeting LSASS process memory (‘commands targeting the Local Security Authority Subsystem Service (LSASS) process, such as “sekurlsa::logonpasswords”’).
• [T1083] File and Directory Discovery – Using net commands and MMC snap-ins to enumerate users, groups, and files (‘performed discovery of the victim network and enumerated user groups, domain accounts, and computers’).
• [T1046] Network Service Discovery – Leveraged Advanced IP Scanner and NetScan tools to map the network (‘Advanced IP Scanner was downloaded… and a network scan was initiated’).
• [T1048] Exfiltration Over Alternative Protocol – Data exfiltrated over SFTP using Rclone (‘Rclone was used to exfiltrate data to a remote server using SFTP over port 443’).
• [T1021.001] Remote Desktop Protocol – Lateral movement and persistence via RDP sessions across multiple hosts (‘used RDP to move laterally to two domain controllers and other hosts’).
• [T1133] External Remote Services – Use of Atera and Splashtop remote management for persistent access (‘threat actor deployed Atera and Splashtop RMM tools on several hosts’).
• [T1486] Data Encrypted for Impact – Deployment of RansomHub ransomware encrypting files and disrupting systems (‘ransomware encrypted files and deleted shadow copies on local and remote hosts’).
• [T1070.001] Indicator Removal on Host – Deletion of shadow copies and clearing event logs (‘commands used to remove shadow copies and clear Windows logs’).
• [T1543.003] Windows Service – Ransomware executed remote services to propagate (‘executed ransomware on hosts using remote services creating new service entries’).