How RansomHub Exploits Mimikatz and IP Scanners to Compromise Networks

The RansomHub Ransomware Attack: A Detailed Analysis of a Sophisticated Cyber Intrusion

In November 2024, a meticulously orchestrated cyber attack unfolded, marking a significant escalation in the realm of ransomware threats. This incident, involving the RansomHub ransomware, was recently reported by DFIR Labs, shedding light on the alarming tactics employed by threat actors in today’s digital landscape.

A Sophisticated Attack Unfolds

The assault commenced with a password spray attack against an exposed Remote Desktop Protocol (RDP) server. Over a four-hour window, the attacker attempted logons against multiple user accounts, succeeding where weak passwords were in use. The spray originated from IP addresses already associated with previous cyber incidents (185.190.24.54 and 185.190.24.33). Eventually, the attacker authenticated into six accounts and escalated privileges using a different IP (164.138.90.2).

This initial breach, marked by Windows Security Log Event ID 4624, set the stage for a multi-day operation characterized by credential harvesting, network discovery, and the eventual deployment of ransomware. The attack was detailed in a February 2025 Threat Brief and featured in DFIR Labs’ June 2025 Forensics Challenge, highlighting the persistent vulnerabilities associated with RDP in modern networks.
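As an added example that is not part of the original report or of any DFIR Labs tooling, the following Python checks a batch of Windows Security logon events for the pattern described above: one source address failing RDP logons (Event ID 4625, logon type 10) against many distinct accounts inside a short window, then succeeding (Event ID 4624) on some of them. The event records are constructed; the source addresses reuse the two spray IPs named in the article, and the threshold of five accounts per hour is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report).
# Fields: timestamp, event_id (4625 = failed logon, 4624 = successful logon),
# logon_type (10 = RemoteInteractive, i.e. RDP), source_ip, target_account
SAMPLE_EVENTS = [
    ("2024-11-01T02:00:05", 4625, 10, "185.190.24.54", "j.smith"),
    ("2024-11-01T02:00:09", 4625, 10, "185.190.24.54", "a.jones"),
    ("2024-11-01T02:00:14", 4625, 10, "185.190.24.54", "backupadmin"),
    ("2024-11-01T02:00:20", 4625, 10, "185.190.24.54", "svc_sql"),
    ("2024-11-01T02:00:27", 4625, 10, "185.190.24.54", "m.brown"),
    ("2024-11-01T02:01:02", 4624, 10, "185.190.24.54", "backupadmin"),
    # A user mistyping their own password twice is not a spray.
    ("2024-11-01T02:05:00", 4625, 10, "10.10.8.15", "j.smith"),
    ("2024-11-01T02:05:30", 4625, 10, "10.10.8.15", "j.smith"),
    ("2024-11-01T02:06:00", 4624, 10, "10.10.8.15", "j.smith"),
]


def detect_password_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Return {source_ip: {"accounts_tried": n, "compromised": [...]}} for each
    source that failed RDP logons against at least `min_accounts` distinct
    accounts within `window`, together with the accounts it later logged into."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if logon_type == 10:  # RDP only; other logon types are out of scope here
            by_source[src].append((datetime.fromisoformat(ts), event_id, account))
    findings = {}
    for src, evs in by_source.items():
        evs.sort()
        failures = [(t, acct) for t, eid, acct in evs if eid == 4625]
        # Sliding window: most distinct accounts failed within `window` of any failure.
        peak = 0
        for i, (start, _) in enumerate(failures):
            accounts = {a for t, a in failures[i:] if t - start <= window}
            peak = max(peak, len(accounts))
        if peak < min_accounts:
            continue
        first_failure = failures[0][0]
        # Successful logons from the spraying source after the spray began.
        compromised = sorted({a for t, eid, a in evs if eid == 4624 and t >= first_failure})
        findings[src] = {"accounts_tried": peak, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {info['accounts_tried']} accounts sprayed, "
              f"successful logons: {info['compromised']}")
```

A single source hitting many accounts with a few failures each is the spray signature; per-account lockout thresholds alone will not catch it, which is why the detector keys on distinct accounts per source rather than failures per account.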

From Credential Theft to Network Domination

Once inside the network, the threat actor wasted no time. They deployed notorious credential harvesting tools such as Mimikatz and Nirsoft’s CredentialsFileView to extract sensitive data from the compromised host and beyond. Mimikatz accessed LSASS memory to dump plaintext credentials, while output files named after child domains indicated targeted checks for domain administrator accounts across the environment.

Simultaneously, the attacker initiated discovery operations using living-off-the-land binaries like ‘net’ and ‘nltest’ to map users, groups, and trust relationships. Third-party tools, including Advanced IP Scanner and SoftPerfect NetScan, were employed for broader network enumeration. These scans, evidenced by Sysmon logs and artifacts like temporary ‘delete[.]me’ files, targeted critical ports (135, 445, 3389) to identify vulnerable hosts.

Lateral movement was executed via RDP and SMB, allowing the attacker to compromise domain controllers, backup servers, and hypervisors. High-privileged accounts were used to access file shares and reset user passwords, while legitimate remote management tools like Atera and Splashtop provided persistence. This blending of malicious activity with routine administrative traffic complicated detection efforts; logs also revealed that the attacker operated from a virtualized environment (a VirtualBox NAT IP, 10.0.2.15).

The Climax: Data Exfiltration and Ransomware Deployment

On the third day of the attack, data exfiltration commenced. Utilizing Rclone over SFTP, the attacker transferred 2.03 GB of targeted files—including documents, emails, and images—to a remote server (38.180.245.207:443) within a mere 40 minutes. This operation was facilitated by scripts like ‘nocmd.vbs’ and ‘rcl.bat’.

The culmination of this multi-day operation occurred on the sixth day with the deployment of RansomHub ransomware, executed through a binary named ‘amd64.exe’. The ransomware was spread across the network via RDP and Splashtop sessions, encrypting files, deleting shadow copies, clearing event logs, and leaving ransom notes. With a Time to Ransomware (TTR) of 118 hours, this attack exemplified the devastating potential of combining stolen credentials, network reconnaissance, and ransomware.

Mitigation Strategies for Defenders

In light of this sophisticated attack, defenders must prioritize securing RDP endpoints and monitoring for anomalous logins. Implementing detection rules for tools like Mimikatz and Rclone is crucial in mitigating such threats. Regularly updating passwords, employing multi-factor authentication, and conducting security awareness training for employees can further bolster defenses against similar attacks.

Indicators of Compromise (IOCs)

Understanding the indicators of compromise is essential for organizations to detect and respond to similar threats. The following IOCs were identified during the RansomHub attack:

Type                            Indicator
RDP password spray IPs          185.190.24.54, 185.190.24.33
RDP initial access IP           164.138.90.2
Exfiltration destination        38.180.245.207:443
Ransomware binary (amd64.exe)   SHA256 ec45ebd938e363e36cacb42e968a960fbe4e21ced511f0ea2c0790b743ff3c67

Conclusion

The RansomHub ransomware attack serves as a stark reminder of the evolving landscape of cyber threats. As attackers become increasingly sophisticated, organizations must remain vigilant and proactive in their cybersecurity measures. By understanding the tactics employed in such attacks and implementing robust security protocols, defenders can better protect their networks from the looming threat of ransomware.