A recent incident response investigation from The DFIR Report has revealed the tactics employed by RansomHub ransomware operators in an attack that compromised an entire corporate network through an exposed Remote Desktop Protocol (RDP) server. The intrusion, which occurred in November 2024, demonstrates the evolving threat facing organizations with internet-exposed remote access infrastructure. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have identified RansomHub as one of the most active ransomware groups of 2024, with over 210 confirmed victims across critical infrastructure sectors.

Threat actors operating from the IP addresses 185.190.24[.]54 and 185.190.24[.]33 compromised six user accounts over RDP; open-source intelligence confirms that both addresses had a prior history of malicious activity targeting administrative interfaces and firewalls. Once inside, the operators relied on legitimate network administration tools to identify active systems, open ports, and potential lateral movement targets across the compromised environment. They also generated CSV output files for each domain, suggesting they were systematically verifying administrative access across the entire corporate infrastructure, according to the report. Data was staged and exfiltrated with Rclone, consistent with the broader trend among ransomware groups toward "double extortion," in which stolen data serves as additional leverage for ransom demands beyond file encryption alone.

The attack culminated on day six with deployment of the RansomHub ransomware payload, distributed as "amd64.exe". The malware propagated by using the Server Message Block (SMB) protocol to copy itself to remote hosts and then executing those copies through Windows remote services. Prior to encryption, it performed defensive actions, including shutting down virtual machines, deleting volume shadow copies, and clearing Windows event logs, to hinder recovery efforts and forensic analysis.

Organizations are advised to implement multi-factor authentication for RDP access, restrict remote desktop exposure to the internet, and deploy endpoint detection capabilities able to identify credential harvesting and related activity.
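Two of the behaviours described above (a burst of failed RDP logons from one external address followed by a success, and the deletion of shadow copies and clearing of event logs before encryption) are straightforward to detect from Windows Security log telemetry. The following is an added example written for this page; it is not code from The DFIR Report, from the article, or from any RansomHub sample. It runs two simple detection rules over constructed event records that stand in for parsed Windows Security log entries. The two external IP addresses are the ones named in the article; the account names, hostnames, timestamps, command lines, failure threshold and time window are all assumptions made for the example.

```python
"""Detection logic for two phases of the intrusion described above.

Added example, not code from The DFIR Report, RansomHub, or the article.
Rule 1 flags RDP credential brute force: a burst of Windows logon failures
(event 4625) from one source address followed by a successful interactive
RDP logon (event 4624, logon type 10).  Rule 2 flags the pre-encryption
recovery-inhibition steps: process creation (event 4688) command lines that
delete volume shadow copies or clear event logs, plus event 1102 (the audit
log was cleared).  Event records are constructed dicts; the threshold,
window, account names, hosts, command lines and timestamps are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry.  The two external addresses are the ones
# named in the article; everything else is invented for this example.
SAMPLE_EVENTS = [
    # Burst from 185.190.24.54 ending in a successful RDP logon as jsmith.
    {"time": "2024-11-01T02:00:00", "id": 4625, "ip": "185.190.24.54", "user": "jsmith", "logon_type": 3},
    {"time": "2024-11-01T02:00:05", "id": 4625, "ip": "185.190.24.54", "user": "jsmith", "logon_type": 3},
    {"time": "2024-11-01T02:00:10", "id": 4625, "ip": "185.190.24.54", "user": "admin", "logon_type": 3},
    {"time": "2024-11-01T02:00:15", "id": 4625, "ip": "185.190.24.54", "user": "admin", "logon_type": 3},
    {"time": "2024-11-01T02:00:20", "id": 4625, "ip": "185.190.24.54", "user": "jsmith", "logon_type": 3},
    {"time": "2024-11-01T02:00:30", "id": 4624, "ip": "185.190.24.54", "user": "jsmith", "logon_type": 10},
    # Burst from 185.190.24.33 ending in a successful RDP logon as svc_backup.
    {"time": "2024-11-01T02:10:00", "id": 4625, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    {"time": "2024-11-01T02:10:05", "id": 4625, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    {"time": "2024-11-01T02:10:10", "id": 4625, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    {"time": "2024-11-01T02:10:15", "id": 4625, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    {"time": "2024-11-01T02:10:20", "id": 4625, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    {"time": "2024-11-01T02:10:25", "id": 4625, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    {"time": "2024-11-01T02:10:40", "id": 4624, "ip": "185.190.24.33", "user": "svc_backup", "logon_type": 10},
    # One mistyped password then success from an internal workstation: benign.
    {"time": "2024-11-01T08:00:00", "id": 4625, "ip": "10.20.30.40", "user": "jdoe", "logon_type": 10},
    {"time": "2024-11-01T08:00:05", "id": 4624, "ip": "10.20.30.40", "user": "jdoe", "logon_type": 10},
    # Day-six pre-encryption activity on a file server (hypothetical host names).
    {"time": "2024-11-06T03:00:00", "id": 4688, "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-11-06T03:00:05", "id": 4688, "host": "FS01", "cmdline": "wevtutil.exe cl Security"},
    {"time": "2024-11-06T03:00:10", "id": 4688, "host": "WS07", "cmdline": "C:\\Windows\\System32\\notepad.exe"},
    {"time": "2024-11-06T03:00:20", "id": 1102, "host": "FS01"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: [accounts]} for sources whose successful RDP logon
    (4624, logon type 10) was preceded by at least `fail_threshold` failures
    (4625) within `window`.  Failures with logon type 3 are counted too,
    because with Network Level Authentication a bad RDP password is recorded
    as a network logon failure rather than a RemoteInteractive one."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") in (3, 10):
            by_ip[e["ip"]].append(e)
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        compromised = set()
        for i, e in enumerate(evs):
            if e["id"] != 4624:
                continue
            recent_failures = sum(
                1 for f in evs[:i]
                if f["id"] == 4625 and _ts(e) - _ts(f) <= window
            )
            if recent_failures >= fail_threshold:
                compromised.add(e["user"])
        if compromised:
            hits[ip] = sorted(compromised)
    return hits


# Command-line patterns for the recovery-inhibition steps named in the article.
RECOVERY_INHIBITION = (
    ("shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copy deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("event log clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
)


def detect_recovery_inhibition(events):
    """Return [(host, label, evidence)] for shadow copy deletion and log clearing."""
    findings = []
    for e in events:
        if e["id"] == 1102:  # Security log cleared; always worth an alert
            findings.append((e["host"], "security log cleared", "event 1102"))
            continue
        if e["id"] != 4688:
            continue
        cmd = e.get("cmdline", "")
        for label, pattern in RECOVERY_INHIBITION:
            if pattern.search(cmd):
                findings.append((e["host"], label, cmd))
                break
    return findings


if __name__ == "__main__":
    for ip, accounts in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: compromised {', '.join(accounts)}")
    for host, label, evidence in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"{host}: {label} ({evidence})")
```

On the sample data the first rule reports both external addresses and leaves the internal workstation alone, and the second rule reports the file server three times (shadow copy deletion, `wevtutil cl`, and the 1102 audit-log-cleared event). The threshold and window are deliberately exposed as parameters: on a real estate they should be tuned against baseline failure rates, and the brute-force rule is best paired with the MFA and exposure controls the article recommends rather than used as the only line of defence, since a single correct guess produces no failure burst at all.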
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 30 Jun 2025 02:40:20 +0000