RDP Under Siege: How RansomHub Uses Mimikatz and IP Scanners to Breach Networks
gbhackers
A threat actor deploying RansomHub ransomware carried out a carefully planned intrusion, beginning in November 2024, that DFIR Labs recently documented.
The intrusion began with a password spray against an internet-exposed Remote Desktop Protocol (RDP) server, cycling a small set of passwords through many user accounts over a four-hour window.
A Sophisticated Attack Unfolds
The spray originated from two IP addresses linked to prior attacks (185.190.24.54 and 185.190.24.33). The attacker successfully authenticated to six accounts and later logged in with elevated privileges from a different IP (164.138.90.2).
This initial access shows up in the Windows Security log as Event ID 4624 (successful logon); the spray's failed attempts preceding it are recorded as Event ID 4625. It set the stage for a multi-day operation spanning credential harvesting, network discovery, and ransomware deployment.
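The two signals described above, a spray (few passwords, many accounts, one source) followed by a successful RDP logon to a sprayed account from a different address, can be hunted for directly in exported Security-log events. The following is an added example, not code from the gbhackers article or from DFIR Labs: the event dictionaries, account names and timestamps are constructed for illustration (only the three IP addresses come from the article), and the field names (`EventID`, `TimeCreated`, `TargetUserName`, `IpAddress`, `LogonType`) are an assumed flattening of Security EventData such as an EVTX-to-JSON exporter would produce.

```python
"""Hunt for an RDP password spray and the logons that follow it.

Added example; not from the article or DFIR Labs. Works over Security-log
events already flattened to dicts (field names are this script's assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_SUCCESS = 4624   # An account was successfully logged on
EVENT_LOGON_FAILED = 4625    # An account failed to log on
LOGON_TYPE_RDP = 10          # RemoteInteractive: RDP / Terminal Services


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _ev(event_id, when, user, ip, logon_type):
    # Minimal stand-in for the fields a Security-log exporter would emit.
    return {"EventID": event_id, "TimeCreated": when, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample log (assumption: not real telemetry). The three external
# IPs are those named in the article; accounts and times are made up.
SAMPLE_EVENTS = [
    # 185.190.24.54 tries one password each against many accounts
    _ev(4625, "2024-11-01T02:00:00", "alice", "185.190.24.54", 10),
    _ev(4625, "2024-11-01T02:05:00", "bob",   "185.190.24.54", 10),
    _ev(4625, "2024-11-01T02:10:00", "carol", "185.190.24.54", 10),
    _ev(4625, "2024-11-01T02:15:00", "dave",  "185.190.24.54", 10),
    _ev(4625, "2024-11-01T02:20:00", "erin",  "185.190.24.54", 10),
    _ev(4625, "2024-11-01T02:25:00", "frank", "185.190.24.54", 10),
    # second attacker source, same pattern
    _ev(4625, "2024-11-01T03:00:00", "alice", "185.190.24.33", 10),
    _ev(4625, "2024-11-01T03:01:00", "bob",   "185.190.24.33", 10),
    _ev(4625, "2024-11-01T03:02:00", "carol", "185.190.24.33", 10),
    _ev(4625, "2024-11-01T03:03:00", "dave",  "185.190.24.33", 10),
    _ev(4625, "2024-11-01T03:04:00", "erin",  "185.190.24.33", 10),
    # a user mistyping their own password: one account, not a spray
    _ev(4625, "2024-11-01T08:00:00", "grace", "10.0.0.5", 10),
    _ev(4625, "2024-11-01T08:00:30", "grace", "10.0.0.5", 10),
    _ev(4624, "2024-11-01T08:01:00", "grace", "10.0.0.5", 10),
    # spray pays off: success for a sprayed account from the spraying IP ...
    _ev(4624, "2024-11-01T03:30:00", "bob",   "185.190.24.54", 10),
    # ... and later from a different IP, reusing a sprayed account
    _ev(4624, "2024-11-01T05:45:00", "dave",  "164.138.90.2", 10),
    # console logon (type 2) is outside an RDP-focused hunt
    _ev(4624, "2024-11-01T09:00:00", "carol", "-", 2),
]


def detect_password_spray(events, min_accounts=5, window=timedelta(hours=4)):
    """Sources whose 4625 failures span >= min_accounts distinct accounts inside
    any window-long period. Keyed on distinct accounts per source, not attempts
    per account: a spray stays under lockout thresholds by design."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == EVENT_LOGON_FAILED:
            by_ip[e["IpAddress"]].append((_ts(e["TimeCreated"]), e["TargetUserName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def spray_followed_by_success(events, spray_hits, logon_type=LOGON_TYPE_RDP):
    """Successful logons (4624) of the given type to any account a spray
    targeted, from ANY source. Pivoting on the account rather than the source
    IP is what catches the later logon from a fresh address."""
    sprayed = set()
    for users in spray_hits.values():
        sprayed.update(users)
    out = []
    for e in events:
        if (e["EventID"] == EVENT_LOGON_SUCCESS and e["LogonType"] == logon_type
                and e["TargetUserName"] in sprayed):
            out.append((e["TimeCreated"], e["TargetUserName"], e["IpAddress"]))
    return sorted(out)


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    for ip, users in hits.items():
        print(f"spray from {ip}: {len(users)} accounts {users}")
    for when, user, ip in spray_followed_by_success(SAMPLE_EVENTS, hits):
        print(f"ALERT {when} 4624/type{LOGON_TYPE_RDP} {user} from {ip}")
```

On the sample data both attacker addresses are reported as spray sources, the single mistyped password from 10.0.0.5 is not, and the two alerts are the logon as `bob` from 185.190.24.54 and the later logon as `dave` from 164.138.90.2. The second alert is the one an IP-only rule would miss; correlating on the sprayed accounts is what surfaces the follow-on access from a new address.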
The attack, detailed in a February 2025 Threat Brief and featured in DFIR Labs’ June 2025 Forensics Challenge, underscores the persistent ...
Copyright of this story solely belongs to gbhackers.