
Stop the RansomHub Playbook in Its Tracks

In a revealing case outlined by Cyber Security News, threat actors deployed RansomHub ransomware after gaining entry through an internet-exposed Remote Desktop Protocol (RDP) server. The intrusion is a clear illustration of the limits of relying on detect-and-respond strategies alone.


The Attack Unfolded Over 118 Hours

  • Initial Access via RDP
    In November 2024, attackers ran a password-spray attack against an internet-facing RDP server from a set of malicious IP addresses, compromising six user accounts.

  • Credential Harvesting & Discovery
    Once inside, they escalated privileges and deployed Mimikatz to dump credentials from LSASS memory, alongside NirSoft utilities to recover passwords stored on the host. Advanced IP Scanner and NetScan were then used to map out the environment.

  • Persistence & Movement
    Remote administration tools—Atera and Splashtop—were installed on backup servers to maintain access, while lateral moves targeted domain controllers and critical systems.

  • Data Exfiltration
    On day three, Rclone was run with custom scripts to exfiltrate over 2 GB of sensitive files via SFTP over TCP port 443, a non-standard port for SFTP that lets the transfer blend in with ordinary HTTPS traffic.

  • Ransomware Deployment & Impact
    On day six, the RansomHub binary (amd64.exe) was executed. It spread via SMB, encrypted files, deleted backups and cleared event logs, completing the chain in roughly 118 hours.
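
The first step of the chain above, the RDP password spray, is the one most visible in ordinary Windows Security logs, so it is worth showing what the detection actually has to do. The following is an added example, not code from the original article, from the Cyber Security News write-up, or from AppGuard/CHIPS. It assumes logon events have already been parsed into records with an event ID, account, source IP, logon type and timestamp (the shape a SIEM or Winlogbeat pipeline provides); the IP addresses, account names, timestamps and thresholds are all constructed for illustration. The point it makes is that a spray is a small number of failures against many distinct accounts from one source, so counting distinct accounts per source IP, not raw failures, is what separates it from a user mistyping a password or a service account with a stale credential.

```python
"""Password-spray detection over Windows logon events.

Added example (not from the original post, Cyber Security News or AppGuard).
Event IDs: 4625 = failed logon, 4624 = successful logon. With Network Level
Authentication enabled, RDP failures are usually logged with LogonType 3 on
the host; the value is kept only so the records look realistic.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, event_id, account, ip, logon_type=10):
    # Build one constructed Security-log record (fields assumed, see lead-in).
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": event_id,
        "account": account.lower(),
        "source_ip": ip,
        "logon_type": logon_type,
    }


# Constructed addresses (documentation ranges), not real infrastructure.
SPRAY_IP = "203.0.113.45"     # attacker: one guess per account, then two successes
SPRAY_IP_2 = "203.0.113.46"   # attacker: five accounts, no success
LEGIT_IP = "198.51.100.7"     # employee who mistypes twice then logs in
NOISY_IP = "198.51.100.22"    # monitoring box with a stale service password

SAMPLE_EVENTS = [
    _ev("2024-11-04T02:00:05", 4625, "jsmith", SPRAY_IP),
    _ev("2024-11-04T02:01:10", 4625, "mlee", SPRAY_IP),
    _ev("2024-11-04T02:02:30", 4625, "rpatel", SPRAY_IP),
    _ev("2024-11-04T02:04:00", 4625, "backupsvc", SPRAY_IP),
    _ev("2024-11-04T02:05:45", 4625, "administrator", SPRAY_IP),
    _ev("2024-11-04T02:07:20", 4625, "tnguyen", SPRAY_IP),
    _ev("2024-11-04T02:09:00", 4625, "kwong", SPRAY_IP),
    _ev("2024-11-04T02:15:00", 4624, "jsmith", SPRAY_IP),
    _ev("2024-11-04T02:16:30", 4624, "mlee", SPRAY_IP),
    _ev("2024-11-04T03:00:00", 4625, "hr-admin", SPRAY_IP_2),
    _ev("2024-11-04T03:02:00", 4625, "finance1", SPRAY_IP_2),
    _ev("2024-11-04T03:04:00", 4625, "it-helpdesk", SPRAY_IP_2),
    _ev("2024-11-04T03:06:00", 4625, "printsvc", SPRAY_IP_2),
    _ev("2024-11-04T03:08:00", 4625, "vpnuser", SPRAY_IP_2),
    _ev("2024-11-04T08:30:00", 4625, "aharris", LEGIT_IP),
    _ev("2024-11-04T08:30:20", 4625, "aharris", LEGIT_IP),
    _ev("2024-11-04T08:30:45", 4624, "aharris", LEGIT_IP),
] + [
    # six failures in six minutes, but all against a single account
    _ev(f"2024-11-04T04:0{m}:00", 4625, "svc-monitor", NOISY_IP, logon_type=3)
    for m in range(6)
]


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag source IPs whose failed logons hit >= min_accounts distinct accounts
    inside any `window`. Returns {ip: sorted list of targeted accounts}."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append((e["time"], e["account"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # Distinct accounts failed from this IP within `window` of attempt i.
            seen = {acct for t, acct in attempts[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                flagged[ip] = sorted(seen)
                break
    return flagged


def successes_after_spray(events, flagged):
    """Successful logons from a flagged IP after its spray began: the accounts
    to treat as compromised. Returns [(ip, account, iso_time), ...]."""
    ordered = sorted(events, key=lambda e: e["time"])
    first_failure = {}
    for e in ordered:
        if e["event_id"] == 4625 and e["source_ip"] in flagged:
            first_failure.setdefault(e["source_ip"], e["time"])
    hits = []
    for e in ordered:
        started = first_failure.get(e["source_ip"])
        if e["event_id"] == 4624 and started is not None and e["time"] >= started:
            hits.append((e["source_ip"], e["account"], e["time"].isoformat()))
    return hits


if __name__ == "__main__":
    sprayers = detect_password_spray(SAMPLE_EVENTS)
    for ip, accounts in sprayers.items():
        print(f"password spray from {ip}: {len(accounts)} accounts {accounts}")
    for ip, account, when in successes_after_spray(SAMPLE_EVENTS, sprayers):
        print(f"COMPROMISED: {account} via {ip} at {when}")
```

Run against the constructed sample, the two spraying addresses are flagged and the two post-spray successes are reported as compromised accounts, while the employee retrying her own password and the monitoring host hammering a single service account are not. The 30-minute window and five-account threshold are assumptions to tune per environment; a "low-and-slow" spray spaced out over hours needs a wider window, which is exactly why this signal should drive automated blocking rather than wait for an analyst.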


Why Detect-and-Respond Is Not Enough

This case shines a spotlight on how “low-and-slow” tactics, legitimate tools, and automation help attackers stay under the radar. By the time detection triggers, attackers may already be entrenched. Organizations must shift to a model that isolates threats before they escalate.


The AppGuard Way: Isolation and Containment from Day One

Enter AppGuard, a proven endpoint protection platform with a track record of more than ten years and now available for commercial use. Rather than waiting to detect threats, AppGuard enforces strict application isolation, preventing unauthorized code execution and credential theft in the first place.

  • Blocks tools like Mimikatz by preventing unauthorized access to LSASS memory.

  • Contains lateral movement by isolating processes within controlled containment zones.

  • Stops exfiltration tools such as Rclone before they can execute outbound data transfers.

Stop playing the crazy game of “detect-and-respond.” Come over to the AppGuard way.


Final Thoughts

The RansomHub RDP attack is yet another wake-up call that reactive defenses delay the inevitable—compromise before containment. Businesses deserve better. It’s time to move from playing catch-up to proactively containing threats.

Business owners, let’s talk. Reach out to us at CHIPS to explore how AppGuard can prevent attacks like RansomHub—from the inside out. Let’s shift from detect-and-respond to isolation and containment, once and for all.
