How Do RDP Servers Get Hacked? Password Spray Attack Leads to RansomHub Ransomware Breach (2025 Case Study)
In a 2025 incident, cybercriminals used a password spray attack on exposed RDP servers to deploy RansomHub ransomware. This blog explains how the breach occurred in under 5 days, how credentials were stolen, data exfiltrated, and what defenses could have stopped it.

Table of Contents
- Why This Case Matters
- 118‑Hour Timeline From Initial Password Spray to Network‑Wide Encryption
- Step‑by‑Step Breakdown of the Attack
- Why Are RDP Servers Still a Prime Target in 2025?
- RansomHub Tactics, Techniques and Procedures (TTPs)
- Defensive Blueprint: How to Stop Similar Attacks
- Key Takeaways
- Frequently Asked Questions (FAQs)
In late June 2025, incident responders revealed a coordinated attack in which threat actors used a password spray against publicly exposed Remote Desktop Protocol (RDP) servers to compromise an entire corporate network before unleashing the emerging RansomHub ransomware. The campaign, traced to IPs 185.190.24[.]54 and 185.190.24[.]33, unfolded over just six days and offers a textbook example of why RDP hardening and credential hygiene remain critical in 2025.
Why This Case Matters
- RansomHub’s rise: Although first detected in 2024, RansomHub has quickly become a top‑tier Ransomware‑as‑a‑Service (RaaS) threat, already linked to hundreds of enterprise victims.
- Password spray revival: Instead of buying logs or phishing, attackers simply cycle common passwords (e.g., Spring2025!) across many accounts, betting at least one will stick.
- RDP still open: Despite years of guidance, thousands of internet‑facing Windows servers still expose RDP on port 3389, providing a low‑cost beachhead for adversaries.
118‑Hour Timeline From Initial Password Spray to Network‑Wide Encryption
Hour | Attacker Milestone | Key Tools / Tactics |
---|---|---|
0–4 hrs | Password spray vs. RDP; six accounts cracked | AutoIt script, two malicious IPs |
4–6 hrs | First RDP login; beachhead established | Elevated token session, Mimikatz, Nirsoft |
6–30 hrs | Lateral movement to DCs and file servers | net , nltest , Advanced IP Scanner |
30–70 hrs | Credential dump & persistence (Atera, Splashtop) | Service installs, password resets |
70–90 hrs | Rclone data exfil over SFTP (port 443) | Helper scripts, include.txt filters |
118 hrs | Deploy RansomHub binary (amd64.exe) via SMB | Shadow‑copy wipe, log clearing |
Step‑by‑Step Breakdown of the Attack
1. Initial Access: Password Spray via RDP
Attackers bombarded an internet‑facing RDP gateway with a curated list of weak but realistic passwords over four hours. Because account lockout thresholds were set high, no alarms tripped until after compromise.
Red flag: Event ID 4625 spikes from a small set of IPs are an early indicator.
2. Credential Harvesting and Privilege Escalation
Once inside, the threat actor ran Mimikatz and CredentialsFileView to dump LSASS memory and decrypt stored credentials, ultimately obtaining domain‑admin rights.
3. Discovery & Lateral Movement
Using living‑off‑the‑land commands (net, nltest, nslookup) and GUI tools like Advanced IP Scanner and NetScan, they mapped the environment, then hopped via RDP to domain controllers, backup servers, and hypervisors.
4. Data Exfiltration
Before detonating ransomware, the actor launched Rclone to siphon sensitive documents, emails, and database files to a remote SFTP server—classic double‑extortion prep.
5. RansomHub Deployment
The finale involved dropping amd64.exe, which:
- Disabled shadow copies (vssadmin delete shadows)
- Killed running VMs (PowerShell)
- Encrypted local and remote shares over SMB
- Left a ransom note linking to RansomHub leak site
Trend Micro notes that RansomHub routinely targets large enterprises expecting big payouts, aligning with this playbook.
Why Are RDP Servers Still a Prime Target in 2025?
- Legacy dependencies: Many organizations still rely on RDP for third‑party access or legacy apps.
- Misconfigured brute‑force protections: Account lockouts or MFA are often disabled “temporarily” and never re‑enabled.
- Credential reuse: Users recycle passwords across VPN, O365, and RDP—fuel for password spraying.
- Cheap attack surface scanning: Masscan + RockYou2024 wordlists make discovery trivial.
RansomHub Tactics, Techniques and Procedures (TTPs)
MITRE ATT&CK Stage | Technique ID | Observed Implementation |
---|---|---|
Initial Access | T1110.003 (Password Spray) | Four‑hour spray vs. RDP |
Execution | T1059.003 (Windows CMD) | Batch scripts for Rclone |
Credential Access | T1003 (OS Credential Dumping) | Mimikatz on LSASS |
Discovery | T1046 (Network Scan) | Advanced IP Scanner, NetScan |
Lateral Move | T1021.001 (SMB/Windows Admin Shares) | Copy & exec ransomware |
Exfiltration | T1567.002 (Exfil via SFTP) | Rclone over 443 |
Impact | T1486 (Data Encryption) | RansomHub payload |
Data confirmed by CISA’s #StopRansomware advisory on RansomHub.
Defensive Blueprint: How to Stop Similar Attacks
Harden RDP Endpoints
- Enforce account lockout after ≤ 5 failed attempts.
- Restrict access with VPN + MFA; never expose RDP directly to the internet.
- Change default port 3389 only as part of layered defense (security by obscurity isn’t enough).
Detect Password Sprays Early
- Correlate Event ID 4625 bursts with single usernames, multiple IPs.
- Leverage fail2ban‑style logic on Windows by scripting firewall bans for repeat offenders.
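The “red flag” in Step 1 (Event ID 4625 spikes from a small set of IPs) and the correlation bullet above both come down to the same query over failed-logon events. The script below is an added example for this article, not code from the original post or from the incident responders: it builds a constructed batch of 4625 records (TEST-NET addresses, made-up account names, a flattened `timestamp key=value` shape a SIEM export might use), then reports source IPs that failed against many distinct accounts inside a sliding window and accounts hit from several distinct IPs. The window and thresholds are assumptions to tune for your estate.

```python
"""Password-spray detector over Windows Security Event ID 4625 (logon failure) records.

Added example, not code from the original post or the incident responders. All log
lines are constructed (TEST-NET addresses, made-up accounts); the window length and
thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List

WINDOW = timedelta(minutes=30)  # assumption: sliding look-back window per source IP
MIN_USERS_PER_IP = 10           # assumption: distinct accounts one IP must fail against
MIN_IPS_PER_USER = 2            # assumption: distinct IPs failing against one account


def build_sample_log() -> List[str]:
    """Constructed 4625 lines: two spraying IPs walk 12 accounts once each,
    while one employee mistypes her password three times from the VPN egress."""
    base = datetime(2025, 6, 24, 1, 0, 0)
    accounts = [f"user{i:02d}" for i in range(12)]
    lines = []
    for n, ip in enumerate(("203.0.113.10", "203.0.113.11")):
        for i, account in enumerate(accounts):
            ts = base + timedelta(minutes=i, seconds=20 * n)
            # LogonType 10 = RemoteInteractive (RDP); Status 0xC000006D = STATUS_LOGON_FAILURE
            lines.append(f"{ts.isoformat()} EventID=4625 LogonType=10 IpAddress={ip} "
                         f"TargetUserName={account} Status=0xC000006D")
    for i in range(3):
        ts = base + timedelta(minutes=5 + i)
        lines.append(f"{ts.isoformat()} EventID=4625 LogonType=10 IpAddress=198.51.100.7 "
                     f"TargetUserName=alice Status=0xC000006D")
    return lines


def parse_line(line: str) -> Dict[str, Any]:
    """Turn 'ISO-timestamp key=value ...' into a dict with a datetime under 'time'."""
    stamp, _, rest = line.partition(" ")
    event: Dict[str, Any] = {"time": datetime.fromisoformat(stamp)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect_spray(events: List[Dict[str, Any]]) -> Dict[str, dict]:
    """Two views of RDP logon failures:
    - spray_sources: IPs failing against >= MIN_USERS_PER_IP distinct accounts inside
      any WINDOW-long sliding window (the classic one-password-many-users spray);
    - targeted_users: accounts hit from >= MIN_IPS_PER_USER distinct IPs (a spray
      spread across several sources to stay under per-IP lockout or ban limits)."""
    rdp_failures = [e for e in events
                    if e.get("EventID") == "4625" and e.get("LogonType") == "10"]
    by_ip: Dict[str, list] = defaultdict(list)
    for e in rdp_failures:
        by_ip[e["IpAddress"]].append(e)

    spray_sources = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best_users = best_failures = start = 0
        for end in range(len(evs)):  # two-pointer sliding window over sorted times
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            distinct = len({w["TargetUserName"] for w in window})
            if distinct > best_users:
                best_users, best_failures = distinct, len(window)
        if best_users >= MIN_USERS_PER_IP:
            spray_sources[ip] = {"distinct_users": best_users, "failures": best_failures}

    ips_per_user: Dict[str, set] = defaultdict(set)
    for e in rdp_failures:
        ips_per_user[e["TargetUserName"]].add(e["IpAddress"])
    targeted_users = {u: sorted(ips) for u, ips in ips_per_user.items()
                      if len(ips) >= MIN_IPS_PER_USER}
    return {"spray_sources": spray_sources, "targeted_users": targeted_users}


def run_demo() -> Dict[str, dict]:
    """Parse the constructed log and run both detections over it."""
    return detect_spray([parse_line(line) for line in build_sample_log()])


if __name__ == "__main__":
    result = run_demo()
    for ip, info in result["spray_sources"].items():
        print(f"SPRAY  {ip}: {info['distinct_users']} accounts, {info['failures']} failures")
    for user, ips in result["targeted_users"].items():
        print(f"TARGET {user}: hit from {', '.join(ips)}")
```

Against the constructed log, both TEST-NET sources are reported as spray origins (12 accounts each) while the employee who mistyped her password three times from a single address is not, which is the distinction a lockout-threshold alert alone would miss. Feeding `detect_spray` real 4625 exports means mapping your SIEM’s field names onto `IpAddress`, `TargetUserName` and `LogonType` and filtering on logon type 10 so VPN or service-account noise is excluded.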
Implement Credential Guardrails
- Disable NTLM where possible; enforce LSASS protection to block memory dumps.
- Rotate high‑value service and domain‑admin passwords regularly.
Monitor for Living‑off‑the‑Land & Rclone
- Alert on new tools like Advanced IP Scanner.exe or Rclone.exe in unusual paths.
- Egress‑filter unexpected SFTP traffic over port 443.
Prepare for Double‑Extortion
- Keep offline, immutable backups.
- Develop a legal & PR playbook for potential data‑leak negotiations.
Key Takeaways
- Exposed RDP + weak passwords = ransomware invitation.
- Password spray remains low‑tech but highly effective, especially against legacy environments.
- The burgeoning RansomHub RaaS reinforces that new crews quickly adopt proven playbooks.
- Layered defenses—MFA, log analytics, EDR, egress controls—can detect and stop the kill‑chain before encryption.
Protecting remote‑access services isn’t glamorous, but as this 118‑hour case shows, it’s the difference between normal operations and a multimillion‑dollar ransom demand.
FAQs
What is an RDP password spray attack?
A password spray attack involves trying a few common passwords across many RDP accounts to avoid account lockout and gain unauthorized access.
How was RDP used in the RansomHub ransomware attack?
Hackers used exposed RDP ports to spray passwords, gain login access, escalate privileges, and later deploy RansomHub ransomware.
What is RansomHub ransomware?
RansomHub is a Ransomware-as-a-Service (RaaS) variant used by cybercriminals to encrypt data, demand payment, and threaten to leak stolen files.
How did the attackers gain access to the RDP server?
They performed a password spray from known malicious IP addresses, targeting user accounts with weak or reused passwords.
What is the danger of exposing RDP to the internet?
Public-facing RDP services are easy targets for brute-force and password spray attacks, leading to potential full-network compromise.
What are the IP addresses linked to this attack?
The attack originated from IPs 185.190.24[.]54 and 185.190.24[.]33, both previously associated with malicious activities.
How long did the entire attack last?
The entire breach—from password spray to full encryption—took place over 118 hours (under 5 days).
Which tools were used for credential dumping?
The attackers used tools like Mimikatz and NirSoft utilities to steal credentials from memory.
What tools were used for lateral movement?
They used native Windows commands and tools like Advanced IP Scanner to move laterally within the network.
How was data exfiltrated before encryption?
The hackers used Rclone to exfiltrate sensitive files to a remote SFTP server over port 443.
What types of files were stolen?
Documents, spreadsheets, emails, database exports, and backups were all exfiltrated before ransomware was deployed.
What was the final payload in this attack?
The attackers dropped and executed a ransomware binary called amd64.exe to encrypt files and lock systems.
What signs indicate a password spray is in progress?
Repeated Event ID 4625 logon failures from a few IPs targeting many usernames is a key red flag.
How can organizations protect against RDP-based ransomware?
By enforcing MFA, limiting RDP exposure, monitoring failed logins, and disabling unused accounts.
What is the purpose of wiping shadow copies?
Attackers delete shadow copies to prevent data recovery without paying the ransom.
How can you detect Rclone usage in your network?
Monitor for unusual outbound SFTP traffic and flag unexpected use of Rclone.exe on endpoints.
Is changing the default RDP port effective?
Changing the port adds minor obscurity but is not a substitute for robust authentication and firewall rules.
Why is password reuse dangerous in enterprise environments?
If one account gets compromised, reused credentials can lead to total network compromise.
What is lateral movement in a cyberattack?
Lateral movement is when attackers move between systems after initial access to gain more control and reach high-value targets.
What are common mistakes in RDP configurations?
Weak passwords, disabled MFA, exposed ports, and overly permissive user access are frequent issues.
What is a double-extortion ransomware attack?
It's when attackers steal data before encryption and threaten to leak it unless the ransom is paid.
What’s the importance of immutable backups?
They ensure that backups can’t be altered or deleted during an attack, enabling full recovery.
Should RDP be used at all in 2025?
Yes, but only behind a VPN with MFA, monitored, and properly segmented from sensitive systems.
How does RansomHub compare to other ransomware strains?
RansomHub is newer but mimics successful tactics like exfiltration, stealth, and rapid deployment.
Can EDR tools detect this type of attack?
Yes, if configured properly, EDR can catch password sprays, credential theft tools, and unauthorized lateral movement.
What ports should be monitored or blocked for Rclone exfiltration?
Monitor and restrict ports like 443 and 22 when used for outbound data flows from unexpected systems.
Can password spray attacks be stopped with rate limiting?
Yes, limiting login attempts and introducing delays between failed logins significantly reduces spray attack success.
Why are IT firewalls not enough to stop RDP breaches?
If RDP is allowed through or poorly configured, even strong firewalls can be bypassed via credential attacks.
Is password spraying illegal?
Yes, it is a form of unauthorized access and considered a criminal cyber offense under most global laws.
What should incident response teams look for post-RDP compromise?
Signs of credential dumps, unexpected Rclone activity, lateral movement logs, and unauthorized service installs.