Ransomware Initial Access Brokers Exposed

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, in particular its initial access brokers. The attack began with domain enumeration and the successful compromise of an account from multiple IP addresses. The threat actor's unusual behavior of searching files for credentials prompted further investigation. Analysis of the IP addresses revealed connections to Hive ransomware and BlackSuit. Pivoting on TLS certificates uncovered a network of geographically distributed infrastructure sharing a pattern of domain names. The case highlights the importance of thorough analysis in incident response and provides insight into the operations and motivations of ransomware actors.

OPENCTI LABELS:

vpn, ransomware, rdp, brute force, infrastructure, credential harvesting, blacksuit, initial access brokers, hive, domain enumeration
