
CPU Spike Exposed RansomHub Ransomware Attack

Summary

– A user unknowingly executed a malicious JavaScript file disguised as a browser update, giving the attacker initial access to the network.
– The attacker deployed multi-stage encrypted malware and a SOCKS proxy to maintain persistence and establish a network tunnel for communication.
– Privilege escalation occurred within four hours, with the attacker exploiting misconfigured AD CS certificates to gain Domain Admin access.
– The threat actor conducted extensive reconnaissance, credential harvesting, and data exfiltration using tools like AzCopy to access thousands of files.
– Varonis intervened to contain and remediate the threat before it could deploy ransomware, preventing any business downtime.

A recent cybersecurity incident was narrowly averted when an unusual CPU spike on a client’s server signaled an active attack by RansomHub ransomware affiliates. Over a critical 48-hour period, security experts worked alongside the client to investigate, contain, and fully remediate the intrusion before any ransomware could be deployed. Thanks to swift and advanced intervention, the organization’s network was secured without any disruption to business operations.

The attack began when an employee downloaded and ran a file disguised as a legitimate browser update, which was actually a malicious JavaScript payload. This single click initiated automated reconnaissance and command-and-control actions, including enumerating Active Directory users and computers, gathering local system details, and searching for credentials stored in memory.

Within minutes, the attackers established persistence by deploying second-stage malware as a recurring Scheduled Task. They also downloaded an official Python distribution into the %LOCALAPPDATA%\ConnectedDevicesPlatform folder, along with an encrypted Python script that functioned as a SOCKS proxy, creating a direct link between the corporate network and the attacker’s infrastructure over the internet.

The encrypted script was protected by a sophisticated 10-layer unpacking routine, with each stage decrypting the next. Randomized variable names and multiple anti-analysis techniques, such as virtual machine detection, debug detection, and process tracing detection, were used to hinder reverse engineering. A custom unpacking tool was developed to retrieve the final payload in plaintext.

That final payload was a SOCKS proxy designed to route communications between attacker-controlled endpoints and the internal network through the compromised host. In a separate tactic, the threat actor modified all email signatures stored in $env:APPDATA\Microsoft\Signatures by inserting a malicious image reference. This subtle change could have gone unnoticed but might have been used to trigger NTLM authentication attempts on vulnerable clients, potentially harvesting additional credentials.
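The signature tampering described above is easy to check for on a host: an Outlook signature should only reference images bundled beside it, so any UNC or external URL inside a signature file is worth flagging. The following is an added example, not code from the report or from Varonis; the signature contents and the internal-host allowlist are constructed placeholders.

```python
import html
import re
from urllib.parse import urlparse

# Hosts that legitimately serve signature images (assumption / placeholder).
INTERNAL_HOSTS = {"intranet.example.com"}

# Attributes Outlook HTML signatures use to pull in images.
REF_RE = re.compile(r'(?:src|background)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def suspicious_refs(signature_html):
    """Return image references that would make Outlook reach outside the signature folder."""
    hits = []
    # Decode entities first so an encoded '\\' (e.g. &#92;&#92;) is not missed.
    for ref in REF_RE.findall(html.unescape(signature_html)):
        ref = ref.strip()
        low = ref.lower()
        # UNC path (\\host\share, //host/share) or file: URL -> SMB/WebDAV request, possible NTLM
        if ref.startswith("\\\\") or ref.startswith("//") or low.startswith("file:"):
            hits.append(ref)
            continue
        parsed = urlparse(ref)
        if parsed.scheme in ("http", "https") and parsed.hostname not in INTERNAL_HOSTS:
            hits.append(ref)
    return hits


def scan_signatures(signature_files):
    """Map signature file name -> suspicious references, for files that have any."""
    findings = {}
    for name, content in signature_files.items():
        refs = suspicious_refs(content)
        if refs:
            findings[name] = refs
    return findings


# Constructed sample signatures; 203.0.113.7 is a documentation address used as a placeholder.
SAMPLE_SIGNATURES = {
    "alice.htm": '<p>Alice</p><img src="alice_files/image001.png">',
    "bob.htm": '<p>Bob</p><img src="https://intranet.example.com/logo.png">',
    "alice-tampered.htm": r'<p>Alice</p><img src="alice_files/image001.png"><img src="\\203.0.113.7\s\logo.png" width=1 height=1>',
}

if __name__ == "__main__":
    for name, refs in scan_signatures(SAMPLE_SIGNATURES).items():
        print(f"{name}: {refs}")
```

Running the same scan over every `*.htm` under `%APPDATA%\Microsoft\Signatures` on the affected users' machines gives a quick list of which signatures were touched.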

Following the initial endpoint compromise, the adversary immediately began searching for credentials and privilege escalation paths across the network. They scanned network shares for files containing authentication data, such as RDP configurations, OVPN files, and KeePass vaults, and used PowerShell commands to automate the reconnaissance. The attackers also targeted browser-stored credentials, attempting to decrypt passwords from Chrome and Edge using the Data Protection API (DPAPI) to access login data and local state files.

With network access established through a tunnel and control over the compromised device, the threat actor gained control of a Domain Admin account just four hours after the initial breach. Investigation revealed that, approximately two hours post-compromise, an ADFS account from the infected workstation authenticated to a read-only Domain Controller with administrative privileges. The logon session included the SeTcbPrivilege assignment, enabling impersonation of any user, including Domain Admins or SYSTEM.

An audit of the Active Directory environment uncovered several weaknesses, most notably misconfigured certificate templates in Active Directory Certificate Services (AD CS) that could be exploited for privilege escalation via ESC1. It is believed the attacker identified and leveraged this misconfiguration to rapidly obtain high-level access.
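An ESC1 template is one where a low-privileged principal can enroll, the requester supplies the subject name, no manager approval or authorizing signature is required, and the resulting certificate can be used for authentication. The check below, an added example rather than anything from the report, applies those conditions to template attributes as they are stored in AD; the templates themselves are constructed, and in practice you would read them from the Certificate Templates container of the Configuration partition.

```python
# Bit in msPKI-Certificate-Name-Flag: requester supplies the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: issuance requires CA manager approval (CT_FLAG_PEND_ALL_REQUESTS)
PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate be used to authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals that make enrollment "broad": Everyone, Authenticated Users (well-known SIDs)
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}
# ...and Domain Users / Domain Computers, identified by the RID at the end of the domain SID.
LOW_PRIV_RIDS = {"513", "515"}


def broad_enrollment(enroller_sids):
    """True if any principal with enrollment rights is a low-privilege group."""
    return any(sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS
               for sid in enroller_sids)


def is_esc1(template):
    """All ESC1 conditions must hold at once."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # no EKU at all means any purpose
    return (
        bool(template["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT)
        and not (template["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS)
        and template.get("msPKI-RA-Signature", 0) == 0   # no authorized signature required
        and auth_capable
        and broad_enrollment(template["enrollers"])
    )


def audit(templates):
    """Names of templates that satisfy the ESC1 conditions, sorted."""
    return sorted(t["cn"] for t in templates if is_esc1(t))


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_TEMPLATES = [  # constructed; 'enrollers' lists SIDs holding the Enroll right
    {"cn": "VPN-Legacy", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollers": ["S-1-5-11"]},
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0x82000000, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollers": [DOMAIN + "-513"]},
    {"cn": "Admin-Only", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": [], "enrollers": [DOMAIN + "-512"]},
    {"cn": "Approved-Only", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollers": [DOMAIN + "-513"]},
]
```

Only `VPN-Legacy` trips every condition; `User` takes its subject from AD, `Admin-Only` is restricted to Domain Admins, and `Approved-Only` needs manager approval.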

Once administrative privileges were secured, the attacker expanded their reach across the network. They targeted laptops used by domain admins, enabling Remote Desktop Protocol (RDP) via remote service and registry modifications, and used tools like reg.exe and netsh.exe to open port 3389. Before interactively accessing a device, they checked for active users with quser. On unused systems, they deployed credential-harvesting scripts via batch files, which were deleted immediately after execution.

Beyond standard discovery methods, such as abusing ping, nltest, net, and qwinsta, the attackers also used installed copies of Microsoft Word, Visio, and Excel to open internal documents related to ESXi hosts, Azure VM networking, server readmes, and client architecture. This unusual step provided clear insight into their deliberate, targeted approach.

About 24 hours after the initial breach, the attacker, now in possession of Domain Admin rights, initiated data exfiltration using AzCopy, a Microsoft Azure utility. They copied large volumes of recent data from selected directories, causing a massive increase in file access events. The exfiltration activity triggered the original CPU spike that alerted the client.

Security teams quickly identified the threat’s persistence mechanisms and associated indicators of compromise (IOCs). A coordinated cut-off was executed across the network to remove all malicious access, giving the client time to remediate and preventing the attack from escalating into ransomware. Analysis of the tactics, techniques, and procedures (TTPs) and IOCs linked this intrusion to RansomHub affiliates using SocGholish malware for initial access.

Timely intervention allowed the customer to eradicate the threat completely without any business impact. Had the CPU spike gone unnoticed for even a few more hours, ransomware would almost certainly have been deployed across the environment.

(Source: Bleeping Computer)
