DEV Community

Mark0

How a Brute Force Attack Unmasked a Ransomware Infrastructure Network

An investigation by the Huntress Tactical Response Team into a routine RDP brute-force alert uncovered a sophisticated Ransomware-as-a-Service (RaaS) infrastructure. While initial signals appeared to be standard automated attacks, further analysis revealed unusual manual tradecraft where the threat actor searched for passwords in plain text files using Notepad. This deviation from standard automated playbooks led to the discovery of a geographically distributed network of servers linked to the Hive and BlackSuite ransomware families.

The infrastructure analysis traced malicious TLS certificates to domains like specialsseason[.]com and 1vpns[.]com, uncovering a web of over 30 country-specific proxy servers. These findings highlight the role of initial access brokers (IABs) and the specialized VPN services they utilize to mask their operations. The case underscores the importance of deep-dive forensics, as a single successful login from a noisy brute-force campaign served as the entry point to mapping an entire cybercrime ecosystem.
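The pivot the investigation turned on was the one successful logon buried in a noisy brute-force campaign. The following is an added example, not code from the Huntress report or this post, showing how a defender can surface that pattern from Windows Security events: a successful RDP logon (event 4624, logon type 10) preceded by many failed logons (event 4625) from the same source within a short window. The event records, source addresses and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed Security-log records (not real telemetry): 4625 = failed logon,
    4624 = successful logon, logon type 10 = RemoteInteractive (RDP)."""
    base = datetime(2024, 1, 10, 2, 0, 0)
    events = []
    # Noisy campaign: 40 failures from one source in about two minutes, then one success.
    for i in range(40):
        events.append({"time": (base + timedelta(seconds=3 * i)).isoformat(),
                       "id": 4625, "src": "203.0.113.7", "user": "administrator", "type": 10})
    events.append({"time": (base + timedelta(seconds=125)).isoformat(),
                   "id": 4624, "src": "203.0.113.7", "user": "administrator", "type": 10})
    # Benign noise: an admin mistypes once, then logs in from an internal workstation.
    events.append({"time": (base + timedelta(minutes=5)).isoformat(),
                   "id": 4625, "src": "10.0.0.25", "user": "jsmith", "type": 10})
    events.append({"time": (base + timedelta(minutes=5, seconds=20)).isoformat(),
                   "id": 4624, "src": "10.0.0.25", "user": "jsmith", "type": 10})
    return events


def find_brute_force_logins(events, min_failures=20, window=timedelta(minutes=30)):
    """Return RDP successes that were preceded, within `window`, by at least
    `min_failures` failed logons from the same source address."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    failures = defaultdict(list)  # source ip -> timestamps of 4625 events seen so far
    hits = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["src"]].append(t)
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [f for f in failures[e["src"]] if t - f <= window]
            if len(recent) >= min_failures:
                hits.append({"src": e["src"], "user": e["user"],
                             "failures": len(recent), "time": e["time"]})
    return hits


if __name__ == "__main__":
    for hit in find_brute_force_logins(build_sample()):
        print(f"{hit['time']} {hit['src']} -> {hit['user']} after {hit['failures']} failures")
```

Each hit is the point at which the alert stops being "just another brute-force" and becomes the host, account and source address from which the rest of the intrusion should be traced.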
