A sudden, unexplained CPU spike on a corporate server, often dismissed as a minor performance issue, was the critical anomaly that led a security team to uncover a sophisticated RansomHub ransomware attack already in progress. The incident, detailed in a Varonis case study [1], serves as a powerful lesson in modern threat detection, illustrating how attackers blend common tools with advanced techniques to compromise entire networks. This attack was ultimately stopped before any files were encrypted, preventing significant business disruption and highlighting the importance of monitoring for subtle, non-traditional indicators of compromise.
The ransomware ecosystem in 2025 is characterized by its speed and resilience. According to the Symantec Threat Hunter Team's 2025 White Paper [10], ransomware actors claimed 4,873 attacks in 2024, a 3% increase from the previous year. This growth occurred despite significant law enforcement actions against groups like LockBit, demonstrating the ecosystem's ability to quickly adapt. RansomHub, in particular, emerged in February 2024 and rapidly grew to become the second-largest ransomware operation by the end of the year, aggressively recruiting affiliates from other groups by offering a 90% cut of ransoms [10]. The attack described by Varonis provides a real-world view of this group's operational playbook.
The Attack Chain: From Fake Update to Full Control
The initial compromise began with a user being tricked by a fake browser update, a social engineering lure characteristic of the SocGholish malware framework [1]. The lure delivered a malicious JavaScript file which, once run, gave the attacker a first foothold. For persistence, the attacker created a Scheduled Task, a standard Windows feature that is routinely abused to maintain access. A multi-stage Python script was then deployed as a SOCKS proxy, relaying traffic so that the true command-and-control infrastructure stayed hidden from the victim's network. Throughout this phase the attacker leaned on living-off-the-land techniques, driving built-in components such as the script host and the Task Scheduler, which gives signature-based security tooling very little to match on.
Discovery and credential harvesting began immediately. The attacker used PowerShell to sweep the network for credentials and tried to recover browser-saved passwords by decrypting them through the Data Protection API (DPAPI), the same Windows API the browsers use to protect them. In a clever move to propagate the infection, the attacker modified the email signatures of all users to include a malicious link, a technique that could have multiplied the attack's reach inside the organization with every outgoing message. The speed of the attack was notable: within just four hours, the attacker held Domain Administrator privileges. The path was a misconfiguration in Active Directory Certificate Services (AD CS) known as ESC1: a published certificate template that lets the enrollee supply the subject name, permits client authentication, requires no manager approval, and can be enrolled by low-privileged users. An attacker who can enroll in such a template requests a certificate whose subject alternative name is a Domain Admin account and then authenticates to the domain with that certificate [1].
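The ESC1 conditions above are mechanical enough to check in code. The following is an added example, not code from the Varonis write-up: it takes certificate template records as a practitioner would export them from the Configuration partition (the LDAP attribute names are the real ones on pKICertificateTemplate objects; the `published` and `enroll_rights` fields, the sample records and the helper names are this example's assumptions) and reports which templates satisfy every ESC1 condition as defined in SpecterOps' "Certified Pre-Owned" research.

```python
"""Classify AD CS certificate templates against the ESC1 conditions.

Added example, not code from the Varonis write-up: the template records
below are constructed by hand and carry the LDAP attribute names found on
pKICertificateTemplate objects, plus two fields ("published" and
"enroll_rights") that an export tool would resolve from the CA object's
certificateTemplates list and the template's security descriptor.
Every condition must hold for a template to be ESC1.
"""

# msPKI-Certificate-Name-Flag bit: the requester writes the subject/SAN into the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests are held for certificate manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose Enroll right means "any domain account can use this template"
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    """An empty pKIExtendedKeyUsage means no restriction, which also permits auth."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_checks(t):
    """Evaluate each ESC1 condition; the template is ESC1 only if all are True."""
    return {
        "published_on_a_ca": bool(t["published"]),
        "enrollee_supplies_subject": bool(
            t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        ),
        "eku_allows_authentication": allows_authentication(t["pKIExtendedKeyUsage"]),
        "no_manager_approval": not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signature": t["msPKI-RA-Signature"] == 0,
        "low_privileged_enroll": bool(set(t["enroll_rights"]) & LOW_PRIV_PRINCIPALS),
    }


def is_esc1(t):
    return all(esc1_checks(t).values())


def audit(templates):
    """Map template name -> ESC1 verdict for a list of template records."""
    return {t["name"]: is_esc1(t) for t in templates}


# Constructed sample export: a default-style template, one ESC1 template,
# and two near-misses that each fail exactly one condition.
SAMPLE_TEMPLATES = [
    {   # Built-in "User" shape: the CA builds the subject from AD, so not ESC1
        "name": "User", "published": True,
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
        "enroll_rights": ["Domain Users"],
    },
    {   # Custom template: requester picks the SAN and Domain Users can enroll -> ESC1
        "name": "VPN-Client", "published": True,
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_rights": ["Domain Users"],
    },
    {   # Same shape, but every request waits for a certificate manager -> not ESC1
        "name": "WebServer-Approved", "published": True,
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "enroll_rights": ["Domain Users"],
    },
    {   # Dangerous shape, but only a PKI admin group may enroll -> not ESC1 today
        "name": "Legacy-Admin-Only", "published": True,
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
        "enroll_rights": ["CORP\\PKI-Admins"],
    },
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        checks = esc1_checks(t)
        failed = [k for k, v in checks.items() if not v]
        verdict = "ESC1" if not failed else "ok"
        print(f"{t['name']:<20} {verdict:<5} {'fails: ' + ', '.join(failed) if failed else ''}")
```

The per-condition breakdown is the useful part for remediation: a template that fails only `no_manager_approval` or only `low_privileged_enroll` is one ACL change away from ESC1, so the audit is worth re-running after every template edit rather than once.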
Lateral Movement and the Telltale CPU Spike
With domain administrator privileges, the attacker moved freely through the network. They used `sc.exe` and `reg.exe` to enable Remote Desktop Protocol (RDP) on administrative laptops, creating multiple points of entry. Data-gathering scripts were pushed to systems as Scheduled Tasks, and each task was deleted as soon as it had run to limit the forensic trail. A particularly interesting technique involved opening internal documents with Microsoft Office applications directly on compromised servers, which likely helped the attacker identify valuable data while blending in with normal user activity. The final stage before encryption was data exfiltration.
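Both behaviours in this paragraph leave ordinary Windows Security events behind, and a short correlation over them is a practical detection. The block below is an added example, not code from the case study: the event records are constructed to resemble Event ID 4698/4699 (scheduled task created/deleted) and 4688 (process creation with command-line auditing enabled), and the field names, the ten-minute task-lifetime threshold and the exact `reg.exe`/`sc.exe` command shapes are this example's assumptions, since the write-up only states that those tools were used to enable RDP.

```python
"""Surface two lateral-movement behaviours from Windows Security events.

Added example; not code from the Varonis case study. The events below are
constructed to resemble Event ID 4698/4699 (scheduled task created/deleted)
and 4688 (process creation, command-line auditing on). Field names, the
10-minute task-lifetime threshold and the command shapes are assumptions.
"""
import re
from datetime import datetime, timedelta

# A collection task removed minutes after creation is the pattern described above
TASK_LIFETIME_MAX = timedelta(minutes=10)

# reg.exe add "HKLM\...\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
RDP_ENABLE_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*terminal server.*fDenyTSConnections.*\s/d\s+0\b",
    re.IGNORECASE,
)
# sc.exe start TermService   |   sc.exe config TermService start= auto
TERMSERVICE_RE = re.compile(r"\bsc(?:\.exe)?\s+(?:start|config)\s+TermService\b", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect(events):
    """Return a list of alerts; each carries the rule name, host, user and evidence."""
    alerts = []
    pending = {}  # (host, task name) -> creation event awaiting a matching 4699
    for e in sorted(events, key=_ts):
        eid = e["event_id"]
        if eid == 4698:
            pending[(e["host"], e["task_name"].lower())] = e
        elif eid == 4699:
            created = pending.pop((e["host"], e["task_name"].lower()), None)
            if created and _ts(e) - _ts(created) <= TASK_LIFETIME_MAX:
                lifetime = (_ts(e) - _ts(created)).seconds
                alerts.append({
                    "rule": "short_lived_scheduled_task",
                    "host": e["host"], "user": e["user"],
                    "evidence": f"{e['task_name']} lived {lifetime}s",
                })
        elif eid == 4688:
            cmd = e.get("command_line", "")
            rule = None
            if RDP_ENABLE_RE.search(cmd):
                rule = "rdp_enabled_via_registry"
            elif TERMSERVICE_RE.search(cmd):
                rule = "termservice_started_via_sc"
            if rule:
                alerts.append({"rule": rule, "host": e["host"], "user": e["user"], "evidence": cmd})
    return alerts


# Constructed sample: an admin laptop where RDP is switched on, a file server
# with a collection task that lives three minutes, and benign noise.
SAMPLE_EVENTS = [
    {"event_id": 4688, "time": "2024-06-03T09:41:12", "host": "LT-ADMIN01", "user": "CORP\\jdoe",
     "command_line": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                     '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"event_id": 4688, "time": "2024-06-03T09:41:15", "host": "LT-ADMIN01", "user": "CORP\\jdoe",
     "command_line": "sc.exe start TermService"},
    {"event_id": 4688, "time": "2024-06-03T09:50:00", "host": "LT-ADMIN01", "user": "CORP\\jdoe",
     "command_line": 'reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"'},
    {"event_id": 4698, "time": "2024-06-03T10:00:02", "host": "SRV-FS01", "user": "CORP\\jdoe",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\Collect"},
    {"event_id": 4699, "time": "2024-06-03T10:03:10", "host": "SRV-FS01", "user": "CORP\\jdoe",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\Collect"},
    {"event_id": 4698, "time": "2024-06-03T10:00:00", "host": "SRV-FS02", "user": "CORP\\svc-backup",
     "task_name": "\\BackupJob"},
    {"event_id": 4699, "time": "2024-06-04T10:00:00", "host": "SRV-FS02", "user": "CORP\\svc-backup",
     "task_name": "\\BackupJob"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['evidence']}")
```

Keying the task correlation on host and task name, and only alerting when the delete follows the create inside the window, keeps long-lived legitimate jobs (the `\BackupJob` record) out of the alert list while catching a task that exists just long enough to run once.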
The attacker used AzCopy, Microsoft's legitimate command-line utility for moving data into Azure Storage, to transfer large volumes of data out of the network. Reading that much data, systematically and in bulk, put an unusual load on the server that surfaced as a sustained CPU spike. While many monitoring programs concentrate on detecting malicious software or known exploits, this incident shows that a performance anomaly can be the first visible sign of a live attack. The security team investigated the anomaly, found the exfiltration in progress, and intervened before the ransomware payload was deployed. The outcome was complete eradication of the threat with zero business downtime [1].
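CPU load was the proxy signal here; file-access telemetry (file server audit logs, EDR file events) captures the same behaviour directly, as one account suddenly touching thousands of distinct files. The block below is an added example, not Varonis code: it baselines each account against its own recent hours and flags a bulk read. The events are constructed, and the thresholds (six hours of history, a robust z-score of 6, a floor of 500 files) are tuning assumptions.

```python
"""Flag mass file access per account against that account's own baseline.

Added example; not Varonis code. Events are constructed; thresholds are
tuning assumptions. The baseline is median/MAD over the account's earlier
hours so one huge hour cannot drag its own baseline up.
"""
from collections import defaultdict
from statistics import median

HOUR = 3600


def distinct_files_per_hour(events):
    """{user: {hour_start_epoch: number of distinct paths read in that hour}}"""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"] // HOUR * HOUR)].add(e["path"])
    per_user = defaultdict(dict)
    for (user, hour), paths in seen.items():
        per_user[user][hour] = len(paths)
    return per_user


def robust_z(value, history):
    """(value - median) / MAD; MAD is floored at 1 so a flat baseline still scores."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0
    return (value - med) / mad, med


def detect_mass_access(events, min_history=6, z_threshold=6.0, min_files=500):
    alerts = []
    for user, hours in distinct_files_per_hour(events).items():
        ordered = sorted(hours)
        for i, hour in enumerate(ordered):
            history = [hours[h] for h in ordered[:i]]  # only earlier hours form the baseline
            if len(history) < min_history:
                continue
            score, baseline = robust_z(hours[hour], history)
            if hours[hour] >= min_files and score > z_threshold:
                alerts.append({"user": user, "hour_start": hour, "files": hours[hour],
                               "baseline": baseline, "score": round(score, 1)})
    return alerts


def build_sample_events():
    """Constructed day of file-server reads: a normal rhythm, then a bulk read by jdoe at hour 20."""
    base = (1_700_000_000 // HOUR) * HOUR  # hour-aligned epoch start
    rhythm = [20, 25, 30, 35, 28, 22]      # distinct files per hour for an ordinary user
    events = []
    for hour in range(24):
        for user in ("CORP\\jdoe", "CORP\\asmith"):
            count = 3000 if (user == "CORP\\jdoe" and hour == 20) else rhythm[hour % 6]
            for i in range(count):
                events.append({"ts": base + hour * HOUR + i, "user": user,
                               "path": f"\\\\fs01\\finance\\{hour:02d}\\doc{i}.xlsx"})
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for a in detect_mass_access(SAMPLE_EVENTS):
        print(f"{a['user']} read {a['files']} files in one hour "
              f"(baseline {a['baseline']}, score {a['score']})")
```

The absolute floor (`min_files`) matters as much as the score: a service account that normally reads two files an hour would otherwise alert at twenty, and the score alone says nothing about whether the volume is large enough to be an exfiltration staging run.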
RansomHub in the Wider Threat Landscape
The Varonis case study is not an isolated incident. The Symantec white paper details another large-scale RansomHub attack from September 2024 that showcases similar techniques [10]. In that case, the attackers used `net.exe` to create a new user, executed 170 registry commands to cripple Windows Defender, and used tools like FreeFileSync and FileZilla for data exfiltration. Darktrace's investigation has also linked RansomHub to the established cybercrime group ShadowSyndicate [8], indicating that this ransomware is a tool used by experienced operators. These parallel cases confirm a consistent playbook focused on tool abuse and operational sabotage.
The broader ransomware trends for 2025 underscore why such attacks are so effective. The Unit 42 Global Incident Response Report puts the median time from initial compromise to data exfiltration at about two days, with 19% of cases seeing exfiltration in under an hour [6]. Attackers are also deliberately causing disruption: 86% of incidents involved business disruption, from operational downtime to reputational damage, rather than data encryption alone [6]. This shift makes early detection, as demonstrated in the CPU spike case, even more critical for business continuity.
Systemic Weaknesses and Defensive Posture
The success of these attacks often hinges on systemic weaknesses within an organization's IT environment. An analysis by Unit 42 identifies three core enablers: complexity from disparate security tools, gaps in visibility into unmanaged assets and cloud services, and excessive trust through overly permissive accounts [6]. In the RansomHub case, a misconfiguration in AD CS was the direct cause of the domain takeover, a finding consistent with Unit 42's observation that identity and access management issues were a contributing factor in 41% of all incidents [6].
A consolidated set of defensive recommendations can be drawn from the analyzed sources. Prevention starts with disciplined patching and enforcing multifactor authentication (MFA) on all remote access and administrative accounts. Hardening identity systems is paramount, especially auditing Active Directory and AD CS certificate templates for misconfigurations such as ESC1. For detection, organizations need comprehensive Endpoint Detection and Response (EDR) coverage tuned to flag abuse of living-off-the-land binaries (LOLBins) such as `reg.exe` and `sc.exe`. Data-centric monitoring for anomalous file access patterns can directly flag the kind of mass collection that produced the telltale CPU spike [1]. Finally, secure, immutable backups and a tested incident response plan remain essential for resilience and recovery [3, 6, 10].
The story of the CPU spike that uncovered a RansomHub attack is a compelling example of modern cybersecurity defense. It underscores that while attackers are becoming faster and more destructive, their activities are not invisible. By monitoring for subtle behavioral anomalies, understanding attacker tradecraft, and shoring up fundamental security controls like identity management, organizations can detect and neutralize advanced threats before they cause irreversible damage. This incident provides a clear blueprint for turning a potential disaster into a successful defensive operation.
References
- “How a CPU spike led to uncovering a RansomHub ransomware attack,” Varonis Case Study.
- “RansomHub Ransomware,” Varonis Threat Labs Blog.
- Check Point Research, General Ransomware Context.
- “2025 Unit 42 Global Incident Response Report,” Palo Alto Networks Unit 42.
- “Hitting the Hardware: Ransomware Moves to the CPU,” Halcyon, May 14, 2025.
- “RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate’s Arsenal,” Darktrace, Jan 14, 2025.
- Council of Europe update on criminal group activity, October 2025.
- “Ransomware 2025 White Paper,” Symantec Threat Hunter Team, Broadcom.