
Ransomware Intrusion Following Exposed RDP Service

ID: ae877776-432c-44b2-a9cc-5eadbdb884c5

STIX ID: report--ae877776-432c-44b2-a9cc-5eadbdb884c5

Threat Score

75/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
...
A retail environment suffered a hands-on-keyboard ransomware attack after successful RDP access on 10 April 2026; attackers used a local administrator account, disabled endpoint protection, created a backup_support account, ran netscan64.exe for discovery, moved laterally via SMB, and deployed locker.exe which encrypted files (appending .blackforge) and dropped RECOVER-FILES.txt. Observed IOCs include source IP 103.27.202.88, new account backup_support, malware filename locker.exe, ransom note RECOVER-FILES.txt, extension .blackforge, and SHA256 c14b4cbabf6b6e1df4fbb0c96a39ccf8570ef84f7b8cb0e560fbec9d8b7ae2d3.