Portfolio
Cybersecurity Services
Securing your digital journey with resilient, adaptive cyber defense.

E2E Zero Trust Solutions

Replacing implicit trust with continuous, identity-centric security.

Securing AI & Post Quantum Cybersecurity

Enabling next-gen security for AI innovation and quantum resilience.

Hyperscalers Security

Securing your cloud-native infrastructure at hyperscale speed and precision.

Managed Security Services

DDoS Threat Exposure Management

Continuous Threat Exposure Management (CTEM)

Digital Forensics and Incident Response

Cyber Trust Advisory

Offensive Cybersecurity

Project Management

Professional Services

24 X 7 Support

Public Key Infrastructure (PKI)

End-to-end cybersecurity. Built for today’s threats.

Cloud Security

SecOps

OT & IoT Security

Identity Fabric Immunity

Data Security & Privacy

Application Security

Endpoint Security

Network Security

Malware Analysis

Secure Access Service Edge (SASE)

Eliminating implicit trust across your digital estate.

Microsoft Security Services

Google Cloud Security Services

AWS Security Services

Cloud-native security designed for hyperscale environments.
About
Our Story

Mission & Vision

Principles

Leadership
Resources

Blog Post

Stay updated with our latest news, press releases, & more.

Media

Insights and analysis on the latest trends & technologies.

Videos

Watch & learn from our insightful video gallery

Threat Advisories

Critical updates and alerts on emerging threats.

Reports & Whitepapers

In-depth research and analysis on key cybersecurity topics.

Service Briefs

Comprehensive guides and technical documents.

Case studies

Real-world examples of our solutions in action across industries.

Customer Insight story

Real feedback and impact from our customers' experiences.
Events
Trust Center
Partners
Careers
Why Join Us

Join our Talent Community

Blog

LockBit3 Ransomware Breach

By Help AG

Help AG CTI has observed a recent intrusion chain targeting a UAE based entity where threat actors exploited misconfigured Remote Desktop Protocol (RDP) services to gain unauthorized access to victim environments. Following initial access, the actors conducted discovery using SoftPerfect Network Scanner and Advanced IP Scanner, deployed MeshAgent for persistence, harvested credentials via Mimikatz, and disabled security software to evade defenses. The attackers subsequently leveraged RDP for lateral movement across the environment before deploying LockBit ransomware, leading to the encryption of systems and business disruption. This activity is consistent with LockBit Ransomware-as-a-Service (RaaS) affiliate operations. LockBit affiliates commonly exploit exposed RDP, leverage off-the-shelf tools for reconnaissance, and conduct ransomware deployment as the final stage of their attacks.

TTPs:

T1133 – External Remote Services – RDP access gained due to misconfiguration

T1046 – Network Service Scanning – SoftPerfect and Advanced IP Scanner used for discovery

T1003.001 – OS Credential Dumping: LSASS Memory – Mimikatz used to dump credentials

T1562.001 – Impair Defenses: Disable or Modify Tools – security software disabled

T1021.001 – Remote Services: RDP – RDP used for lateral movement

T1486 – Data Encrypted for Impact – LockBit ransomware deployed

Recommendations:

Restrict or disable external RDP access; enforce VPN and MFA for all remote access.

Regularly review Active Directory accounts and disable unused/legacy RDP-enabled accounts.

Deploy endpoint detection and response (EDR) to monitor for MeshAgent and Mimikatz execution.

Configure anti-malware solutions to prevent tampering or disablement by unauthorized users.

Monitor for anomalous RDP session activity and lateral movement attempts.

Maintain up-to-date offline backups to support recovery in case of ransomware impact.

Indicators of Compromise (IoCs) related to this activity are available to Help AG CTI Premium customers. For access to detailed IoC packages and tailored threat intelligence support, please contact Help AG.