RDP brute forcing continues to be a favorite entry point for ransomware actors. In this past month we saw activity from the Lockbit ransomware family. RDP login from 165.231.142.36. Threat actor logged in, then switched accounts to a DA 15 minutes later. Unlike other actors we’ve seen in the lab or in other reports take meticulous inventory and thoroughly enumerate a victim environment this actor moved straight into final phase activity.