Pulse: Ransomware Initial Access Brokers Exposed
TLP: WHITE | Author: AlienVault | Created: 2025-04-11 | Modified: 2025-05-11
An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's unusual behavior of searching for credentials in files prompted further investigation. Analysis of the IP addresses revealed connections to Hive ransomware and BlackSuit. Pivoting from TLS certificates uncovered a network of geographically distributed infrastructure with a pattern of domain names. The case highlights the importance of thorough analysis in incident response and provides insights into the operations and motivations of ransomware actors.
Indicators of Compromise (5)

TYPE             INDICATOR                                                          CREATED
FileHash-SHA1    65899cd65dd753d2eef5463f120ae023e873e1bd                           2025-04-11
FileHash-SHA256  6bc8b8f260f9f9bfea69863ef8d3c525568676ddadc09c14655191cad1acdb5b   2025-04-11
FileHash-SHA256  b884cce828f06fb936fd5809d5945d861401c606c4ebe894464c99e6473e9570   2025-04-11
domain           1vpns.com                                                          2025-04-11
domain           specialsseason.com                                                 2025-04-11