We have suffered a RYUK ransomware attack, and we are in the analysis of events. On a server, in the time slot of the attack, I see in the event of RDP connections, in event ID 1149, connections with the Source Network Adress corresponding to that of the server ?! How is it possible ? there should be the ip of the client that connects to the server ... right?
thanks a lot for your help