Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server
ID: fae2040b-77cf-5461-9b25-1a77d8bb80fd
STIX ID: report--fae2040b-77cf-5461-9b25-1a77d8bb80fd
Feed Name: Pen Test Partners Blog
An SFTP-only Windows Server 2012 host was compromised through CVE-2019-18935 in Telerik UI, which gave the attacker unauthenticated remote code execution. From that foothold, PowerShell was used to add Windows Defender exclusions and a backdoor administrator account was created; persistence was then established via a rogue Userinit value and firewall changes. After a brief lull, the attacker used Ngrok to tunnel RDP over the loopback address (::1), gained interactive access, and executed a ransomware operation configured by sil3ncer.json that encrypted files with a .sil3ncer extension and dropped SORRY-FOR-FILES.txt ransom notes. The operation closed with a cleanup script and removal of the backdoor account.

The report's guidance: patch third-party components, increase log retention and forwarding, detect suspicious PowerShell and netsh activity, block tunneling services such as Ngrok, and properly harden or disable RDP.
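The summary names the stages a defender should be alerting on: PowerShell-driven Defender exclusions, backdoor account creation, a modified Userinit value, netsh firewall changes, an Ngrok tunnel, RDP logons arriving from loopback, and the ransomware's own file artifacts. Below is an added, runnable hunting example (my code, not the report's or Pen Test Partners' own detection content) that encodes those stages as rules over process-creation (4688) and logon (4624) events. The events are constructed for illustration; the report's actual command lines are not reproduced on this page, and the regexes are assumptions about how this tradecraft typically appears in logs, so tune them against real telemetry before relying on them.

```python
"""Hunting rules for the intrusion stages summarised above (constructed example)."""
import re
from typing import Iterable

# Rule table: (rule name, Windows event id it applies to, case-insensitive regex over
# the process command line). Patterns are illustrative assumptions, not the report's IOCs.
CMDLINE_RULES = [
    ("defender_exclusion_via_powershell", 4688,
     r"(add|set)-mppreference\b.*-exclusion(path|process|extension)"),
    ("defender_disable_via_powershell", 4688,
     r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true"),
    ("local_account_created", 4688,
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("added_to_administrators", 4688,
     r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("userinit_modified", 4688,
     r"\breg(\.exe)?\s+add\b.*winlogon.*\buserinit\b"),
    ("firewall_rule_via_netsh", 4688,
     r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+(add|set)\s+rule\b"),
    ("firewall_profile_disabled", 4688,
     r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b"),
    ("ngrok_tunnel_started", 4688,
     r"\bngrok(\.exe)?\s+(tcp|http|start)\b"),
]

LOOPBACK = {"::1", "127.0.0.1"}

# Artifacts named in the summary: encrypted-file extension and ransom-note filename.
RANSOM_EXT = ".sil3ncer"
RANSOM_NOTE = "sorry-for-files.txt"


def rdp_over_loopback(event: dict) -> bool:
    """An RDP logon (type 10) whose source is loopback is what RDP tunnelled through a
    local agent such as Ngrok looks like in the Security log."""
    return (event.get("id") == 4624
            and event.get("logon_type") == 10
            and event.get("src") in LOOPBACK)


def is_ransomware_artifact(path: str) -> bool:
    """True for a .sil3ncer-encrypted file or a SORRY-FOR-FILES.txt note, case-insensitive."""
    p = path.lower().replace("\\", "/")
    return p.endswith(RANSOM_EXT) or p.rsplit("/", 1)[-1] == RANSOM_NOTE


def evaluate(events: Iterable[dict]) -> list:
    """Return (rule name, event) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        cmd = ev.get("cmd", "")
        for name, event_id, pattern in CMDLINE_RULES:
            if ev.get("id") == event_id and re.search(pattern, cmd, re.IGNORECASE):
                hits.append((name, ev))
        if rdp_over_loopback(ev):
            hits.append(("rdp_logon_from_loopback", ev))
    return hits


def summarize(events: Iterable[dict]) -> dict:
    """Hit count per rule; an intrusion like the one above fires most of these in sequence."""
    counts = {}
    for name, _ in evaluate(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events (assumed shapes, not taken from the report).
SAMPLE_EVENTS = [
    {"id": 4688, "cmd": "powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath C:\\Windows\\Temp"},
    {"id": 4688, "cmd": "net user svc_backup P@ss /add"},
    {"id": 4688, "cmd": "net localgroup administrators svc_backup /add"},
    {"id": 4688, "cmd": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
                        '/v Userinit /t REG_SZ /d "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Temp\\x.exe" /f'},
    {"id": 4688, "cmd": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"id": 4688, "cmd": "ngrok.exe tcp 3389"},
    {"id": 4624, "logon_type": 10, "src": "::1", "user": "svc_backup"},
    {"id": 4688, "cmd": "notepad.exe C:\\Users\\a\\notes.txt"},  # benign control
]

if __name__ == "__main__":
    for rule, ev in evaluate(SAMPLE_EVENTS):
        print(f"{rule:34s} {ev.get('cmd') or ev}")
    print(summarize(SAMPLE_EVENTS))
```

The value of grouping these rules is the sequence, not any single hit: a Defender exclusion alone is common admin noise, but an exclusion followed within hours by account creation, a Userinit change, a netsh rule and an RDP logon from ::1 is the chain the summary describes, so a correlation window across rule names is the natural next step. The loopback-source check only works if the host forwards 4624 events somewhere the attacker's cleanup script cannot reach, which is why the report's advice on log retention and forwarding matters.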
