Full Report
Key Takeaways: The intrusion began in early March 2025 with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system. Notably, there was no evidence of credential stuffing, brute forcing, or other failed authentication attempts from the source IP, indicating the […] The post Cat’s Got Your Files: Lynx Ransomware appeared first on The DFIR Report.
Analysis Summary
# Incident Report: Lynx Ransomware Intrusion
## Executive Summary
In March 2025, a threat actor used compromised credentials to access an internet-exposed system via Remote Desktop Protocol (RDP). Over a span of nine days, the attacker moved laterally to domain controllers, exfiltrated sensitive data to a temporary file-hosting service, and ultimately deployed Lynx ransomware. The incident resulted in the encryption of file and backup servers after the deliberate deletion of backup jobs, which removed the primary recovery path.
## Incident Details
- **Discovery Date:** Late March 2025
- **Incident Date:** Early March 2025
- **Affected Organization:** Not disclosed
- **Sector:** Not disclosed
- **Geography:** Not disclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2025
- **Vector:** External Remote Services (RDP)
- **Details:** Successful logon to an internet-exposed system using valid credentials. No brute-force or credential stuffing was observed, suggesting the use of previously stolen credentials (likely from an infostealer or access broker).
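The signal the report highlights for initial access is a successful RDP logon from the internet with no failed attempts from the same source beforehand, which is how valid stolen credentials look in the Security log. The following is an added example (not code from The DFIR Report) that applies that logic to constructed 4624/4625 events. The event field names, the sample records and the internal address ranges are assumptions; in practice they would come from your SIEM and your own network inventory.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed internal ranges for this example; replace with the organisation's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample Windows Security events (illustrative, not from the report).
# id 4624 = successful logon, 4625 = failed logon; logon_type 10 = RemoteInteractive (RDP).
# Source addresses use RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T02:10:00", "id": 4625, "user": "svc_backup", "src": "203.0.113.9", "logon_type": 10},
    {"time": "2025-03-01T02:10:05", "id": 4625, "user": "svc_backup", "src": "203.0.113.9", "logon_type": 10},
    {"time": "2025-03-01T02:10:09", "id": 4624, "user": "svc_backup", "src": "203.0.113.9", "logon_type": 10},
    {"time": "2025-03-02T03:41:17", "id": 4624, "user": "jdoe", "src": "198.51.100.23", "logon_type": 10},
    {"time": "2025-03-02T08:00:00", "id": 4624, "user": "jdoe", "src": "10.0.0.15", "logon_type": 10},
    {"time": "2025-03-02T08:05:00", "id": 4624, "user": "jdoe", "src": "10.0.0.15", "logon_type": 3},
]


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def first_try_rdp_logons(events, window=timedelta(hours=24)):
    """Return successful RDP logons from external sources that were preceded by no
    failed logon from the same source within `window`. A brute-forced success is
    deliberately excluded: it is a different detection with a different story."""
    hits = []
    failures = {}  # src -> timestamps of failed logons seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_external(ev["src"]):
            continue
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures.setdefault(ev["src"], []).append(ts)
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            recent = [t for t in failures.get(ev["src"], []) if ts - t <= window]
            if not recent:
                hits.append({"time": ev["time"], "user": ev["user"], "src": ev["src"]})
    return hits


if __name__ == "__main__":
    for hit in first_try_rdp_logons(SAMPLE_EVENTS):
        print(f"{hit['time']} external RDP logon by {hit['user']} from {hit['src']} with no prior failures")
```

Run against the sample, only the `jdoe` logon from `198.51.100.23` is reported: the `svc_backup` success follows two failures from the same source, and the `10.0.0.15` sessions are internal. Feeding the rule with 4625 events from every internet-facing host, not just the one that was eventually logged into, is what makes the "no failures" claim meaningful.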
### Lateral Movement
- Within minutes of initial access, the actor used a compromised Domain Admin account to access a Domain Controller.
- The actor created multiple "impersonation-style" accounts (look-alikes) and added them to privileged groups to blend in with legitimate administrative activity.
- The actor moved across the network using RDP to reach virtualization infrastructure and backup servers.
### Data Exfiltration/Impact
- **Exfiltration:** Sensitive files were identified via network share discovery, collected, and compressed using 7-Zip. Data was exfiltrated to the service `temp[.]sh`.
- **Impact:** The actor connected to backup servers to delete existing backup jobs and history. Lynx ransomware was then manually executed via RDP across critical file and backup servers.
### Detection & Response
- **Discovery:** Detection occurred during the ransomware deployment phase (approximately 178 hours after initial access).
- **Detection Signals:** The intrusion was identified through suspicious execution of built-in system tools (`hostname`, `systeminfo`, `nltest`) and the subsequent encryption of files.
## Attack Methodology
- **Initial Access:** Valid Accounts (T1078) via RDP (T1133).
- **Persistence:** Create Account (T1136.002) - look-alike administrative accounts.
- **Privilege Escalation:** Domain Groups (T1098.007) - adding new accounts to high-privilege groups.
- **Defense Evasion:** Look-alike administrative accounts used to blend into legitimate admin activity; tooling executed at high integrity level from the actor's interactive sessions.
- **Credential Access:** No in-environment credential theft was observed; the credentials used were most likely obtained before the intrusion.
- **Discovery:** Network Share Discovery (T1135), System Information Discovery (T1082), and Remote System Discovery (T1018).
- **Lateral Movement:** Remote Desktop Protocol (T1021.001) and SMB/Windows Admin Shares (T1021.002).
- **Collection:** Archive via Utility (T1560.001) using 7-Zip.
- **Exfiltration:** Exfiltration Over Web Service (T1567) to `temp[.]sh`.
- **Impact:** Inhibit System Recovery (T1490) by deleting backups and Data Encrypted for Impact (T1486).
## Impact Assessment
- **Financial:** High (Ransom demand and recovery costs).
- **Data Breach:** Exfiltration of sensitive data from multiple network shares.
- **Operational:** Severe disruption; encryption of file servers and destruction of backup infrastructure.
- **Reputational:** Potential impact depending on the nature of leaked data.
## Indicators of Compromise
- **Network:** `temp[.]sh` (Exfiltration point)
- **Behavioral:**
- Creation of unauthorized look-alike accounts and their addition to Domain Admins and other privileged groups.
- Use of `hostname`, `systeminfo`, and `nltest` for rapid enumeration.
- Manual deletion of backup jobs via RDP.
- Execution of 7-Zip for large-scale compression on file shares.
## Response Actions
- **Containment:** Disconnection of compromised systems and internet-exposed RDP interfaces.
- **Eradication:** Removal of unauthorized look-alike administrative accounts and malicious binaries.
- **Recovery:** Restoration from off-site/offline backups (where available, as local backups were targeted).
## Lessons Learned
- **Credential Hygiene:** The absence of failed authentication attempts indicates the attacker already held valid credentials, highlighting the danger of single-factor authentication on internet-exposed RDP.
- **Privileged Account Monitoring:** The creation of look-alike admin accounts was a primary persistence mechanism that could have been alerted upon earlier.
- **Backup Security:** Backup servers were accessible via the same credentials as the rest of the domain, allowing the attacker to destroy the primary recovery path.
## Recommendations
- **MFA:** Enable Multi-Factor Authentication on all external-facing services, especially RDP and VPNs.
- **RDP Hardening:** Place RDP behind an RDP Gateway or VPN and restrict access to known-good source IP addresses.
- **Immutable Backups:** Implement "air-gapped" or immutable backups that cannot be modified or deleted by compromised domain administrator accounts.
- **Alerting:** Implement real-time alerts for the creation of new accounts in privileged Active Directory groups.
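The two lessons about privileged accounts, that look-alike admin accounts were the persistence mechanism and that adding accounts to privileged groups should alert in real time, can be turned into one rule. The following is an added example (not code from The DFIR Report) run over constructed 4720/4728/4756 events: every addition to a privileged group is alerted, and the alert is enriched when the member was created shortly before or when its name is within a small edit distance of an existing admin after common digit-for-letter swaps. The group list, the admin inventory, the sample events and the homoglyph table are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed set of groups whose membership changes must always alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed inventory of legitimate privileged accounts (hypothetical names).
KNOWN_ADMINS = {"adm_jsmith", "adm_mlee", "svc_backup"}

# Constructed sample Security events (not from the report):
# 4720 = user account created; 4728 = member added to a security-enabled global
# group; 4756 = member added to a security-enabled universal group.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T01:02:10", "id": 4720, "subject": "adm_jsmith", "target": "adm_jsmlth"},
    {"time": "2025-03-04T01:02:31", "id": 4728, "subject": "adm_jsmith", "member": "adm_jsmlth", "group": "Domain Admins"},
    {"time": "2025-03-04T09:15:00", "id": 4720, "subject": "adm_mlee", "target": "contractor07"},
    {"time": "2025-03-04T09:15:20", "id": 4728, "subject": "adm_mlee", "member": "contractor07", "group": "Sales"},
    {"time": "2025-03-05T01:40:02", "id": 4756, "subject": "adm_jsmith", "member": "svc_backups", "group": "Enterprise Admins"},
]

# Digits that are routinely substituted for letters in look-alike names (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_legit(name, known=KNOWN_ADMINS, max_distance=2):
    """Return the legitimate account `name` most resembles, or None when `name`
    is itself a known account or resembles nothing closely enough."""
    if name in known:
        return None
    n = normalize(name)
    best = min(known, key=lambda k: levenshtein(n, normalize(k)))
    return best if levenshtein(n, normalize(best)) <= max_distance else None


def privileged_group_alerts(events, new_account_window=timedelta(hours=24)):
    """One alert per addition to a privileged group, with the reasons that raise its severity."""
    created = {}  # account -> creation time, from 4720 events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = ts
            continue
        if ev["id"] in (4728, 4756) and ev["group"] in PRIVILEGED_GROUPS:
            reasons = [f"added to {ev['group']} by {ev['subject']}"]
            if ev["member"] in created and ts - created[ev["member"]] <= new_account_window:
                reasons.append("newly created account")
            twin = closest_legit(ev["member"])
            if twin:
                reasons.append(f"name resembles existing admin {twin}")
            alerts.append({"time": ev["time"], "member": ev["member"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in privileged_group_alerts(SAMPLE_EVENTS):
        print(alert["time"], alert["member"], "; ".join(alert["reasons"]))
```

On the sample, `adm_jsmlth` is reported with three reasons (privileged group, freshly created, one edit away from `adm_jsmith`) and `svc_backups` with two; `contractor07` joining `Sales` produces nothing. The admin inventory is the part worth maintaining: the look-alike check is only as good as the list of names it compares against.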