Lynx Ransomware Intrusion Detailed in Full Attack Chain Report
The DFIR Report has published a detailed breakdown of a Lynx ransomware intrusion that began with a single RDP logon using compromised credentials, revealing the full attack chain and C2 infrastructure.

A newly published incident analysis from The DFIR Report lays out the complete timeline and technical details of a Lynx ransomware intrusion that struck an unnamed organization in early March 2025. The attack began with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system, with no evidence of credential stuffing or brute-forcing—indicating the threat actor already possessed valid credentials before making the connection. The report assesses that these credentials were likely obtained via an infostealer, data breach reuse, or purchased through an initial access broker.
Within minutes of the initial logon, the attacker conducted reconnaissance using command prompt utilities and SoftPerfect Network Scanner (netscan), then moved laterally to a domain controller via RDP using a separate compromised domain admin account. On the domain controller, the threat actor created two impersonation-style accounts—one named "administratr" and another altered by a single character from an existing account—and added both to privileged groups including Domain Administrators. To establish persistence, the attacker installed the AnyDesk remote access client, though it was never used during the remainder of the intrusion.
The threat actor then mapped out virtualization infrastructure, browsed several network file shares, and created one additional look-alike account before pausing activity for six days. When they returned, they resumed reconnaissance with netscan, downloaded NetExec, and conducted a password spray attack over port 445. After browsing multiple file shares, the attacker compressed the contents using 7-Zip and exfiltrated them to the temporary file-sharing service temp[.]sh.
Approximately nine hours after the exfiltration activity, the threat actor returned via RDP from a new source IP address associated with Railnet LLC—a company previously identified as a front for Virtualine, which operates infrastructure linked to criminal networks. During this phase, the attacker connected to additional domain controllers and hypervisor systems via RDP, executing discovery commands and using the Microsoft Management Console (MMC) to enumerate user accounts and permissions. They also leveraged earlier netscan results to identify additional network infrastructure and attempted to access these systems by launching browser sessions directly from within netscan.
On the ninth day of the intrusion, the threat actor returned for the final time. After one last round of network scanning on the beachhead host, they connected via RDP to a backup server and deleted existing backup jobs. The attacker then deployed and executed Lynx ransomware across multiple backup and file servers via RDP, with the overall Time to Ransomware (TTR) measured at approximately 178 hours. The report notes that the actor used living-off-the-land binaries (LOLBins) throughout the operation to minimize their forensic footprint.
The DFIR Report's analysis provides full indicators of compromise (IOCs), including C2 infrastructure details and the specific system artifacts left behind during each phase of the attack. The case underscores how a single set of compromised credentials combined with existing domain admin accounts can enable a complete ransomware deployment even without brute-forcing or on-host privilege escalation. Organizations are urged to eliminate internet-facing RDP, enforce multi-factor authentication, and monitor for the creation of impersonation accounts and the use of remote access tools like AnyDesk on domain controllers.
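The look-alike account creation described above ("administratr", and a second name one character off an existing account) followed by privileged-group membership is a detection opportunity that does not depend on any particular tooling. The script below is an added example written for this summary, not code from The DFIR Report or from the case; it implements the monitoring the closing paragraph recommends by running a small edit-distance check over Windows Security event records (4720 account created, 4728/4732 member added to a group) and escalating when a freshly created account lands in a privileged group. The event records, the directory snapshot, and the privileged-group list are all constructed for the example, and the records are simplified: the real 4728/4732 events carry the member as a distinguished name, whereas here `MemberName` is assumed to already be the plain account name.

```python
"""Flag impersonation-style account creation and privileged-group additions.

Added example for this write-up; it is not code from The DFIR Report.
Event records imitate the shape of Windows Security events 4720 (user
account created) and 4728/4732 (member added to a global/local group)
but are constructed here and are not artifacts from the intrusion.
"""
from typing import Dict, Iterable, List

# Groups whose membership changes warrant an alert (set assumed for the example).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}

# Constructed directory snapshot: accounts that existed before the events below.
EXISTING_ACCOUNTS = ["Administrator", "jsmith", "backupsvc", "dbadmin", "krbtgt"]

# Constructed sample events, in the order the log would record them.
# MemberName is assumed to be a bare account name (real events use a DN).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4720, "TargetUserName": "administratr", "SubjectUserName": "jsmith", "Computer": "DC01"},
    {"EventID": 4728, "MemberName": "administratr", "TargetUserName": "Domain Admins",
     "SubjectUserName": "jsmith", "Computer": "DC01"},
    {"EventID": 4720, "TargetUserName": "backupsvc1", "SubjectUserName": "jsmith", "Computer": "DC01"},
    {"EventID": 4720, "TargetUserName": "newhire-q2", "SubjectUserName": "hrsvc", "Computer": "DC02"},
    {"EventID": 4732, "MemberName": "newhire-q2", "TargetUserName": "Remote Desktop Users",
     "SubjectUserName": "hrsvc", "Computer": "DC02"},
]


def edit_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance via a rolling single row."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(candidate: str, existing: Iterable[str], max_distance: int = 1) -> List[str]:
    """Existing names within max_distance edits of candidate, excluding an exact match."""
    hits = []
    for name in existing:
        if name.lower() == candidate.lower():
            continue
        if edit_distance(candidate, name) <= max_distance:
            hits.append(name)
    return hits


def detect(events: Iterable[Dict], existing_accounts: Iterable[str], max_distance: int = 1) -> List[Dict]:
    """Return alerts for look-alike account creation and privileged-group additions.

    An addition to a privileged group is rated critical when the member was
    created earlier in the same batch of events, which is the pattern seen in
    the intrusion (create the impersonation account, then elevate it).
    """
    existing = list(existing_accounts)
    created_in_batch = set()
    alerts: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720:
            name = ev["TargetUserName"]
            created_in_batch.add(name.lower())
            matches = find_lookalikes(name, existing, max_distance)
            if matches:
                alerts.append({"severity": "high", "rule": "lookalike-account-created",
                               "account": name, "resembles": matches,
                               "by": ev.get("SubjectUserName"), "host": ev.get("Computer")})
        elif eid in (4728, 4732):
            group, member = ev["TargetUserName"], ev["MemberName"]
            if group.lower() in PRIVILEGED_GROUPS:
                severity = "critical" if member.lower() in created_in_batch else "high"
                alerts.append({"severity": severity, "rule": "privileged-group-add",
                               "account": member, "group": group,
                               "by": ev.get("SubjectUserName"), "host": ev.get("Computer")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, EXISTING_ACCOUNTS):
        print(alert)
```

Run against the constructed events, the script raises three alerts: "administratr" as a look-alike of "Administrator", its subsequent Domain Admins addition rated critical because the account was created moments earlier, and "backupsvc1" as a look-alike of "backupsvc"; the ordinary "newhire-q2" creation and its non-privileged group addition stay quiet. In production the existing-account list would come from a directory export and the events from the SIEM, and the distance threshold can be raised to catch two-character variations at the cost of more review.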