TTPwire Vol. 1 · MITRE ATT&CK · Tagged


The DFIR Report

Cat’s Got Your Files: Lynx Ransomware

editor · 2025-12-17

ATT&CK techniques detected

73 predictions
T1486 Data Encrypted for Impact (100%)
“: - – dir e : \ specifies the folder to encrypt, in this case the e drive. - – mode fast specifies the percentage of file to encrypt, in this case 5 %. - – verbose enables output verbosity. - – noprint disables printing out the ransom note on connected printers. after execution, …”
T1046 Network Service Discovery (100%)
T1486 Data Encrypted for Impact (99%)
“archives created by the threat actor, confirming that the multiple archives were exfiltrated individually. impact ransomware deployment on the ninth day of the intrusion, the threat actor moved laterally to several backup servers and file servers via rdp from the beachhead. on th…”
T1486 Data Encrypted for Impact (99%)
“cat ’ s got your files : lynx ransomware cat ’ s got your files : lynx ransomware key takeaways - the intrusion began with a successful rdp login using already - compromised credentials, likely obtained via an infostealer, data breach reuse, or an initial access broker. - within …”
T1135 Network Share Discovery (98%)
“[ * ] windows server 2016 standard evaluation 14393 x64 ( name : dc2016a ) ( domain : ocean ) ( signing : true ) ( smbv1 : true ) smb 192. 168. 1. 117 445 win10desk1 [ * ] win10desk1 x64 ( name : win10desk1 ) ( domain : ocean ) ( signing : false ) ( smbv1 : true ) once executed, …”
T1046 Network Service Discovery (98%)
“discovery immediately after gaining initial access to the beachhead host, the threat actor spawned cmd. exe and performed hands - on - keyboard network and system discovery commands. " c : \ windows \ system32 \ cmd. exe " ipconfig route print systeminfo ping \ redacted ping reda…”
T1021.001 Remote Desktop Protocol (98%)
“##fbf3271 - 1ef6 - 4e94 - 8210 - 03c2317947f6 : cred dump tools dropped files 259a9cdf - c4dd - 4fa2 - b243 - 2269e5ab18a2 : external remote rdp logon from public ip 78d5cab4 - 557e - 454f - 9fb9 - a222bd0d5edc : external remote smb logon from public ip ac7102b4 - 9e1e - 4802 - 9…”
T1021.002 SMB/Windows Admin Shares (96%)
“[ * ] windows server 2016 standard evaluation 14393 x64 ( name : dc2016a ) ( domain : ocean ) ( signing : true ) ( smbv1 : true ) smb 192. 168. 1. 117 445 win10desk1 [ * ] win10desk1 x64 ( name : win10desk1 ) ( domain : ocean ) ( signing : false ) ( smbv1 : true ) once executed, …”
T1078 Valid Accounts (96%)
“other failed authentication attempts from the source ip, indicating the threat actor likely possessed valid credentials before the activity occurred. although the original source of the credentials could not be determined, they are commonly acquired through credential - stealing …”
T1078 Valid Accounts (96%)
“a logon type 7 ( unlock ) was seen in security event id 4624 logs, indicating an existing rdp session was unlocked. on day two of the intrusion, the threat actor was observed logging into several hypervisors using the “ lookalike 1 ” domain administrator account and the “ adminis…”
T1021.001 Remote Desktop Protocol (95%)
“obtained prior to the intrusion. the threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the beachhead host without performing any credential access activities, indicating these credentials were also obtained pr…”
T1046 Network Service Discovery (94%)
T1021.001 Remote Desktop Protocol (94%)
“sessions directly from within netscan. approximately 24 hours later, on the ninth day of the intrusion, the threat actor returned for the final time. they initiated one last round of network scanning with netscan on the beachhead host before connecting via rdp to a backup server,…”
T1021.002 SMB/Windows Admin Shares (94%)
“4f89 - 9117 - 44a2464b9511 : smb create remote file admin share 91c945bc - 2ad1 - 4799 - a591 - 4d00198a1215 : suspicious access to sensitive file extensions 7be5fb68 - f9ef - 476d - 8b51 - 0256ebece19e : suspicious execution of hostname 0ef56343 - 059e - 4cb6 - adc1 - 4c3c967c5e…”
T1080 Taint Shared Content (92%)
“cat ’ s got your files : lynx ransomware cat ’ s got your files : lynx ransomware key takeaways - the intrusion began with a successful rdp login using already - compromised credentials, likely obtained via an infostealer, data breach reuse, or an initial access broker. - within …”
T1021.001 Remote Desktop Protocol (92%)
“these actions can be observed in browser history events, as well as in process events for microsoft edge, with netscan. exe as the parent process. the threat actor used the open ‘ as web ( http ) ’ shortcut within the netscan gui to view the appliances ’ web portals in the browse…”
T1078 Valid Accounts (91%)
“for example, new gpos. afterward, the threat actor added “ lookalike 2 ” to a high - privilege group specific to the domain in question. lastly, the threat actor connected to multiple hypervisor servers using these newly created accounts with high privileges. we assess this was l…”
T1021.001 Remote Desktop Protocol (91%)
“a logon type 7 ( unlock ) was seen in security event id 4624 logs, indicating an existing rdp session was unlocked. on day two of the intrusion, the threat actor was observed logging into several hypervisors using the “ lookalike 1 ” domain administrator account and the “ adminis…”
T1021.001 Remote Desktop Protocol (89%)
“and hosts were successfully enumerated using the domain admin credentials during scanning. after each execution of netexec, multiple scripts were dropped into the temp directory, which can be used as part of the module functionality built into netexec. however, no modules were us…”
T1550.002 Pass the Hash (89%)
“a logon type 7 ( unlock ) was seen in security event id 4624 logs, indicating an existing rdp session was unlocked. on day two of the intrusion, the threat actor was observed logging into several hypervisors using the “ lookalike 1 ” domain administrator account and the “ adminis…”
T1018 Remote System Discovery (88%)
“- v infrastructure, as we observed rdp connections from the beachhead host to three hypervisors. on all three servers, the threat actor launched virtmgmt. msc ( the hyper - v management console ) and also ran systeminfo and regedit. the threat actor was also observed issuing ping…”
T1021.001 Remote Desktop Protocol (88%)
“system32 \ lusrmgr. msc " " c : \ windows \ system32 \ secedit. exe " / export / cfg c : \ secpol. cfg " notepad. exe c : \ secpol. cfg lusrmgr. msc is the microsoft management console local users and groups snap - in and is used for advanced management of local users and groups.…”
T1078 Valid Accounts (87%)
“obtained prior to the intrusion. the threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the beachhead host without performing any credential access activities, indicating these credentials were also obtained pr…”
T1078 Valid Accounts (86%)
“sessions directly from within netscan. approximately 24 hours later, on the ninth day of the intrusion, the threat actor returned for the final time. they initiated one last round of network scanning with netscan on the beachhead host before connecting via rdp to a backup server,…”
T1550.002 Pass the Hash (85%)
“##eef149c - bd26 - 49f2 - 9e5a - 9b00e3af499b : pass the hash activity 2 d36f7c12 - 14a3 - 4d48 - b6b8 - 774b9c66f44d : potential python dll sideloading c2c76b77 - 32be - 4d1f - 82c9 - 7e544bdfe0eb : potential suspicious activity using secedit ca387a8e - 1c84 - 4da3 - 9993 - 028b…”
T1059.001 PowerShell (82%)
“##ad7638 - 3862 - 49a2 - 9ddd - af7132f9e598 : using netscan for post - scanning lateral movement b26feb0b - 8891 - 4e66 - b2e7 - ec91dc045d58 : anydesk network d7838d77 - 3a28 - 45cd - bc0e - 7b941b687a39 : hypervisor discovery activity sigma repo : c43c26be - 2e87 - 46c7 - 8661…”
T1135 Network Share Discovery (76%)
“! audit _ mode = reveal _ chars _ of _ pwd = 0 log _ mode = false ignore _ opsec = true host _ info _ colors = [ " green ", " red ", " yellow ", " cyan " ] [ bloodhound ] bh _ enabled = false bh _ uri = 127. 0. 0. 1 bh _ port = 7687 bh _ user = neo4j bh _ pass = bloodhoundcommuni…”
T1021.002 SMB/Windows Admin Shares (75%)
“! audit _ mode = reveal _ chars _ of _ pwd = 0 log _ mode = false ignore _ opsec = true host _ info _ colors = [ " green ", " red ", " yellow ", " cyan " ] [ bloodhound ] bh _ enabled = false bh _ uri = 127. 0. 0. 1 bh _ port = 7687 bh _ user = neo4j bh _ pass = bloodhoundcommuni…”
T1210 Exploitation of Remote Services (75%)
“- v infrastructure, as we observed rdp connections from the beachhead host to three hypervisors. on all three servers, the threat actor launched virtmgmt. msc ( the hyper - v management console ) and also ran systeminfo and regedit. the threat actor was also observed issuing ping…”
T1021.002 SMB/Windows Admin Shares (74%)
“threat actor then downloaded the network service exploitation tool netexec via microsoft edge. netexec was then executed with the following command : nxc. exe smb redacted / 24 - u redacted - p redacted this command is designed to enumerate a list of live hosts over smb ( port 44…”
T1219 Remote Access Tools (73%)
“the threat actor saved the resulting archives in the desktop folder of the compromised user. command and control as detailed in the persistence section, anydesk was installed as a service on the domain controller ; however, no further anydesk traffic or activity was observed duri…”
T1078.003 Local Accounts (71%)
“binaries ( lolbins ), largely for discovery purposes. softperfect netscan was used extensively during the intrusion. while the configuration deployed by the threat actor is detailed in the discovery section, it ’ s clear the tool played a role in automating portions of their acti…”
T1080 Taint Shared Content (71%)
“process creation ) and event id 3 ( network connections ) events. on day eight of the intrusion the threat actor was observed connecting to multiple domain controllers and hypervisor servers via rdp using the domain admin account to perform further discovery activities. on day ni…”
T1486 Data Encrypted for Impact (70%)
“sessions directly from within netscan. approximately 24 hours later, on the ninth day of the intrusion, the threat actor returned for the final time. they initiated one last round of network scanning with netscan on the beachhead host before connecting via rdp to a backup server,…”
T1588.002 Tool (70%)
“group, logged users, os version, and uptime enabled. netscan also had default hotkeys enabled for remote desktop and computer management, mapped to ctrl + r and ctrl + m. the netscan license file ( netscan. lic ) shows that netscan was used with a paid license, removing the heavy…”
T1021.001 Remote Desktop Protocol (70%)
“cat ’ s got your files : lynx ransomware cat ’ s got your files : lynx ransomware key takeaways - the intrusion began with a successful rdp login using already - compromised credentials, likely obtained via an infostealer, data breach reuse, or an initial access broker. - within …”
T1003 OS Credential Dumping (69%)
“a logon type 7 ( unlock ) was seen in security event id 4624 logs, indicating an existing rdp session was unlocked. on day two of the intrusion, the threat actor was observed logging into several hypervisors using the “ lookalike 1 ” domain administrator account and the “ adminis…”
T1136.001 Local Account (68%)
“binaries ( lolbins ), largely for discovery purposes. softperfect netscan was used extensively during the intrusion. while the configuration deployed by the threat actor is detailed in the discovery section, it ’ s clear the tool played a role in automating portions of their acti…”
T1041 Exfiltration Over C2 Channel (66%)
“for malicious cyber activities. later in the intrusion, the threat actor switched to a second ip address ( also hosted on railnet llc infrastructure ) to access the network. the same hostname desktop - bul6k1u was used. virtualine has been observed advertising its bulletproof hos…”
T1021.001 Remote Desktop Protocol (63%)
“process creation ) and event id 3 ( network connections ) events. on day eight of the intrusion the threat actor was observed connecting to multiple domain controllers and hypervisor servers via rdp using the domain admin account to perform further discovery activities. on day ni…”
T1003 OS Credential Dumping (61%)
“, they collect or buy credentials and then resell them to others who want to get into networks without doing the initial legwork. - info stealer malware : this type of malware is designed to quietly grab saved credentials, browser cookies, and other sensitive data from infected m…”
T1021.002 SMB/Windows Admin Shares (60%)
“of netscan when it ’ s set to check for write access on network shares. in this case, netscan was run with domain administrator privileges, so all discovered shares were writable. as a result, netscan was able to create and delete the delete [. ] me file on each discovered share.…”
T1486 Data Encrypted for Impact (57%)
“process creation ) and event id 3 ( network connections ) events. on day eight of the intrusion the threat actor was observed connecting to multiple domain controllers and hypervisor servers via rdp using the domain admin account to perform further discovery activities. on day ni…”
T1080 Taint Shared Content (55%)
“archives created by the threat actor, confirming that the multiple archives were exfiltrated individually. impact ransomware deployment on the ninth day of the intrusion, the threat actor moved laterally to several backup servers and file servers via rdp from the beachhead. on th…”
T1021.001 Remote Desktop Protocol (54%)
“- v infrastructure, as we observed rdp connections from the beachhead host to three hypervisors. on all three servers, the threat actor launched virtmgmt. msc ( the hyper - v management console ) and also ran systeminfo and regedit. the threat actor was also observed issuing ping…”
T1136.001 Local Account (53%)
“. once on the domain controller, the threat actor used active directory users and computers ( dsa. msc ) to create two new accounts : one named “ administratr ” and another designed to mimic an existing domain account, altered by a single character to blend in. both accounts were…”
T1560.001 Archive via Utility (51%)
“cat ’ s got your files : lynx ransomware cat ’ s got your files : lynx ransomware key takeaways - the intrusion began with a successful rdp login using already - compromised credentials, likely obtained via an infostealer, data breach reuse, or an initial access broker. - within …”
T1566.004 Spearphishing Voice (50%)
“obtained prior to the intrusion. the threat actor was also observed using credentials for a second account with domain administrator privileges to pivot from the beachhead host without performing any credential access activities, indicating these credentials were also obtained pr…”
T1136.001 Local Account (48%)
“. to ensure persistence, the threat actor set the accounts ’ passwords to never expire with the user _ dont _ expire _ password attribute. furthermore, as detailed in the privilege escalation section, the threat actor assigned high privileges to the newly created accounts. first,…”
T1003 OS Credential Dumping (48%)
“private dfir reports annually. - threat feed : focuses on tracking command and control frameworks like cobalt strike, metasploit, sliver, etc. - all intel : includes everything from private threat briefs and threat feed, plus private events, threat actor insights reports, long - …”
T1190 Exploit Public-Facing Application (48%)
T1048 Exfiltration Over Alternative Protocol (48%)
“for malicious cyber activities. later in the intrusion, the threat actor switched to a second ip address ( also hosted on railnet llc infrastructure ) to access the network. the same hostname desktop - bul6k1u was used. virtualine has been observed advertising its bulletproof hos…”
T1003 OS Credential Dumping (48%)
“cat ’ s got your files : lynx ransomware cat ’ s got your files : lynx ransomware key takeaways - the intrusion began with a successful rdp login using already - compromised credentials, likely obtained via an infostealer, data breach reuse, or an initial access broker. - within …”
T1560.001 Archive via Utility (47%)
“actor compressed the contents into archives and exfiltrated them to the temporary file - sharing service temp [. ] sh. this activity marked the end of their operations for the day. around nine hours after the exfiltration activity, the threat actor returned via rdp from a new sou…”
T1133 External Remote Services (47%)
“for example, new gpos. afterward, the threat actor added “ lookalike 2 ” to a high - privilege group specific to the domain in question. lastly, the threat actor connected to multiple hypervisor servers using these newly created accounts with high privileges. we assess this was l…”
T1078.002 Domain Accounts (46%)
“of netscan when it ’ s set to check for write access on network shares. in this case, netscan was run with domain administrator privileges, so all discovered shares were writable. as a result, netscan was able to create and delete the delete [. ] me file on each discovered share.…”
T1219 Remote Access Tools (46%)
“process creation ) and event id 3 ( network connections ) events. on day eight of the intrusion the threat actor was observed connecting to multiple domain controllers and hypervisor servers via rdp using the domain admin account to perform further discovery activities. on day ni…”
T1497.001 System Checks (46%)
“msc " this launched the microsoft management console with the active directory users & computers snap ‑ in ( dsa. msc ), allowing them to browse and manipulate ad objects. after establishing persistence on the domain controller ( detailed in the persistence section ), the threat …”
T1098 Account Manipulation (46%)
“. to ensure persistence, the threat actor set the accounts ’ passwords to never expire with the user _ dont _ expire _ password attribute. furthermore, as detailed in the privilege escalation section, the threat actor assigned high privileges to the newly created accounts. first,…”
T1486 Data Encrypted for Impact (46%)
“##04b19ac4c74 : uncommon outbound kerberos connection a24e5861 - c6ca - 4fde - a93c - ba9256feddf0 : uncommon process access rights for target image c265cf08 - 3f99 - 46c1 - 8d59 - 328247057d57 : user added to local administrator group 94309181 - d345 - 4cbf - b5fe - 061769bdf9cb…”
T1560.001 Archive via Utility (44%)
“process creation ) and event id 3 ( network connections ) events. on day eight of the intrusion the threat actor was observed connecting to multiple domain controllers and hypervisor servers via rdp using the domain admin account to perform further discovery activities. on day ni…”
T1078.002 Domain Accounts (42%)
“other failed authentication attempts from the source ip, indicating the threat actor likely possessed valid credentials before the activity occurred. although the original source of the credentials could not be determined, they are commonly acquired through credential - stealing …”
T1078 Valid Accounts (42%)
“these actions can be observed in browser history events, as well as in process events for microsoft edge, with netscan. exe as the parent process. the threat actor used the open ‘ as web ( http ) ’ shortcut within the netscan gui to view the appliances ’ web portals in the browse…”
T1021.001 Remote Desktop Protocol (41%)
“the threat actor saved the resulting archives in the desktop folder of the compromised user. command and control as detailed in the persistence section, anydesk was installed as a service on the domain controller ; however, no further anydesk traffic or activity was observed duri…”
T1110.001 Password Guessing (40%)
“! audit _ mode = reveal _ chars _ of _ pwd = 0 log _ mode = false ignore _ opsec = true host _ info _ colors = [ " green ", " red ", " yellow ", " cyan " ] [ bloodhound ] bh _ enabled = false bh _ uri = 127. 0. 0. 1 bh _ port = 7687 bh _ user = neo4j bh _ pass = bloodhoundcommuni…”
T1003 OS Credential Dumping (37%)
“sessions directly from within netscan. approximately 24 hours later, on the ninth day of the intrusion, the threat actor returned for the final time. they initiated one last round of network scanning with netscan on the beachhead host before connecting via rdp to a backup server,…”
T1673 Virtual Machine Discovery (34%)
“- v infrastructure, as we observed rdp connections from the beachhead host to three hypervisors. on all three servers, the threat actor launched virtmgmt. msc ( the hyper - v management console ) and also ran systeminfo and regedit. the threat actor was also observed issuing ping…”
T1564.006 Run Virtual Instance (34%)
“archives created by the threat actor, confirming that the multiple archives were exfiltrated individually. impact ransomware deployment on the ninth day of the intrusion, the threat actor moved laterally to several backup servers and file servers via rdp from the beachhead. on th…”
T1563.002 RDP Hijacking (34%)
“- v infrastructure, as we observed rdp connections from the beachhead host to three hypervisors. on all three servers, the threat actor launched virtmgmt. msc ( the hyper - v management console ) and also ran systeminfo and regedit. the threat actor was also observed issuing ping…”
T1048 Exfiltration Over Alternative Protocol (32%)
“actor compressed the contents into archives and exfiltrated them to the temporary file - sharing service temp [. ] sh. this activity marked the end of their operations for the day. around nine hours after the exfiltration activity, the threat actor returned via rdp from a new sou…”
T1018 Remote System Discovery (31%)
“and hosts were successfully enumerated using the domain admin credentials during scanning. after each execution of netexec, multiple scripts were dropped into the temp directory, which can be used as part of the module functionality built into netexec. however, no modules were us…”
T1078 Valid Accounts (31%)
“private dfir reports annually. - threat feed : focuses on tracking command and control frameworks like cobalt strike, metasploit, sliver, etc. - all intel : includes everything from private threat briefs and threat feed, plus private events, threat actor insights reports, long - …”
T1078 Valid Accounts (30%)
“and hosts were successfully enumerated using the domain admin credentials during scanning. after each execution of netexec, multiple scripts were dropped into the temp directory, which can be used as part of the module functionality built into netexec. however, no modules were us…”

Summary

The intrusion began in early March 2025 with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system. Notably, there was no evidence of credential stuffing, brute forcing, or other failed authentication attempts from the source IP, indicating the […]

The post Cat’s Got Your Files: Lynx Ransomware appeared first on The DFIR Report.