Cat’s Got Your Files: Lynx Ransomware
ID: 2b88ed65-9798-5713-b698-f5304e29c8f1
STIX ID: report--2b88ed65-9798-5713-b698-f5304e29c8f1
Feed Name: The DFIR Report
- A DFIR report documents a nine-day intrusion that began with a successful RDP logon using valid credentials and escalated to domain controller access, where look‑alike privileged accounts were created and AnyDesk was installed for persistence. The intruder used SoftPerfect NetScan and NetExec for discovery and lateral movement, exfiltrated compressed archives to temp.sh, deleted Veeam backups, and ultimately deployed Lynx ransomware across backup and file servers (Time to Ransomware ≈ 178 hours). The report provides IOCs (IPs, file hashes), command artifacts, TTP mappings to ATT&CK, and detection resources (Sigma/YARA) to support containment and hunting.
