Cat’s Got Your Files: Lynx Ransomware
ID: 8fcf24bc-d553-58e7-9c6c-27dd05eb9ed2
STIX ID: report--8fcf24bc-d553-58e7-9c6c-27dd05eb9ed2
Feed Name: The DFIR Report
This DFIR report documents a nine-day intrusion that began with a single RDP logon using pre-compromised credentials. The intruder moved laterally to domain controllers rapidly using additional compromised domain admin accounts, created look-alike privileged accounts for persistence, and performed extensive discovery with SoftPerfect NetScan and NetExec. Sensitive share data was then collected and exfiltrated to temp.sh, Veeam backup jobs were deleted, and Lynx ransomware was finally deployed across backup and file servers (Time to Ransomware ≈ 178 hours). The report includes forensic artifacts, file hashes, source IPs (195.211.190.189, 77.90.153.30), detection rules, and recommended detections mapped to MITRE ATT&CK.
