The intrusion began with a valid RDP login using pre-compromised credentials and progressed through rapid discovery, lateral movement, and persistent account creation before data exfiltration and a final ransomware deployment. The actor exfiltrated archives to temp.sh and deployed Lynx ransomware, leveraging infrastructure tied to Railnet LLC/Virtualine. #Lynx #RailnetLLC
Keypoints
- Initial access was via a single successful RDP logon from 195.211.190[.]189 using valid credentials with no brute force evidence, indicating credential reuse or purchase.
- Within minutes the actor moved laterally to a domain controller with a separate compromised domain admin account, created multiple look-alike privileged accounts, and set passwords to never expire.
- SoftPerfect NetScan and NetExec were used for automated network/service discovery and to identify writable shares and virtualization infrastructure.
- Sensitive files were collected, compressed with 7‑Zip, and exfiltrated via the temporary file-sharing service temp.sh.
- The actor connected to backup servers, deleted backup jobs in Veeam, and deployed Lynx ransomware (w.exe) across backup and file servers via RDP.
- The full intrusion spanned nine days with a Time to Ransomware (TTR) of approximately 178 hours and command-and-control activity originating from IPs hosted by Railnet LLC/Virtualine.
MITRE Techniques
- [T1098.007] Additional Local or Domain Groups – Created and added look-alike accounts to high-privilege groups to persist and blend in (‘created two new accounts: one named “administratr” and another designed to mimic an existing domain account… Both accounts were promptly added to privileged security groups, including Domain Administrators.’).
- [T1560.001] Archive via Utility – Used 7‑Zip to compress collected files before exfiltration (‘the threat actor leveraged 7-Zip to create zip archives of the contents of the two file servers.’).
- [T1486] Data Encrypted for Impact – Deployed Lynx ransomware to encrypt data on backup and file servers (‘deployed and executed Lynx ransomware on the backup server… repeated this ransomware deployment across multiple additional backup and file servers’).
- [T1136.002] Domain Account – Created and used domain accounts for persistence and access to domain resources (‘used Active Directory Users and Computers (dsa.msc) to create two new accounts… Both accounts were promptly added to privileged security groups, including Domain Administrators.’).
- [T1567] Exfiltration Over Web Service – Exfiltrated archives to a temporary web file-sharing service (‘the threat actor browsed to the temporary file sharing site temp.sh… used the upload feature to exfiltrate the previously archived files.’).
- [T1133] External Remote Services – Accessed the environment via external remote services and infrastructure hosted by Railnet/Virtualine (‘logon originated from IP address 195.211.190[.]189… hosted on infrastructure from Railnet LLC which is used as a legal front for… Virtualine.’).
- [T1490] Inhibit System Recovery – Deleted backup jobs and removed backups from Veeam to prevent recovery (‘the threat actor connected to a backup server, where they proceeded to delete existing backup jobs’ and ‘removed backups from the configuration database’).
- [T1087.001] Local Account – Created local-style look-alike accounts and set non-expiring passwords for persistence (‘the threat actor used… to create three users for persistence… set the accounts’ passwords to never expire with the USER_DONT_EXPIRE_PASSWORD attribute.’).
- [T1046] Network Service Discovery – Performed network and port scanning to enumerate hosts and services using NetScan and NetExec (‘ran SoftPerfect Network Scanner (netscan) … port scanning was observed in Sysmon EID 3 network connections events’).
- [T1135] Network Share Discovery – Enumerated writable network shares and verified write access using NetScan (‘Enabled share scanning with checks for security info, share writing and diskspace’; NetScan created delete[.]me files on discovered shares as its write check).
- [T1059.001] PowerShell – Used PowerShell for command execution and discovery during hands-on activity (‘used Windows Command Shell (cmd.exe) and PowerShell to execute commands on compromised hosts during hands-on-keyboard activity’).
- [T1012] Query Registry – Queried the registry to identify Hyper-V hostnames and other configuration (‘reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters’, the key a Hyper-V guest uses to expose its host and VM names).
- [T1219] Remote Access Software – Installed AnyDesk on the domain controller to establish remote access persistence (‘installed the AnyDesk remote access client on the domain controller.’).
- [T1021.001] Remote Desktop Protocol – Used RDP extensively for initial access, lateral movement, and execution (‘a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system’; subsequent hands-on activity was performed over RDP sessions).
- [T1018] Remote System Discovery – Used RDP sessions and tools to discover remote systems and hypervisors (‘connected to several additional domain controllers and hypervisor systems via RDP… launched virtmgmt.msc (the Hyper-V management console)’).
- [T1082] System Information Discovery – Collected system information via systeminfo and Task Manager to profile hosts (‘ran Task Manager to view running processes and system information’; also executed systeminfo).
- [T1016] System Network Configuration Discovery – Queried network configuration via ipconfig and route print to map network topology (‘spawned cmd.exe and performed hands-on-keyboard network and system discovery commands’, including ipconfig and route print).
- [T1078] Valid Accounts – Logged in using pre-compromised valid credentials for both standard and privileged accounts (‘there was no indication of credential stuffing, brute forcing… indicating the threat actor likely possessed valid credentials before the activity occurred.’).
- [T1059.003] Windows Command Shell – Executed commands and launched tools using cmd.exe for discovery and ransomware execution (‘used Windows Command Shell (cmd.exe) … and executed “w.exe” on each server using cmd’).
- [T1543.003] Windows Service – Installed AnyDesk as a service on the domain controller to persist remote access (‘AnyDesk was installed as a service on the domain controller; however, no further AnyDesk traffic or activity was observed during the intrusion.’).
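The account-persistence pattern in the key points and under T1098.007, T1136.002 and T1087.001 (a new account whose name is a typo-squat of a real privileged account, added to a privileged group and set to never expire) is a good correlation target for the Windows Security log. The following Python is an added detection example, not code from the DFIR Report or its authors; the event dicts and field names are simplifications modelled on the 4720, 4728/4732 and 4738 event data, and the sample events are constructed.

```python
# Added example (not from the DFIR Report). Events are simplified dicts modelled on
# Security log 4720 (user created), 4728/4732 (group member added), 4738 (changed).
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "password never expires"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events: the first three mirror the look-alike account
# pattern from this intrusion; the last two are a benign helpdesk creation.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Target": "administratr", "Subject": "da_svc"},
    {"EventID": 4728, "Target": "administratr", "Group": "Domain Admins"},
    {"EventID": 4738, "Target": "administratr", "NewUacValue": 0x10200},
    {"EventID": 4720, "Target": "contractor7", "Subject": "helpdesk"},
    {"EventID": 4728, "Target": "contractor7", "Group": "VPN Users"},
]

def edit_distance(a, b):
    """Levenshtein distance, used to flag names one or two keystrokes away
    from a known privileged account (e.g. 'administratr' vs 'Administrator')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike_persistence(events, known_accounts, max_distance=2):
    """Map each newly created account (4720) to the reasons it is suspicious:
    a look-alike name, membership in a privileged group, or a never-expiring
    password. Any one reason merits triage; all three match this intrusion."""
    created = {e["Target"] for e in events if e["EventID"] == 4720}
    findings = {}
    for name in created:
        reasons = []
        near = [k for k in known_accounts
                if 0 < edit_distance(name.lower(), k.lower()) <= max_distance]
        if near:
            reasons.append("lookalike of " + ", ".join(near))
        for e in events:
            if e.get("Target") != name:
                continue
            if e["EventID"] in (4728, 4732) and e.get("Group") in PRIVILEGED_GROUPS:
                reasons.append("added to " + e["Group"])
            if e["EventID"] == 4738 and e.get("NewUacValue", 0) & UF_DONT_EXPIRE_PASSWD:
                reasons.append("password never expires")
        if reasons:
            findings[name] = reasons
    return findings
```

In a real SIEM the 4738 "New UAC Value" field arrives as a hex string and must be parsed before the bit test; feeding the function the list of existing privileged account names from AD makes the look-alike check meaningful.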
Indicators of Compromise
- [IP Address] RDP and remote access sources – 195.211.190[.]189 (initial RDP access), 77.90.153[.]30 (follow-up RDP activity).
- [Domain / Service] Exfiltration endpoint – temp.sh (used to upload and exfiltrate archived data).
- [File Hash] Tool and malware hashes – netscan.exe (3073af95…c37), nxc.exe (7532ff90…7338), and w.exe (e2179046…7264a); the Lynx sample and the two tools, three hashes provided (truncated as given).
- [File Name] Suspicious binaries and artifacts – netscan.exe, nxc.exe, w.exe (Lynx), delete.me (NetScan write-check artifact), and ss.xml (NetScan export placeholder).
- [Hostname] Remote host identifier – DESKTOP-BUL6K1U (observed in the RDP logon workstation name field).
- [Account Names] Created/persistent accounts – “administratr”, “Lookalike 1”, “Lookalike 2” (accounts created and added to privileged groups).
Read more: https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/