Cat’s Got Your Files: Lynx Ransomware - The DFIR Report
Lynx ransomware campaign exploits internet-exposed RDP with valid credentials starting March 2025.
Summary
The DFIR Report documents a Lynx ransomware intrusion that began in early March 2025 via a successful RDP logon to an exposed system using valid credentials, with no evidence of brute-force or credential stuffing attacks. The incident analysis provides detailed forensic findings and detection guidance for defenders responding to similar compromises. The report emphasizes the continued risk posed by internet-exposed RDP endpoints and credential-based lateral movement.
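The initial-access pattern described above (a single successful RDP logon with valid credentials, no preceding failures) is what a defender needs to separate from a brute-force that eventually succeeds. The script below is an added example, not code or detection content from The DFIR Report, that triages Windows Security 4624 events of Logon Type 10 (RemoteInteractive, i.e. RDP) from non-internal source addresses and counts 4625 failures from the same source in the preceding window. The JSON-lines events, the account names, the IP addresses and the 30-minute window and 5-failure threshold are all constructed assumptions for the demonstration; the "internal" address list assumes RFC 1918 plus loopback and link-local and should be replaced with your own address space.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample of Windows Security events in a JSON-lines shape such as a
# SIEM might export. EventID 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP). These records are invented for the
# example and are not artifacts from the DFIR Report case.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.45", "TimeCreated": "2025-03-03T02:14:09Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk", "IpAddress": "10.20.0.15", "TimeCreated": "2025-03-03T09:02:31Z"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "IpAddress": "10.20.0.9", "TimeCreated": "2025-03-03T03:00:00Z"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "console", "IpAddress": "-", "TimeCreated": "2025-03-03T04:00:00Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2025-03-03T05:10:00Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2025-03-03T05:10:10Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2025-03-03T05:10:20Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2025-03-03T05:10:30Z"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2025-03-03T05:10:40Z"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2025-03-03T05:11:00Z"}
"""

# Assumed internal ranges (RFC 1918, loopback, link-local). Replace with the
# organisation's real address space; anything outside is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

RDP_LOGON_TYPE = 10
SUCCESS, FAILURE = 4624, 4625


def parse_events(text):
    """Parse JSON-lines events and convert TimeCreated to aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["TimeCreated"] = datetime.fromisoformat(
            e["TimeCreated"].replace("Z", "+00:00"))
        events.append(e)
    return events


def is_external(ip):
    """True for a routable address outside INTERNAL_NETS. Local logons carry
    '-' in IpAddress, which is not parseable and therefore not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP (Logon Type 10) logons from external source addresses."""
    return [e for e in events
            if e["EventID"] == SUCCESS
            and e["LogonType"] == RDP_LOGON_TYPE
            and is_external(e["IpAddress"])]


def triage(events, window=timedelta(minutes=30), brute_force_threshold=5):
    """For each external RDP success, count 4625 failures from the same source
    IP in the preceding window. A success with few or no prior failures is the
    valid-credential pattern; many failures followed by a success looks like
    brute force. Threshold and window are assumptions, tune them locally."""
    findings = []
    for hit in external_rdp_logons(events):
        start = hit["TimeCreated"] - window
        fails = sum(
            1 for e in events
            if e["EventID"] == FAILURE
            and e["IpAddress"] == hit["IpAddress"]
            and start <= e["TimeCreated"] < hit["TimeCreated"]
        )
        findings.append({
            "time": hit["TimeCreated"].isoformat(),
            "user": hit["TargetUserName"],
            "src": hit["IpAddress"],
            "prior_failures": fails,
            "pattern": ("brute-force" if fails >= brute_force_threshold
                        else "valid-credential"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f['time']} {f['user']:<10} from {f['src']:<15} "
              f"prior_failures={f['prior_failures']} -> {f['pattern']}")
```

Internal-source and non-RDP logons are dropped before the failure count so the output lists only the sessions worth pivoting on; the "valid-credential" hits are the ones to check against the exposure of the host and the account's expected source locations, since there is no brute-force noise to alert on before them.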
Full text
Indicators of Compromise
- malware — Lynx