Inside the Lynx Ransomware Attack: How Hackers Turned RDP Access into a 9-Day Corporate Nightmare

Listen to this Post

Featured Image
Cybersecurity experts are increasingly warning organizations about the quiet but devastating impact of modern ransomware attacks. One recent incident in early March 2025 demonstrates just how sophisticated and patient attackers have become. Using pre-compromised credentials, threat actors infiltrated an internet-exposed Windows server and escalated their privileges across the network, ultimately deploying the destructive Lynx ransomware. The operation, spanning nine days from first access to full encryption, highlights the strategic planning, tool misuse, and deep understanding of Active Directory that cybercriminals now employ.

The Initial Breach and RDP Exploitation

Attackers first accessed the target environment by exploiting valid Remote Desktop Protocol (RDP) credentials, carefully avoiding any brute-force attempts or password spraying. This strongly suggests that the credentials were previously stolen via infostealer malware, obtained from prior breaches, or purchased from an initial access broker. Within just ten minutes of login, the attacker pivoted to the domain controller using a separate compromised domain administrator account. Notably, no local privilege escalation or credential dumping occurred, signaling a low-noise, methodical approach.

Creation of Shadow Accounts

Once on the domain controller, the threat actor used the Active Directory Users and Computers console to create three impersonation-style accounts, including one named “administratr” and two additional accounts differing by just a single character from legitimate users. These accounts were added to privileged groups such as Domain Admins, and their passwords were set to never expire, ensuring persistent access. The attacker also installed AnyDesk as a service, providing an alternative remote channel, though most activity continued via native RDP sessions.

Mapping the Network and Gathering Data

From the initial foothold, the attacker deployed SoftPerfect Network Scanner to enumerate the internal IP range, map network shares, identify operating systems, and confirm write access across devices. Temporary “delete.me” files were created to test access. Additional tools like NetExec were used for SMB enumeration and password testing. Over several days, the attacker repeatedly reconnected—sometimes via different IPs associated with Russian bulletproof hosting—to map infrastructure including domain controllers, Hyper-V hosts, firewalls, and VPN appliances.

Exfiltration of Sensitive Information

By day six, attackers had begun collecting sensitive folders from file servers. Using 7-Zip, data was compressed into archives stored on user desktops and exfiltrated via a temporary file-sharing site. Browser history and network traffic logs confirmed the volume and timing of these transfers. This step marked the systematic extraction of valuable data prior to ransomware deployment.

Backup Sabotage and Ransomware Deployment

On day nine, attackers targeted backup infrastructure, accessing Veeam Backup & Replication consoles to delete backup jobs and stored copies, crippling recovery options. They then deployed the Lynx ransomware payload across desktops and some server directories, executing encryption in a way that only affected portions of each file. A ransom note was finally dropped on impacted systems. The intrusion spanned 178 hours from initial access to ransomware execution, illustrating a slow, deliberate, and highly effective attack methodology.

What Undercode Say: Strategic Lessons and Analytical Insights

The Lynx ransomware incident underscores the evolution of ransomware operations into highly surgical campaigns rather than noisy, opportunistic attacks. Several key patterns emerge that are crucial for organizations to understand:

Credential Exploitation as the Primary Vector: Attackers relied on pre-compromised credentials, bypassing brute-force detection entirely. This highlights the critical need for proactive credential hygiene, multi-factor authentication, and monitoring of stolen credentials.

Low-Noise Privilege Escalation: By avoiding credential dumping or overt escalation tools, attackers stayed below detection thresholds. Security teams often focus on detecting high-volume suspicious events, leaving silent, slow-moving campaigns under the radar.

AD Account Impersonation and Persistence: The use of lookalike accounts with minor character differences exploits human and automated detection weaknesses. Configuring alerts for unusual account creation and non-expiring passwords could mitigate this risk.

Dual-Use Tools and Network Reconnaissance: SoftPerfect NetScan and NetExec are legitimate tools repurposed for malicious reconnaissance. Organizations must track unusual internal use of administration tools, especially when paired with RDP access from unusual sources.

Data Exfiltration Strategy: Using temporary file-sharing websites allowed attackers to move large data sets without triggering traditional DLP systems. Modern monitoring should include unusual outbound HTTP POST requests and file transfer patterns.

Backup Deletion Before Encryption: Disabling backup recovery before launching ransomware is becoming a hallmark of advanced attacks. Immutable backups and air-gapped storage are vital to limit ransomware impact.

Time-Extended Operations: The nine-day dwell period illustrates attackers’ patience. Endpoint detection systems need to flag recurring but low-volume activity, especially RDP logins from geographically or networkwise unusual sources.

In essence, the Lynx operation exemplifies a blend of traditional reconnaissance, strategic credential abuse, and ransomware deployment designed to maximize impact while minimizing detection. It is no longer enough to simply secure endpoints; organizations must adopt a layered, proactive defense strategy that includes identity monitoring, network segmentation, and behavioral analytics to detect subtle signs of intrusion.

🔍 Fact Checker Results

✅ Attackers used pre-compromised credentials rather than brute-force methods.

✅ The ransomware operation included deliberate backup deletion to prevent recovery.
✅ Exfiltration involved compressing data with 7-Zip and transferring via temporary file-sharing sites.

📊 Prediction: The Future of Ransomware Operations

Expect ransomware campaigns to become increasingly slow and stealthy, focusing on identity exploitation, low-noise lateral movement, and selective data targeting. Organizations may face multi-day, carefully staged attacks that leave minimal forensic footprints. Security investments will likely shift toward continuous identity monitoring, zero-trust network architecture, and automated anomaly detection to counter these patient and sophisticated adversaries. 🛡️💻

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon