Lynx ransomware, a potent threat to enterprise environments, has been observed employing sophisticated attack strategies that prioritize data exfiltration and infrastructure destruction. Recent intrusions highlight threat actors leveraging compromised Remote Desktop Protocol (RDP) logins to deploy Lynx ransomware, systematically deleting server backups before encryption. This evolving threat continues to be closely monitored by security researchers as attackers refine their techniques and expand their targeting scope across various industries.
The attack chain begins with threat actors gaining initial access through compromised RDP credentials, likely obtained from infostealer malware, data breaches, or initial access brokers. A significant characteristic of this campaign is the prolonged preparation phase before ransomware deployment. Instead of immediately encrypting systems, attackers spend several days conducting reconnaissance, mapping network infrastructure, and establishing persistent backdoors. This methodical approach improves their chances of success: high-value targets are identified and fallback access is in place before any action likely to trigger detection alarms is taken.
According to analysis by The DFIR Report, the intrusion commenced in early March 2025 when an unidentified threat actor gained access to an internet-facing RDP endpoint using valid credentials. Importantly, there was no indication of credential stuffing or brute force attempts preceding this access, suggesting the attackers possessed legitimate account credentials from the outset. Within minutes of gaining initial access, the threat actor initiated system reconnaissance using command prompt utilities and deployed SoftPerfect Network Scanner for enumerating the broader network. The attack escalated rapidly, with the threat actor moving laterally to the domain controller in just ten minutes by utilizing a separate compromised administrator account.
Once positioned on the domain controller, the attacker proceeded to create multiple fake accounts designed to impersonate legitimate users, such as “administratr.” These accounts were added to privileged groups, including Domain Administrators. To retain access even if the initially compromised credentials were reset or revoked, the attackers also installed AnyDesk remote access software to establish persistence.
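The lookalike-account technique described above (a new account such as “administratr” that imitates a real privileged name and is then added to a privileged group) is something a defender can flag from domain controller audit data. The following is an added detection example, not code from The DFIR Report or the Lynx operators: it runs over constructed, simplified Windows Security event records (4720 = user account created, 4728 = member added to a security-enabled global group), compares each new or promoted account name against an assumed baseline of legitimate privileged names using edit distance, and raises alerts. The event shape, the baseline names and the threshold of two edits are assumptions for this illustration.

```python
"""Flag newly created accounts whose names imitate legitimate privileged users,
and additions to privileged groups (constructed example, not production telemetry)."""

# Groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Assumed (hypothetical) baseline of legitimate privileged account names.
LEGIT_PRIVILEGED = ["administrator", "da-backup-svc"]

# Constructed sample events, simplified from the fields of Security log events
# 4720 (account created) and 4728 (member added to global security group).
SAMPLE_EVENTS = [
    {"event_id": 4720, "target": "administratr", "actor": "svc_backup", "host": "DC01"},
    {"event_id": 4728, "target": "administratr", "group": "Domain Admins",
     "actor": "svc_backup", "host": "DC01"},
    {"event_id": 4720, "target": "jsmith-contractor", "actor": "hr_admin", "host": "DC01"},
    {"event_id": 4728, "target": "helpdesk2", "group": "Helpdesk", "actor": "hr_admin", "host": "DC01"},
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalike(name: str, baseline=LEGIT_PRIVILEGED, max_dist: int = 2):
    """Return the baseline name that `name` imitates (close but not identical), else None."""
    candidate = name.lower()
    best = None
    for legit in baseline:
        dist = levenshtein(candidate, legit.lower())
        # dist == 0 is the real account itself, not an impersonation.
        if 0 < dist <= max_dist and (best is None or dist < best[1]):
            best = (legit, dist)
    return best[0] if best else None


def analyze(events, baseline=LEGIT_PRIVILEGED, privileged=PRIVILEGED_GROUPS):
    """Produce alert dicts for lookalike account creation and privileged group additions."""
    alerts = []
    for ev in events:
        target = ev["target"]
        mimics = find_lookalike(target, baseline)
        if ev["event_id"] == 4720 and mimics:
            alerts.append({"severity": "high", "reason": "lookalike_account_created",
                           "target": target, "mimics": mimics,
                           "actor": ev["actor"], "host": ev["host"]})
        elif ev["event_id"] == 4728 and ev.get("group") in privileged:
            # Any privileged addition is worth a look; a lookalike name makes it critical.
            alerts.append({"severity": "critical" if mimics else "medium",
                           "reason": "privileged_group_addition",
                           "target": target, "mimics": mimics, "group": ev["group"],
                           "actor": ev["actor"], "host": ev["host"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In practice the baseline would be pulled from the directory (members of the privileged groups plus well-known service accounts) rather than hard-coded, and the 4728 rule should be paired with 4732 and 4756 for local and universal groups, which this example omits for brevity.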
Understanding Backup Destruction as an Attack Vector
A particularly alarming aspect of this Lynx ransomware campaign is the deliberate destruction of backup infrastructure prior to malware deployment. After approximately six days of dormancy, the threat actor resumed operations by conducting password spray attacks using NetExec. They systematically collected sensitive data from network shares, compressing these files using 7-Zip before exfiltrating the archives via temp.sh, a temporary file-sharing service. This data collection phase served as a precursor to double extortion, enabling attackers to threaten victims with data publication if ransoms went unpaid.
The critical final phase involved the threat actor connecting directly to backup servers and systematically deleting backup jobs. By eliminating recovery points before deploying Lynx ransomware, the attackers effectively removed the victims’ ability to restore encrypted files through alternative means. This strategy significantly amplifies the extortion capabilities of the ransomware, as organizations are unable to recover their data from backups.
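The collection and exfiltration phase described above (archiving share contents with 7-Zip, then pushing the archives to the temp.sh file-sharing service) leaves a pattern that can be correlated from ordinary endpoint and proxy telemetry: an archive-creation process on a host followed, within a short window, by a large outbound transfer from the same host to a file-sharing domain. The following is an added example, not code from the report or the attackers: it runs over constructed process and network log records, pairs 7-Zip "add to archive" executions with subsequent uploads to temp.sh, and also flags unpaired uploads to the same service. The record fields, the 60-minute window, the 50 MB size threshold and the domain list are assumptions for the illustration.

```python
"""Correlate local archive staging with subsequent uploads to a file-sharing service
(constructed example over made-up process and network records)."""
from datetime import datetime, timedelta

# Services seen in the reported intrusion (temp.sh) plus a placeholder for others a
# defender might add; treat as an assumed allow/deny list for this example.
FILE_SHARING_DOMAINS = {"temp.sh"}
ARCHIVER_IMAGES = {"7z.exe", "7za.exe"}

# Constructed sample process events: timestamp, host, user, image, command line.
PROCESS_EVENTS = [
    {"ts": "2025-03-09T02:10:05Z", "host": "FS01", "user": "administratr",
     "image": "7z.exe", "cmdline": "7z.exe a -mx1 C:\\Temp\\finance.7z \\\\FS01\\Finance"},
    {"ts": "2025-03-09T09:00:00Z", "host": "WS07", "user": "jdoe",
     "image": "7z.exe", "cmdline": "7z.exe a C:\\Users\\jdoe\\photos.7z C:\\Users\\jdoe\\Pictures"},
    {"ts": "2025-03-09T09:05:00Z", "host": "WS07", "user": "jdoe",
     "image": "7z.exe", "cmdline": "7z.exe x C:\\Users\\jdoe\\download.7z"},
]

# Constructed sample network (proxy) events: timestamp, host, user, destination, bytes sent.
NETWORK_EVENTS = [
    {"ts": "2025-03-09T02:31:40Z", "host": "FS01", "user": "administratr",
     "dest": "temp.sh", "bytes_out": 850_000_000},
    {"ts": "2025-03-09T09:20:00Z", "host": "WS07", "user": "jdoe",
     "dest": "update.example.net", "bytes_out": 120_000},
    {"ts": "2025-03-09T11:45:12Z", "host": "WS12", "user": "mlee",
     "dest": "temp.sh", "bytes_out": 120_000_000},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_archive_creation(proc) -> bool:
    """7-Zip invoked with the 'a' (add to archive) command, i.e. staging, not extraction."""
    args = proc["cmdline"].split()
    return proc["image"].lower() in ARCHIVER_IMAGES and len(args) > 1 and args[1].lower() == "a"


def correlate(process_events, network_events, window_minutes=60, min_bytes=50_000_000):
    """Return alerts: archive staging followed by a large upload to a file-sharing domain
    from the same host within the window, plus any unpaired large upload to such a domain."""
    alerts = []
    staging = [p for p in process_events if is_archive_creation(p)]
    for net in network_events:
        if net["dest"] not in FILE_SHARING_DOMAINS or net["bytes_out"] < min_bytes:
            continue
        n_ts = parse_ts(net["ts"])
        paired = None
        for proc in staging:
            delta = n_ts - parse_ts(proc["ts"])
            if proc["host"] == net["host"] and timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                paired = proc
                break
        if paired:
            alerts.append({"severity": "critical", "reason": "staging_then_upload",
                           "host": net["host"], "user": net["user"], "dest": net["dest"],
                           "bytes_out": net["bytes_out"], "archive_cmd": paired["cmdline"]})
        else:
            alerts.append({"severity": "medium", "reason": "file_sharing_upload",
                           "host": net["host"], "user": net["user"], "dest": net["dest"],
                           "bytes_out": net["bytes_out"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

The pairing is deliberately host-based rather than user-based, because the archive may be created under one account and uploaded under another; a tighter variant would also require the archive path in the 7-Zip command line to appear in the upload request when the proxy logs capture it.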
The comprehensive attack timeline, from initial compromise to ransomware deployment, spanned approximately 178 hours, or nine days. This extended period allowed the attackers to meticulously stage their operation and maximize organizational disruption when Lynx eventually encrypted critical systems across multiple backup and file servers. The deployment of Lynx ransomware, following the elimination of backups, presents a formidable challenge for incident response and business continuity efforts, underscoring the need for robust, offline backup strategies and stringent access controls.
Moving forward, organizations should prioritize hardening RDP access, implementing multi-factor authentication across all critical systems, and regularly reviewing and testing their data backup and recovery procedures. The continuing evolution of ransomware tactics, such as the deliberate destruction of backups, necessitates a proactive and layered security approach to mitigate the increasing risks posed by advanced threat actors.