Intel Name: Cat’s got your files: Lynx ransomware
Date of Scan: November 18, 2025
Impact: High
Summary: The Lynx ransomware intrusion began with an RDP login using stolen credentials, quickly followed by lateral movement to a domain controller using a compromised admin account. The attacker created multiple impersonation-style privileged accounts, mapped virtualization systems and file shares, and gathered sensitive data before exfiltrating it via temp.sh. They then accessed backup servers, deleted backup jobs, and finally deployed Lynx ransomware across backup and file servers using RDP. The full attack—from initial access to ransomware deployment—spanned about 178 hours over nine days.