Date: 11/18/2025
Severity: High
Summary
The Lynx ransomware intrusion began with an RDP login using stolen credentials, quickly followed by lateral movement to a domain controller using a compromised admin account. The attacker created multiple impersonation-style privileged accounts, mapped virtualization systems and file shares, and gathered sensitive data before exfiltrating it via temp.sh. They then accessed backup servers, deleted backup jobs, and finally deployed Lynx ransomware across backup and file servers using RDP. The full attack—from initial access to ransomware deployment—spanned about 178 hours over nine days.
Indicators of Compromise (IOC) List
| Type | Value |
| --- | --- |
| IP Address | 195.211.190.189 |
| IP Address | 77.90.153.30 |
| MD5 | 3073af95dfc18361caebccd69d0021a2 |
| MD5 | 7532ff90145b8c59dc9440bf43dc87a5 |
| MD5 | e2179046b86deca297ebf7398b95e438 |
| SHA1 | efe8b9ff7ff93780c9162959a4c1e5ecf6e840a4 |
| SHA1 | 2b4b11d3ecffd82ed44db652cdd65733224f8e34 |
| SHA1 | 3e01df0155a539fe6d802ee9e9226d8c77fd96c9 |
| SHA256 | 517288e12c05a92e483e6d80b9136c19bc58c46851720680bb6d1b7016034c37 |
| SHA256 | 6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108 |
| SHA256 | 07b36c1660deb223749a8ac151676d8924bc13aa59e6712a3c14a2df5237264a |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Logic |
| --- | --- |
| Detection Query 1 | dstipaddress IN ("77.90.153.30","195.211.190.189") or srcipaddress IN ("77.90.153.30","195.211.190.189") |
| Detection Query 2 | md5hash IN ("7532ff90145b8c59dc9440bf43dc87a5","3073af95dfc18361caebccd69d0021a2","e2179046b86deca297ebf7398b95e438") |
| Detection Query 3 | sha1hash IN ("2b4b11d3ecffd82ed44db652cdd65733224f8e34","efe8b9ff7ff93780c9162959a4c1e5ecf6e840a4","3e01df0155a539fe6d802ee9e9226d8c77fd96c9") |
| Detection Query 4 | sha256hash IN ("517288e12c05a92e483e6d80b9136c19bc58c46851720680bb6d1b7016034c37","6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108","07b36c1660deb223749a8ac151676d8924bc13aa59e6712a3c14a2df5237264a") |
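The four TDIR queries above, applied offline to newline-delimited JSON events, as an added example that is not part of the advisory or of Gurucul's product; the field names (srcipaddress, dstipaddress, md5hash, sha1hash, sha256hash) follow the queries, the sample events are constructed, and hashes are matched case-insensitively because log sources do not agree on hex case.

```python
import json

# Indicator values come from the IOC table above; field names follow the TDIR queries.
IOC_IPS = {"195.211.190.189", "77.90.153.30"}
IOC_HASHES = {
    "md5hash": {"3073af95dfc18361caebccd69d0021a2",
                "7532ff90145b8c59dc9440bf43dc87a5",
                "e2179046b86deca297ebf7398b95e438"},
    "sha1hash": {"efe8b9ff7ff93780c9162959a4c1e5ecf6e840a4",
                 "2b4b11d3ecffd82ed44db652cdd65733224f8e34",
                 "3e01df0155a539fe6d802ee9e9226d8c77fd96c9"},
    "sha256hash": {"517288e12c05a92e483e6d80b9136c19bc58c46851720680bb6d1b7016034c37",
                   "6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108",
                   "07b36c1660deb223749a8ac151676d8924bc13aa59e6712a3c14a2df5237264a"},
}

def match_event(event):
    """Return the numbers of the detection queries (1-4) that fire on one event."""
    hits = []
    # Query 1: either endpoint of the connection is a listed address.
    if event.get("srcipaddress") in IOC_IPS or event.get("dstipaddress") in IOC_IPS:
        hits.append(1)
    # Queries 2-4: compare hashes case-insensitively; log sources disagree on hex case.
    for query, field in ((2, "md5hash"), (3, "sha1hash"), (4, "sha256hash")):
        value = event.get(field)
        if isinstance(value, str) and value.strip().lower() in IOC_HASHES[field]:
            hits.append(query)
    return hits

def scan_log(lines):
    """Scan newline-delimited JSON events; returns [(line_no, [query, ...]), ...]."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        hits = match_event(event) if isinstance(event, dict) else []
        if hits:
            alerts.append((number, hits))
    return alerts

# Constructed sample events (not real telemetry): an RDP connection to a listed address,
# a file event with a listed SHA-256 in upper-case hex, a benign event, a malformed line.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "195.211.190.189", "dstport": 3389}',
    '{"host": "FS01", "sha256hash": "517288E12C05A92E483E6D80B9136C19BC58C46851720680BB6D1B7016034C37"}',
    '{"host": "WS07", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"}',
    'not json at all',
]
```

Running `scan_log(SAMPLE_LOG)` flags line 1 on Query 1 and line 2 on Query 4; the benign and malformed lines produce no alert.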
Reference:
https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/