
Cat's Got Your Files: Lynx Ransomware

0
Medium
Published: Mon Nov 17 2025 (11/17/2025, 18:13:18 UTC)
Source: AlienVault OTX General

Description

The Lynx ransomware campaign involves a threat actor gaining initial access via RDP using compromised credentials, likely from infostealers or data breaches. The attacker moves laterally to domain controllers, creates high-privilege impersonation accounts, and installs AnyDesk for persistence. Over nine days, extensive network reconnaissance and virtualization mapping are conducted, followed by data exfiltration from multiple file shares. On the final day, backup jobs are deleted before deploying Lynx ransomware across multiple servers. The intrusion lasted approximately 178 hours, leveraging domain admin credentials throughout. This attack combines credential abuse, lateral movement, data theft, backup sabotage, and ransomware deployment, posing significant operational and data confidentiality risks. European organizations with exposed RDP services and insufficient credential protection are particularly vulnerable. Mitigation requires proactive credential hygiene, network segmentation, backup hardening, and monitoring for anomalous administrative activity.

AI-Powered Analysis

Last updated: 11/18/2025, 02:37:58 UTC

Technical Analysis

The Lynx ransomware campaign is a sophisticated multi-stage intrusion characterized by initial access through Remote Desktop Protocol (RDP) using compromised credentials, which are likely obtained via infostealers, data breaches, or purchased from initial access brokers. Upon gaining entry, the attacker rapidly escalates privileges and moves laterally within the network, targeting domain controllers to create multiple impersonation accounts with elevated privileges. Persistence is maintained through the installation of AnyDesk, a legitimate remote access tool, allowing continued access even if the initial vector is closed.

Over a nine-day period, the adversary performs extensive network reconnaissance using tools such as SoftPerfect NetScan and NetExec to map the network topology and virtualization infrastructure, as well as to identify valuable file shares. Sensitive data is exfiltrated using the temp.sh service, indicating a focus on data theft alongside ransomware deployment. On the final day, the attacker targets backup servers, deleting backup jobs to prevent recovery, before deploying the Lynx ransomware payload across multiple servers, encrypting critical data and disrupting operations.

The entire intrusion spans approximately 178 hours, with continuous use of compromised domain admin credentials, highlighting the threat actor's deep access and control. The campaign leverages multiple MITRE ATT&CK techniques including credential dumping, lateral movement, network reconnaissance, data exfiltration, and backup deletion, culminating in ransomware deployment. Indicators of compromise include specific hashes, IP addresses, and suspicious domains. No known public exploits are reported, but the attack relies heavily on credential compromise and abuse of legitimate tools, making detection challenging. The campaign underscores the importance of securing RDP access, monitoring privileged account activity, and protecting backup infrastructure.

Potential Impact

For European organizations, the Lynx ransomware campaign presents a severe threat to confidentiality, integrity, and availability of critical systems and data. The use of compromised domain admin credentials and lateral movement to domain controllers can lead to widespread network compromise, affecting multiple business units and critical infrastructure. Data exfiltration risks regulatory non-compliance under GDPR due to potential exposure of personal and sensitive data, leading to legal and financial penalties. Deletion of backup jobs severely impairs recovery capabilities, increasing downtime and operational disruption. Sectors with high reliance on virtualization and networked file shares, such as finance, healthcare, manufacturing, and government, face heightened risks. The persistence via AnyDesk and use of legitimate tools complicate detection and response, potentially allowing prolonged undetected access. The campaign’s multi-day duration and extensive reconnaissance indicate a targeted approach, which could impact large enterprises and critical infrastructure providers in Europe, causing significant financial losses, reputational damage, and operational paralysis.

Mitigation Recommendations

1. Enforce strict multi-factor authentication (MFA) for all RDP and remote access services to prevent unauthorized access via compromised credentials.
2. Implement network segmentation to isolate domain controllers, backup servers, and critical infrastructure from general user networks, limiting lateral movement opportunities.
3. Harden backup infrastructure by restricting access, enabling immutable backups where possible, and regularly testing backup restoration processes.
4. Monitor for anomalous account creation, especially high-privilege impersonation accounts, and unusual use of remote access tools like AnyDesk.
5. Deploy endpoint detection and response (EDR) solutions capable of detecting reconnaissance tools such as SoftPerfect NetScan and NetExec, as well as suspicious PowerShell or command-line activity.
6. Conduct regular credential audits and enforce least privilege principles to reduce the impact of credential compromise.
7. Establish robust logging and alerting for RDP logins, administrative actions, and backup job modifications.
8. Educate staff on phishing and credential theft risks to reduce initial compromise likelihood.
9. Utilize threat intelligence feeds to detect and block known indicators of compromise associated with Lynx ransomware.
10. Prepare and regularly update incident response plans specifically addressing ransomware and backup sabotage scenarios.
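Recommendations 4 and 7 above (alerting on RDP logons, privileged account creation and remote access tool installs) can be expressed as simple correlation rules over Windows event logs. The following is an added example written for this page, not code from AlienVault, The DFIR Report or the Lynx analysis. The event records are constructed for illustration; the field names, the list of internal network ranges and the remote tool name markers are assumptions a deployment would replace with its own. The Windows event IDs are standard ones: 4624 (logon; logon type 10 is RemoteInteractive, i.e. RDP), 4720 (user account created), 4728/4732 (member added to a global/local security group) and 7045 (new service installed).

```python
"""Correlate Windows event records for the three behaviours the analysis
describes: external RDP logon, creation of a high-privilege account, and
installation of a remote access tool. Added example; sample data is constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: adjust to the environment being monitored.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REMOTE_TOOL_MARKERS = ("anydesk", "teamviewer", "rustdesk")  # assumed list of tools to flag

# Constructed sample telemetry; timestamps are naive UTC ISO strings.
EVENTS = [
    {"ts": "2025-11-01T22:14:05", "id": 4624, "host": "DC01", "user": "j.doe",
     "logon_type": 10, "src_ip": "198.51.100.23"},            # RDP from outside the LAN
    {"ts": "2025-11-01T22:20:11", "id": 4720, "host": "DC01", "user": "svc_backup2",
     "actor": "j.doe"},                                        # new account created
    {"ts": "2025-11-01T22:21:40", "id": 4728, "host": "DC01", "user": "svc_backup2",
     "group": "Domain Admins", "actor": "j.doe"},              # ... and made Domain Admin
    {"ts": "2025-11-01T22:35:02", "id": 7045, "host": "FS01", "service": "AnyDesk Service",
     "path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "actor": "svc_backup2"},
    {"ts": "2025-11-02T09:10:00", "id": 4624, "host": "WS17", "user": "a.smith",
     "logon_type": 10, "src_ip": "10.0.5.4"},                  # benign internal RDP
    {"ts": "2025-11-03T11:00:00", "id": 4720, "host": "DC01", "user": "intern01",
     "actor": "hr.admin"},                                     # account created, never privileged
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """4624 logons of type 10 (RDP) whose source address is outside INTERNAL_NETS."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10 and not _is_internal(e["src_ip"])]


def new_privileged_accounts(events, window=timedelta(hours=1)):
    """Accounts created (4720) and then added to a privileged group (4728/4732)
    within `window`. Returns (account, group, actor) tuples."""
    created = {e["user"]: e for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS:
            c = created.get(e["user"])
            if c and timedelta(0) <= _ts(e) - _ts(c) <= window:
                findings.append((e["user"], e["group"], e.get("actor")))
    return findings


def remote_tool_installs(events):
    """7045 service installs whose name or binary path names a remote access tool."""
    hits = []
    for e in events:
        if e["id"] == 7045:
            blob = (e.get("service", "") + " " + e.get("path", "")).lower()
            if any(marker in blob for marker in REMOTE_TOOL_MARKERS):
                hits.append((e["host"], e["service"], e.get("actor")))
    return hits


def triage(events):
    """Run all three rules; each list would feed a separate alert queue."""
    return {
        "external_rdp": [(e["user"], e["src_ip"], e["host"]) for e in external_rdp_logons(events)],
        "new_privileged_accounts": new_privileged_accounts(events),
        "remote_tool_installs": remote_tool_installs(events),
    }


if __name__ == "__main__":
    for rule, findings in triage(EVENTS).items():
        print(rule, findings)
```

On the constructed data the first rule flags only the logon from 198.51.100.23, the second ties `svc_backup2` to its promotion to Domain Admins by `j.doe` within the window, and the third flags the AnyDesk service on FS01; the internal RDP logon and the unprivileged `intern01` account are ignored. The one-hour window in `new_privileged_accounts` is a tuning choice: a longer window catches slower operators at the cost of more benign hits from legitimate onboarding.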


Technical Details

Author: AlienVault
TLP: white
References: https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware
Adversary: none recorded
Pulse ID: 691b65be81167e8300b087de
Threat Score: none recorded

Indicators of Compromise

Domains

national.shitposting.agency
delete.me

Hashes (MD5, 32 hex characters)

3073af95dfc18361caebccd69d0021a2
7532ff90145b8c59dc9440bf43dc87a5
e2179046b86deca297ebf7398b95e438

Hashes (SHA-1, 40 hex characters)

2b4b11d3ecffd82ed44db652cdd65733224f8e34
3e01df0155a539fe6d802ee9e9226d8c77fd96c9
efe8b9ff7ff93780c9162959a4c1e5ecf6e840a4

Hashes (SHA-256, 64 hex characters)

07b36c1660deb223749a8ac151676d8924bc13aa59e6712a3c14a2df5237264a
517288e12c05a92e483e6d80b9136c19bc58c46851720680bb6d1b7016034c37
6285d32a9491a0084da85a384a11e15e203badf67b1deed54155f02b7338b108

IP addresses

195.211.190.189
77.90.153.30

Threat ID: 691bd87cd4c3ef3c7a5e99cf

Added to database: 11/18/2025, 2:22:52 AM

Last enriched: 11/18/2025, 2:37:58 AM

Last updated: 11/19/2025, 4:06:21 AM

Views: 56
