Cyber Security News

Threat Actors Leveraging Compromised RDP Logins to Deploy Lynx Ransomware After Deleting Server Backups

Lynx ransomware has emerged as a significant threat to enterprise environments, with recent intrusions demonstrating sophisticated attack strategies that prioritize data exfiltration and infrastructure destruction.

The malware campaign combines compromised credentials with careful planning to ensure maximum impact on target networks.

Security researchers continue to monitor this evolving threat as attackers refine their techniques and expand their targeting scope across various industries.

The attack chain reveals a methodical approach where threat actors gain initial access through compromised Remote Desktop Protocol credentials, likely sourced from infostealer malware, data breaches, or initial access brokers.

What distinguishes this campaign is the extended preparation phase before ransomware deployment. Attackers spend days conducting reconnaissance, mapping network infrastructure, and establishing persistent backdoors rather than rushing to encrypt systems immediately.

This calculated approach significantly increases their chances of success by identifying high-value targets and securing escape routes before triggering detection alarms.

The DFIR Report security analysts identified that the intrusion began in early March 2025 when an unknown threat actor successfully logged into an internet-facing RDP endpoint using valid credentials.

Notably, no evidence of credential stuffing or brute force attempts preceded this access, indicating the attackers possessed legitimate account credentials from the start.

Within minutes of initial access, the threat actor began conducting system reconnaissance using command prompt utilities and deployed SoftPerfect Network Scanner for wider network enumeration.

The attack evolved rapidly as the threat actor moved laterally to the domain controller within just ten minutes using a separate compromised administrator account.

Lateral Movement (Source – The DFIR Report)

Once positioned on the domain controller, the attacker created multiple fake accounts designed to mimic legitimate users, such as "administratr", adding them to privileged groups including Domain Administrators.

The attackers also installed AnyDesk remote access software to establish persistence, ensuring continued access even if their original credentials were discovered.

Understanding Backup Destruction as an Attack Vector

A particularly concerning aspect of this Lynx ransomware campaign is the deliberate destruction of backup infrastructure before deploying the malware. After six days of dormancy, the threat actor returned and resumed operations by conducting password spray attacks using NetExec.

They systematically collected sensitive data from network shares, compressing these files using 7-Zip before exfiltrating the archives via temp.sh, a temporary file-sharing service.

This data collection phase served as a double extortion preparation method, allowing attackers to threaten victims with data publication if ransoms went unpaid.
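The logon and account signals described above (an RDP logon with valid credentials and no preceding failures, a lookalike account such as "administratr" being added to a privileged group, and the later password spray) can be pulled out of Windows Security events with a short detection pass. The following is an added example written for this article, not code from The DFIR Report or the article's author; the events, IP addresses, account names and internal ranges are constructed, and the mapping of event fields onto the Event dataclass is a simplification of the real 4624/4625/4720/4728/4732 schemas.

```python
"""Detection pass over Windows Security events for the early-stage signals of this
intrusion. Added example: not code from The DFIR Report or the article; all events
below are constructed and the field mapping is simplified."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Ranges this (hypothetical) organization treats as internal; anything else is external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RDP_LOGON_TYPE = 10  # RemoteInteractive


@dataclass
class Event:
    ts: int              # seconds since epoch (constructed values)
    event_id: int        # 4624 logon, 4625 failed logon, 4720 account created, 4728/4732 member added to group
    account: str         # 4624/4625: account logging on; 4720: creator; 4728/4732: member that was added
    src_ip: str = ""
    logon_type: int = 0
    target: str = ""     # 4720: new account name; 4728/4732: group name


def is_internal(ip: str) -> bool:
    """True if the address falls in a known internal range; unparsable input counts as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one deletion separates 'administratr' from 'administrator'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, known: list, max_dist: int = 2):
    """Return the legitimate account that `name` imitates, or None."""
    for k in known:
        if name.lower() != k.lower() and levenshtein(name.lower(), k.lower()) <= max_dist:
            return k
    return None


def detect(events, known_accounts, fail_window=3600, spray_window=600, spray_accounts=5):
    events = sorted(events, key=lambda e: e.ts)
    failures = [e for e in events if e.event_id == 4625]
    findings = []
    for e in events:
        if e.event_id == 4624 and e.logon_type == RDP_LOGON_TYPE and e.src_ip and not is_internal(e.src_ip):
            # A success with no recent failures for that account means the credential was already valid.
            prior = [f for f in failures if f.account == e.account and e.ts - fail_window <= f.ts < e.ts]
            kind = "rdp_external_after_failures" if prior else "rdp_external_first_try"
            findings.append((kind, e.account, e.src_ip))
        elif e.event_id == 4720:
            imitated = lookalike(e.target, known_accounts)
            if imitated:
                findings.append(("lookalike_account", e.target, imitated))
        elif e.event_id in (4728, 4732) and e.target in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", e.account, e.target))
    # Password spray: one source failing against many distinct accounts inside a short window.
    by_src = defaultdict(list)
    for f in failures:
        by_src[f.src_ip].append(f)
    for src, fs in by_src.items():
        for i, first in enumerate(fs):
            accounts = {f.account for f in fs[i:] if f.ts - first.ts <= spray_window}
            if len(accounts) >= spray_accounts:
                findings.append(("password_spray", src, len(accounts)))
                break
    return findings


SAMPLE_EVENTS = [  # constructed
    Event(1000, 4624, "jsmith", src_ip="203.0.113.45", logon_type=RDP_LOGON_TYPE),  # external RDP, no prior failures
    Event(1300, 4624, "admin.svc", src_ip="10.0.0.15", logon_type=3),               # internal network logon
    Event(1600, 4720, "admin.svc", target="administratr"),                           # lookalike of "administrator"
    Event(1620, 4728, "administratr", target="Domain Admins"),
    Event(1700, 4720, "admin.svc", target="svc_backup_new"),                         # ordinary new account
    Event(2000, 4625, "bob", src_ip="203.0.113.9", logon_type=RDP_LOGON_TYPE),
    Event(2010, 4624, "bob", src_ip="203.0.113.9", logon_type=RDP_LOGON_TYPE),       # success right after a failure
] + [Event(5000 + 10 * i, 4625, name, src_ip="10.0.0.20", logon_type=3)              # one host, five accounts
     for i, name in enumerate(["alice", "carol", "dave", "erin", "frank"])]
KNOWN_ACCOUNTS = ["administrator", "jsmith", "admin.svc", "bob"]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(finding)
```

Run it against events exported from a SIEM or the domain controllers' Security logs. The first-try external success is the higher-value alert here: a success preceded by a burst of failures points at guessing, while one with none points at credentials that were already valid, which is what the report describes.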

The critical final phase involved connecting directly to backup servers and systematically deleting backup jobs. By removing backup recovery points before deploying Lynx ransomware, the attackers eliminated the victims’ ability to restore encrypted files through alternative means.

Temporary file sharing site (Source – The DFIR Report)

This strategy transforms the ransomware into a more effective extortion tool since organizations cannot simply restore from backups.
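A retention-aware inventory check is one way to notice backup-job deletions before the encryption step rather than after it. This is an added example, not code from The DFIR Report, the article or any backup vendor; the inventory format (job name to a set of recovery-point timestamps), the 30-day retention policy and the two snapshots are all assumed.

```python
"""Retention-aware audit of backup job inventories. Added example, not from The DFIR
Report or the article; the snapshots are constructed and the inventory format is assumed."""
from datetime import datetime, timedelta

RETENTION_DAYS = 30  # assumed policy: points older than this may legitimately expire


def daily_points(now: datetime, count: int) -> set:
    """Constructed recovery-point timestamps: one per day, newest first."""
    return {now - timedelta(days=i) for i in range(count)}


def audit_backup_inventory(previous: dict, current: dict, now: datetime,
                           retention_days: int = RETENTION_DAYS) -> list:
    """Compare two inventory snapshots (job name -> set of recovery-point datetimes).

    Normal retention only removes points older than the cutoff, so a removed point
    newer than the cutoff, or a job that vanished entirely, is reported as destruction
    rather than ageing.
    """
    cutoff = now - timedelta(days=retention_days)
    alerts = []
    for job, prev_points in previous.items():
        cur_points = current.get(job)
        if cur_points is None:
            alerts.append(("job_deleted", job, len(prev_points)))
            continue
        removed = prev_points - cur_points
        premature = [p for p in removed if p > cutoff]
        if premature:
            alerts.append(("recovery_points_deleted_before_expiry", job, len(premature)))
    return alerts


# Constructed snapshots: yesterday's inventory versus today's, as a separate monitor would collect them.
NOW = datetime(2025, 3, 10, 6, 0)  # constructed timestamp
PREVIOUS = {
    "FS01-daily": daily_points(NOW, 36),
    "DC01-daily": daily_points(NOW, 36),
    "SQL01-daily": daily_points(NOW, 36),
}
CURRENT = {
    "FS01-daily": daily_points(NOW, 30),  # six oldest points aged out: within policy, no alert
    # DC01-daily is missing entirely: the job itself was deleted
    "SQL01-daily": {p for p in daily_points(NOW, 36) if p < NOW - timedelta(days=7)},  # newest week removed
}

if __name__ == "__main__":
    for alert in audit_backup_inventory(PREVIOUS, CURRENT, NOW):
        print(alert)
```

Collect the inventory from a monitoring host separate from the backup server, with read-only credentials, since in this intrusion the attacker connected directly to the backup servers; and alert on the deletion itself rather than only on a failed backup run, because a deleted job never fails, it simply stops reporting.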

The overall time from initial compromise to ransomware deployment reached approximately 178 hours across nine days, allowing the attackers to carefully stage their attack and maximize organizational disruption when Lynx finally encrypted critical systems across multiple backup and file servers.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
