"The ransom note did not follow the normal LockBit format directing victims to a Tor leak site or TOX/Jabber communications; instead, it instructed them to download and use the Session private messaging application...
Report: thedfirreport.com/2026/02/23/a...
Day 9: Ransomware deployment.
The threat actor RDP’d from the beachhead to backup & file servers and dropped the Lynx payload “w.exe” using a compromised Domain Admin account.
Full breakdown 👇
thedfirreport.com/2025/12/17/c...
#DFIR #Ransomware #ThreatHunting #BlueTeam #CyberSecurity
RDP bitmap cache artifacts revealed the threat actor opening the Veeam Backup & Replication console, reviewing backup jobs, tape & storage infrastructure — and removing backups from the configuration database.
Full report 👇
thedfirreport.com/2025/12/17/c...
"The threat actor also ran the command netstat -t, which displays active connections; however, -t is not a documented option for netstat on Windows."
Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
"On some hosts, Microsoft Defender antivirus was active. On these systems, Defender detected and blocked execution of the service creation and Powershell execution..."
Report: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
This Diamond Model from our “Cat’s Got Your Files: Lynx Ransomware” report illustrates the four core elements of the intrusion.
See how all four vertices aligned for full-domain compromise 👇
thedfirreport.com/2025/12/17/c...
#DFIR #ThreatIntel #Ransomware #BlueTeam #CyberSecurity
We’re seeing a “Missing Font” ClickFix chain in the wild.
Flow:
1️⃣ Fake “Missing Font” prompt
2️⃣ Leads to a BSOD-style recovery screen
3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands
#infosec #DFIR #threatintel
Report: thedfirreport.com/2025/12/17/c...