Fending off the Lynx Group Ransomware
A short write-up of how we mitigated an attack for a client
I woke up Thursday morning of last week to a text message saying that one of our clients had been the target of a ransomware attack. For those unaware, this means that a company's files have been locked and the hackers want money, usually cryptocurrency, to decrypt your files.
So, I got up as fast as I could and headed for the client's office. Once there, I discovered my manager had already had someone on the first shift come in and disconnect the server from the main network.
After the infected servers were isolated on their own network without internet access, they were shut down and restarted. We manually went through all the services that looked suspicious and shut them down one by one. In doing so, we were able to stop the encryption about 25% of the way through the company's data.
The second blessing was that, by catching it early enough, we were able to save the shadow copies that the malware hadn't reached yet - effectively saving every user's profile, personal work data, and the remaining 25% of the data that needed to be restored for the entire company.
Lastly, stopping the attack early on prevented the files from being siphoned from the network and released to the public. Local backups had already been encrypted, though; again, fortunately, the shadow copies had not been touched.
The VMs (virtual machines) and the QuickBooks files the company runs on had been fully encrypted. As for the VMs, we isolated the XenServer as well, deleted the infected VMs from it, and restored them from an off-site backup. The backup was from a few hours before the attack, so we were able to properly restore network services for the whole company. We had a copy of the QuickBooks data from the end of the previous day, so nothing was lost there.
At the end of 5 days of isolating servers, ensuring data integrity, and rebuilding a few systems, I can confidently say we were able to restore our client to 100%, without paying the Lynx group a dollar for the decryption key or for data release.
Off-site backups and a fast reaction time were our team's saving grace here. Thanks for reading!