🧪 DFIR Labs | ALPHV Ransomware Case #24952
Walk through a real intrusion where IcedID was used to deploy ScreenConnect and a custom C# streamer, ultimately leading to an ALPHV (BlackCat) ransomware event.
This lab breaks down:
Remote access and persistence with ScreenConnect
Custom tooling used prior to ransomware deployment
Operator tradecraft observed along the way
Step through the investigation and analyze attacker behavior end-to-end.
https://dfirlabs.thedfirreport.com/auth/login
Detect attacker infrastructure early
Hunt for active footholds
Reduce false positives with continuously verified intel
Cat’s Got Your Files: Dive Into the Lynx Ransomware Incident!