About This Threat Profile

First Identified: 2024

Operation style:
Ransomware-as-a-Service (RaaS)

Extortion method:
Double extortion – the traditional ransomware extortion method (encryption) combined with exfiltration of the victim’s sensitive data; the group threatens to publish the stolen data on its data leak site if the ransom is not paid.

Most frequently targeted industry:

  • Industrials (Construction & Engineering)

Most frequently targeted victim HQ region: United States, North America

Known Associations:

  • INC Ransom Ransomware
  • Water Lalawag

Description

Lynx Ransomware was first identified in July 2024, when the group began posting purported victims on its data leak site, Lynx News. Like other ransomware operations, the group states on its leak site that it is financially motivated and follows a strict targeting policy, claiming to avoid “socially important” organizations such as government agencies, hospitals, and non-profit organizations.

Lynx Ransomware has been reported to be closely related to INC Ransom. Security researchers with SK Shieldus reported that Lynx uses the same strings and encryption algorithms as INC Ransom and is functionally similar, for example in its program execution flow. Additionally, BlackBerry researchers reported that the same email address, gansbronz[at]gmail[.]com, appears in the registration information of both groups’ public data leak sites.

In May 2024, INC Ransom operators listed their source code for sale on a dark web forum for $300,000. There is an Even Chance that Lynx operators purchased that source code and built their own variant from it. Both Lynx and INC Ransom use the DeviceIoControl function to interact with devices and delete backup copies. In the Lynx variant, the DeviceIoControl routine runs only when neither the --file nor the --dir argument is supplied (that is, when the binary is left to enumerate targets itself rather than being pointed at a single file or directory).

Lynx Ransomware reportedly attempts to modify file permissions before encrypting files, which requires the operator to already hold administrative privileges; the ransomware itself contains no separate privilege escalation routine.

When Lynx ransomware begins encryption, it uses only the “medium” mode inherited from INC Ransom: it encrypts 1MB out of every 6MB of a file, and files smaller than 1MB are encrypted in full. INC Ransom, by contrast, also offers “fast” and “slow” encryption modes. Because five sixths of a large file are left untouched, partial recovery of large files (databases, virtual disks, archives) is often possible even without the key.
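The 1-of-6 intermittent encryption scheme described above, modeled as an added example in Python (this is not Lynx or INC Ransom code, which is not reproduced here): it predicts which byte ranges a file of a given size would have encrypted, how much plaintext survives, and scans a file buffer block by block for high entropy to check whether the random-looking blocks line up with that pattern, a quick triage step for recognizing the variant on disk and for gauging what partial recovery is possible. It assumes that 1MB means 1 MiB, that the encrypted chunk sits at the start of each 6MB stride beginning at offset 0, and a 7.5 bits/byte entropy threshold; the sample file contents are constructed inline.

```python
import math
import random
from collections import Counter

MB = 1024 * 1024            # assumption: the page's "MB" modeled as 1 MiB
CHUNK = 1 * MB              # bytes encrypted at the start of each stride
STRIDE = 6 * MB             # distance from one encrypted chunk to the next
SMALL_FILE_LIMIT = 1 * MB   # files below this size are encrypted in full
ENTROPY_THRESHOLD = 7.5     # bits per byte; ciphertext sits close to 8.0


def encrypted_ranges(size, chunk=CHUNK, stride=STRIDE, small_limit=SMALL_FILE_LIMIT):
    """Byte ranges [(start, end), ...] the medium mode would encrypt."""
    if size <= 0:
        return []
    if size < small_limit:
        return [(0, size)]                      # small file: whole file
    # assumption: the pattern is anchored at offset 0, chunk then gap
    return [(off, min(off + chunk, size)) for off in range(0, size, stride)]


def plaintext_fraction(size, **kw):
    """Share of the file left untouched (what a partial recovery could read)."""
    if size <= 0:
        return 0.0
    encrypted = sum(end - start for start, end in encrypted_ranges(size, **kw))
    return 1.0 - encrypted / size


def shannon_entropy(buf):
    """Shannon entropy in bits per byte of a byte string."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def looks_encrypted(block, threshold=ENTROPY_THRESHOLD):
    """Entropy test; the ceiling is lowered for short blocks, whose entropy
    cannot exceed log2(len) even when they are pure ciphertext."""
    if not block:
        return False
    ceiling = min(8.0, math.log2(len(block)))
    return shannon_entropy(block) >= threshold * ceiling / 8.0


def matches_medium_pattern(data, chunk=CHUNK, stride=STRIDE,
                           small_limit=SMALL_FILE_LIMIT, threshold=ENTROPY_THRESHOLD):
    """True when the high-entropy blocks of `data` are exactly the blocks the
    medium mode would encrypt, and every other block still reads as plaintext."""
    expected = {start for start, _ in encrypted_ranges(len(data), chunk, stride, small_limit)}
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        if looks_encrypted(block, threshold) != (off in expected):
            return False
    return True


def build_sample(n_chunks, chunk=CHUNK, stride=STRIDE, small_limit=SMALL_FILE_LIMIT,
                 seed=1, full=False):
    """Constructed sample file: repetitive plaintext with random bytes written
    over the ranges the medium mode would encrypt (or everywhere, if full=True)."""
    size = n_chunks * chunk
    text = b"The quick brown fox jumps over the lazy dog. "
    data = bytearray((text * (size // len(text) + 1))[:size])
    rng = random.Random(seed)
    ranges = [(0, size)] if full else encrypted_ranges(size, chunk, stride, small_limit)
    for start, end in ranges:
        data[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(data)


if __name__ == "__main__":
    # Real sizes for the range math, scaled-down sizes for the entropy scan.
    for size in (512 * 1024, 7 * MB, 100 * MB):
        print(f"{size:>10} bytes -> {encrypted_ranges(size)}  "
              f"plaintext {plaintext_fraction(size):.1%}")
    small = dict(chunk=4096, stride=6 * 4096, small_limit=4096)
    partial = build_sample(13, **small)
    whole = build_sample(13, full=True, **small)
    print("1-of-6 pattern:", matches_medium_pattern(partial, **small))  # True
    print("fully encrypted:", matches_medium_pattern(whole, **small))   # False
```

Two caveats when running this against real files: formats that are already compressed or encrypted in their plaintext state (zip, docx, jpeg, PDF streams) are high entropy everywhere and will fail the pattern check even when they were hit by the 1-of-6 mode, so confirm with the appended extension and ransom note rather than entropy alone; and the range math is only as good as the assumption that the pattern starts at offset 0, which should be verified against a sample before relying on it for recovery planning.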

Lynx ransomware operators are assessed to gain initial access to victim environments via phishing emails carrying malicious attachments, a common initial access tactic in ransomware attacks.
