Lynx Ransomware was first identified in July 2024 when the group began posting purported victims on their data leak site, Lynx News. Similar to other ransomware operations, the group claimed via their data leak site that they are financially motivated and have a strict policy on targeting. The group claims that they avoid “socially important” organizations, such as government agencies, hospitals, and non-profit organizations.
Lynx runs as a ransomware-as-a-service (RaaS) operation, and a user with the handle silencer has been observed advertising it on the cybercriminal forum RAMP.
Rather than targeting a single architecture, the Lynx operation offers affiliates a complete bundle of executables, including builds for Linux x64, Linux ARM, MIPS, ESXi, and others. This allows an affiliate to pick whichever variant suits a specific part of the victim’s network.
Security researchers at Group-IB reported gaining access to the Lynx affiliate group and its affiliate panel. The panel reportedly featured multiple sections, including “News”, “Chats”, “Companies”, “Stuffers”, and “Leaks”.
- News – serves as a central hub for updates and announcements.
- Chats – provides information about the chats created for negotiations.
- Companies – provides an interface for affiliates to manage victims.
- Stuffers – offers affiliates a streamlined interface to manage any sub-affiliates and team members.
- Leaks – allows affiliates to create and manage publications about companies they have targeted but who haven’t paid.
Lynx Ransomware has been reported to be similar to INC Ransom. Security researchers at SK Shieldus reported that Lynx uses the same strings and encryption algorithms as INC Ransom and is similar in functional aspects such as program execution flow. Additionally, BlackBerry researchers reported that Lynx and INC Ransom have used the same email address, gansbronz[at]gmail[.]com, in the domain registration information of their public data leak sites.
In May 2024, INC Ransom operators listed their source code for sale on a dark web forum for $300,000. There is an even chance that Lynx operators purchased the source code and created their own variant. Both Lynx and INC Ransom use the DeviceIoControl API to send control codes to volume devices and delete backup copies.
Various security researchers have reported that the Windows variants of the two families share 40% code similarity and 70.8% similarity in specific functions, while the Linux variants share 91% code similarity and an 87% overall overlap.
Lynx ransomware has been assessed to gain initial access to victim environments via phishing emails with malicious attachments and via valid credentials for administrator accounts, both common tactics in ransomware attacks.
Lynx uses scheduled tasks and registry keys for persistence in compromised environments. Similar to other ransomware operations, Lynx deletes volume shadow copies (backups) and terminates anti-virus tools.
Lynx Ransomware has been reported to use RDP and SMB file share enumeration for lateral movement. Additionally, the group has been reported to spread to other devices within a network through shared content on network shares.
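The behaviours described in the two paragraphs above (shadow copy deletion, scheduled task and registry persistence, anti-virus termination, SMB share enumeration) are all visible in process-creation telemetry. The following is an added example of simple detection logic over constructed log lines; it is not code from Lynx, from any vendor report, or from this page. The specific command lines it looks for (vssadmin, wmic, schtasks, reg add, taskkill, net view/share) are common ransomware tradecraft assumed for illustration, not commands the page attributes to Lynx, and the tab-separated log format is a constructed simplification rather than a real Sysmon or EDR schema.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one matched behaviour on one log line.
type Finding struct {
	Line     int    // 1-based index into the input
	Tactic   string
	Evidence string // the offending command line
}

// rule: every needle must appear (case-insensitively) in the command line.
// The command lines below are common ransomware tradecraft for the behaviours
// this page describes; they are assumptions, not commands the page attributes
// to Lynx. Real detections would also key on parent process and user context.
type rule struct {
	tactic  string
	needles []string
}

var rules = []rule{
	{"backup deletion: shadow copies", []string{"vssadmin", "delete shadows"}},
	{"backup deletion: shadow copies", []string{"wmic", "shadowcopy delete"}},
	{"persistence: scheduled task", []string{"schtasks", "/create"}},
	{"persistence: Run key", []string{"reg add", "currentversion\\run"}},
	{"defence evasion: AV process kill", []string{"taskkill", "msmpeng"}},
	{"discovery: SMB share enumeration", []string{"net view"}},
	{"discovery: SMB share enumeration", []string{"net share"}},
}

// Scan applies every rule to every line. Input lines use a constructed,
// simplified process-creation format "<host>\t<user>\t<command line>", not a
// real Sysmon or EDR schema; malformed lines are skipped rather than failing.
func Scan(lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		parts := strings.SplitN(l, "\t", 3)
		if len(parts) != 3 {
			continue
		}
		cmd := strings.ToLower(parts[2])
		for _, r := range rules {
			matched := true
			for _, n := range r.needles {
				if !strings.Contains(cmd, n) {
					matched = false
					break
				}
			}
			if matched {
				out = append(out, Finding{i + 1, r.tactic, parts[2]})
			}
		}
	}
	return out
}

// SampleLog is constructed input mixing benign activity with the behaviours
// described on the page.
var SampleLog = []string{
	"ws01\tjsmith\tC:\\Windows\\System32\\notepad.exe C:\\Users\\jsmith\\notes.txt",
	"ws01\tadmin\tvssadmin.exe Delete Shadows /All /Quiet",
	"ws01\tadmin\tschtasks /Create /SC ONLOGON /TN Updater /TR C:\\ProgramData\\svc.exe /RL HIGHEST",
	"ws01\tadmin\treg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d C:\\ProgramData\\svc.exe",
	"ws01\tadmin\ttaskkill /F /IM MsMpEng.exe",
	"ws01\tadmin\tnet view \\\\fs01 /all",
	"malformed line without tabs",
	"ws01\tjsmith\tcmd.exe /c dir",
}

func main() {
	for _, f := range Scan(SampleLog) {
		fmt.Printf("line %d  %-34s %s\n", f.Line, f.Tactic, f.Evidence)
	}
}
```

Run against the constructed sample, the scan flags lines 2 through 6 and ignores the benign and malformed lines. Substring rules like these are deliberately loose; in production you would pair them with the parent process (an office application spawning vssadmin is far more suspicious than a backup agent doing so) and alert on the sequence, since shadow copy deletion followed within minutes by share enumeration is the pre-encryption pattern this page describes.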
Lynx Ransomware uses Curve25519 Donna (the curve25519-donna implementation of the X25519 Diffie-Hellman function) for key exchange and AES-128 for file encryption. Both are well-studied, reliable primitives, and in this hybrid design the per-file AES key can only be recomputed by whoever holds the operator’s Curve25519 private key, so encrypted files cannot be recovered from the victim host alone. The ransomware then changes the desktop wallpaper and prints the ransom note on any connected printer it identifies.
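To make the key-exchange-plus-AES scheme concrete, the following is an added example (not Lynx code, and not from any of the reports cited above) of how such a hybrid encryptor and its matching decryptor fit together, using Go’s standard-library X25519 and AES. Everything beyond “X25519 key exchange and AES-128” is an assumption for illustration: the per-file ephemeral key, the SHA-256-based key derivation, the use of CTR mode, and the blob layout with the ephemeral public key and IV prepended are all choices made here, not details the page states about Lynx.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Assumed blob layout: [32-byte ephemeral X25519 pub][16-byte IV][AES-128-CTR ct]
const pubLen, ivLen = 32, aes.BlockSize

// deriveFileKey: 32-byte X25519 shared secret -> 16-byte AES-128 key.
// SHA-256 truncated to 128 bits is an assumption; the page names no KDF.
func deriveFileKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:16]
}

// ctrXOR applies AES-128-CTR; CTR is symmetric, so it both encrypts and decrypts.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// EncryptFile (encryptor side): fresh ephemeral X25519 key per file, ECDH with
// the operator's embedded public key, AES-128-CTR. The ephemeral private key
// is dropped on return, so the victim host cannot recompute the file key.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := ctrXOR(deriveFileKey(shared), iv, plaintext)
	if err != nil {
		return nil, err
	}
	blob := append([]byte{}, eph.PublicKey().Bytes()...)
	blob = append(blob, iv...)
	return append(blob, ct...), nil
}

// DecryptFile (decryptor side): read the ephemeral public key back out of the
// blob, redo ECDH with the operator's private key, rebuild the same AES key.
func DecryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+ivLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return ctrXOR(deriveFileKey(shared), blob[pubLen:pubLen+ivLen], blob[pubLen+ivLen:])
}

// RoundTrip checks the property the scheme exists for: the operator's private
// key recovers the sample, an unrelated key does not.
func RoundTrip() (bool, error) {
	operator, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	stranger, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	sample := []byte("constructed sample document contents") // constructed input
	blob, err := EncryptFile(operator.PublicKey(), sample)
	if err != nil {
		return false, err
	}
	good, err := DecryptFile(operator, blob)
	if err != nil {
		return false, err
	}
	bad, _ := DecryptFile(stranger, blob) // wrong key yields garbage, not an error
	return bytes.Equal(good, sample) && !bytes.Equal(bad, sample), nil
}
```

The point for responders is in the two decrypt calls: the victim-side binary only ever held the operator’s public key and a throwaway ephemeral private key, so memory forensics on the encryptor cannot yield anything that decrypts files, and a wrong private key produces plausible-looking garbage rather than an error. That is also why reports of shared encryption routines between Lynx and INC Ransom are a code-lineage observation rather than a recovery opportunity.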