The Lynx ransomware group is one of the most notorious cybercrime collectives that surfaced in mid-2024. It is believed to be a rebranded version of the previously known INC ransomware group. Operating under a Ransomware-as-a-Service (RaaS) model, Lynx has introduced an even more advanced set of tools, encryption techniques, and operational strategies, making it a power player in the world of cybercrime.
Lynx ransomware first appeared in the cybersecurity community in July 2024, marking its entry as a successor to the INC ransomware group. While ransomware has been a persistent problem for years, Lynx stands out due to its strong encryption methods, refined affiliate program, and structured operations. It operates under the RaaS model, providing affiliate hackers with all the necessary tools to execute ransomware attacks. This approach ensures that those with little technical expertise in ransomware development can still engage in high-profile cyber extortion activities.
By operating as a RaaS, Lynx ransomware reduces the barrier to entry for cybercriminals, enabling individuals and groups with limited technical skills to launch damaging attacks against organizations. In return, Lynx affiliates receive up to 80% of the ransom proceeds, incentivizing recruitment and expanding the reach of the group’s activities. The group’s operations are also supported by a comprehensive platform, which provides binaries for Windows, Linux, and ESXi systems, with coverage for a variety of architectures, including ARM, MIPS, and PPC. This compatibility ensures that Lynx ransomware can infiltrate and impact a wide range of environments and organizations.
Operational Security and Targeted Sectors
Lynx ransomware’s operational security (OpSec) is impressive. The group’s infrastructure and operations are designed with a high level of secrecy and resilience. In August 2024, one of Lynx’s operators posted a recruitment advertisement on RAMP (a popular forum used by cybercriminals), specifically targeting experienced penetration testing teams. The recruitment notice outlined the group’s operating regions, stating that Lynx would avoid targeting countries in the Commonwealth of Independent States (CIS), Ukraine, China, Iran, and North Korea. Additionally, Lynx affiliates were instructed not to target healthcare institutions, government agencies, churches, or children’s charities, focusing on maximizing profit by targeting less protected industries.
This selective approach to targets suggests that the group is strategically calculating where it can cause the most disruption and generate the highest returns. By deliberately excluding certain regions and sectors, Lynx likely aims to maintain a level of plausible deniability and avoid drawing too much attention from law enforcement or international agencies.
The group is not limited to one sector; rather, it casts a wide net, affecting various industries and critical infrastructures across the globe. Industries such as aerospace and defense, automotive, energy and utilities, healthcare, and telecommunications are some of the primary targets. Governments and law enforcement agencies are also among the potential victims of Lynx’s campaigns.
Encryption and Post-Encryption Behavior
Like many modern ransomware variants, Lynx utilizes robust encryption methods to lock down its victims’ data. It employs Curve25519 Donna for key exchange and AES-128 for file encryption, two cryptographic techniques known for their strength and reliability. AES-128 is particularly effective because it ensures that even if the encrypted data is recovered, decrypting it without the proper keys is computationally infeasible.
Once the ransomware encrypts the files, it performs the standard post-encryption steps: changing the desktop wallpaper to display a ransom note and printing that same note on any connected printers. This extra step amplifies the pressure on victims, making it harder to ignore the attack. The ransom note provides clear instructions on how to pay the ransom in exchange for the decryption key; until that key is obtained, the encrypted data remains inaccessible.
Lynx’s focus on operational efficiency extends to its attack methods, making it one of the more successful ransomware operations in recent memory. The group’s dedication to ensuring its affiliates have access to the right tools, including preconfigured malware packages, is a key component of its success.
The Double-Extortion Tactic
Lynx operates with a “double-extortion” strategy, a hallmark of many modern ransomware attacks. In this model, the attackers not only encrypt data but also exfiltrate sensitive information, which they threaten to release publicly unless the victim agrees to pay the ransom. The stolen data is then exposed on the group’s dedicated leak site, adding another layer of pressure on the victim to comply with the ransom demands.
This tactic creates a vicious cycle for victims. If they refuse to pay, they risk the public exposure of confidential or proprietary data, which can have serious reputational and financial consequences. Organizations facing such a threat may feel compelled to comply with the ransom demand to avoid the fallout from a public data leak, even if they have secure backups and other recovery mechanisms in place.
Geographical Reach and Victim Impact

Cyble Vision Threat Library (Source: Cyble Vision)
Lynx ransomware has shown a broad geographical reach, affecting organizations across several continents. Countries such as the United States, United Kingdom, Germany, Canada, France, Spain, and South Korea have been frequent targets of the group’s campaigns. In total, over 20 countries have fallen victim to Lynx attacks, spanning a variety of regions from Europe to Asia and the Americas.
The industries impacted by Lynx ransomware are also diverse, encompassing sectors ranging from agriculture and food and beverages to critical infrastructure, manufacturing, and technology. This widespread targeting highlights the indiscriminate nature of the group’s activities and its ability to adapt to a variety of environments.
Lynx’s expansion is supported by its use of sophisticated malware families and attack vectors, such as phishing emails, malicious downloads, and hacking forums. These methods allow the group to gain access to a victim’s system, ensuring that the ransomware can spread effectively within compromised networks.
Malware Families and Techniques
Lynx utilizes a variety of tactics and techniques to infiltrate systems and maintain access. The attack lifecycle typically begins with initial access through phishing emails or leveraging compromised credentials (e.g., pass-the-hash or brute-force attacks). Once inside, Lynx actors execute their payload, often using PowerShell or Python to run commands that deliver the ransomware payload to the target machine.
After executing the malicious code, Lynx works to maintain persistence by modifying system settings such as registry keys or creating scheduled tasks that ensure the ransomware remains active even after system reboots. The group’s use of privilege escalation methods, like access token manipulation, further allows it to gain control over the system and expand its reach within the network.
Defense evasion is also a key component of Lynx’s strategy. The group uses file obfuscation and clears Windows event logs to avoid detection by security software, ensuring that its activities remain hidden for as long as possible. It also uses techniques like bypassing User Account Control (UAC) to gain administrative privileges and ensure uninterrupted access to the target system.
Once the ransomware is fully deployed, Lynx focuses on data exfiltration. This often occurs over command-and-control (C2) channels, where the group transfers stolen data to external servers. As a result, not only are organizations faced with the encryption of their data but also with the risk of sensitive information being leaked or sold on underground forums.
Conclusion
Lynx ransomware is a highly advanced cyber threat, using a ransomware-as-a-service (RaaS) model and double-extortion tactics to target organizations globally. Its strong encryption methods and broad reach make it a challenge for businesses to defend against.
To combat threats of this level, understanding the tactics used by groups like Lynx is crucial. Organizations can enhance their defense with early detection, strong access controls, and proactive threat hunting.
Cyble plays a key role in helping businesses stay protected from these threats. With advanced AI-driven platforms like Cyble Vision and Cyble Hawk, Cyble provides real-time threat intelligence, vulnerability management, and monitoring, empowering organizations to protect against cyberattacks and ransomware, including those from groups like Lynx.
Defensive Measures and Recommendations
To protect against the threat posed by Lynx ransomware, organizations should prioritize early detection and strong access controls.
- Use multi-factor authentication (MFA) to access critical systems.
- Ensure regular patching of vulnerabilities to protect against exploits.
- Conduct continuous threat monitoring to detect potential attacks early.
- Implement a comprehensive backup strategy to recover data in case of an attack.
- Isolate critical systems through network segmentation to prevent lateral spread of ransomware.
- Regularly back up important files offline to avoid paying the ransom.
- Stay informed about emerging ransomware variants like Lynx.
- Invest in proactive defense mechanisms to strengthen cybersecurity and reduce the risk of attacks.
MITRE ATT&CK Techniques Associated with Lynx Ransomware Group
MITRE ATT&CK (Source: Cyble Vision)
Initial Access
- Domain Accounts (T1078.002): Observed NTLM and Kerberos authentication attempts using administrative credentials.
Execution
- Scheduled Task (T1053.005): Lynx creates scheduled tasks to maintain persistence and execute on system startup or at intervals.
- Command and Scripting Interpreter (T1059): Abuses command/script interpreters to execute commands and scripts on various platforms.
Persistence
- Scheduled Task (T1053.005): Maintains persistence by creating scheduled tasks.
- Domain Accounts (T1078.002): Observed NTLM and Kerberos authentication attempts using administrative credentials.
- Registry Run Keys / Startup Folder (T1547.001): Adds programs to startup folders or registry run keys to execute at login.
- Modify Authentication Process (T1556): Uses phishing to deceive users into downloading malicious files.
Privilege Escalation
- Scheduled Task (T1053.005): Creates tasks to ensure execution.
- Domain Accounts (T1078.002): Uses administrative credentials for escalation.
- Access Token Manipulation (T1134): Modifies access tokens to escalate privileges.
- Registry Run Keys / Startup Folder (T1547.001): Adds entries to startup folders for persistence.
- Bypass User Account Control (T1548.002): Bypasses UAC to execute with elevated privileges.
Defense Evasion
- Obfuscated Files or Information (T1027): Uses obfuscation to evade detection.
- Match Legitimate Name or Location (T1036.005): Disguises malicious files by mimicking legitimate system files.
- Clear Windows Event Logs (T1070.001): Clears event logs to hide intrusion activity.
- File Deletion (T1070.004): Deletes files like backups and logs to hinder analysis.
- Access Token Manipulation (T1134): Modifies tokens to escalate privileges.
- Deobfuscate/Decode Files or Information (T1140): Decodes payloads at runtime to evade detection.
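The attack lifecycle described under "Malware Families and Techniques" and the ATT&CK mapping above share a small set of Windows telemetry that a defender can hunt for: administrative domain logons (T1078.002), scheduled task creation (T1053.005), Run-key modification (T1547.001) and clearing of the Security log (T1070.001). The script below is an added example written for this article, not code from Cyble, Cyble Vision or the Lynx operators. It assumes a simplified `EventID|Field=Value;...` record format, a constructed set of log lines, and a constructed list of privileged accounts; the event IDs (4624, 4698, 4657, 1102) are the standard Windows Security-log IDs, and the extra step it shows is correlating several techniques to one account, which is the pattern a hands-on-keyboard ransomware deployment leaves behind.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry). Format:
#   <EventID>|<Field>=<Value>;<Field>=<Value>;...
SAMPLE_LOG = [
    r"4624|Account=CORP\jdoe;LogonType=2;AuthPackage=Kerberos;Source=10.0.0.5",
    r"4624|Account=CORP\Administrator;LogonType=3;AuthPackage=NTLM;Source=10.0.0.77",
    r"4698|Account=CORP\Administrator;TaskName=\Microsoft\Windows\UpdateHelper;Command=C:\Users\Public\svchost.exe",
    r"4657|Account=CORP\Administrator;Key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run;Value=Updater;Data=C:\Users\Public\svchost.exe",
    r"4657|Account=CORP\jdoe;Key=HKCU\Software\Contoso\Settings;Value=Theme;Data=Dark",
    r"1102|Account=CORP\Administrator;Log=Security",
]

# Assumed list of privileged domain accounts; in practice this comes from AD group membership.
ADMIN_ACCOUNTS = {r"CORP\Administrator"}

# Matches the autostart locations behind T1547.001.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)


def parse_event(line):
    """Split one record into a dict of fields plus an integer EventID."""
    event_id, _, rest = line.partition("|")
    fields = {}
    for pair in rest.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    fields["EventID"] = int(event_id)
    return fields


# Each rule: (ATT&CK technique ID, name, predicate over a parsed event).
def is_admin_network_logon(ev):
    # 4624 logon type 3 = network logon; NTLM/Kerberos with an admin account.
    return (ev["EventID"] == 4624 and ev.get("LogonType") == "3"
            and ev.get("AuthPackage") in ("NTLM", "Kerberos")
            and ev.get("Account") in ADMIN_ACCOUNTS)


def is_scheduled_task_creation(ev):
    return ev["EventID"] == 4698  # "A scheduled task was created"


def is_run_key_modification(ev):
    return ev["EventID"] == 4657 and bool(RUN_KEY_RE.search(ev.get("Key", "")))


def is_log_cleared(ev):
    return ev["EventID"] == 1102  # "The audit log was cleared"


RULES = [
    ("T1078.002", "Valid Accounts: Domain Accounts", is_admin_network_logon),
    ("T1053.005", "Scheduled Task", is_scheduled_task_creation),
    ("T1547.001", "Registry Run Keys / Startup Folder", is_run_key_modification),
    ("T1070.001", "Clear Windows Event Logs", is_log_cleared),
]


def detect(lines):
    """Return one finding per (event, matching rule)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for technique, name, predicate in RULES:
            if predicate(ev):
                findings.append({"technique": technique, "name": name,
                                 "event_id": ev["EventID"],
                                 "account": ev.get("Account")})
    return findings


def summarize(findings):
    """Count hits per technique ID."""
    return Counter(f["technique"] for f in findings)


def accounts_with_chain(findings, min_techniques=3):
    """Accounts that triggered at least min_techniques distinct techniques.

    A single account moving through access, persistence and log clearing is
    far more significant than any one of those events alone.
    """
    per_account = defaultdict(set)
    for f in findings:
        per_account[f["account"]].add(f["technique"])
    return {acct for acct, techs in per_account.items() if len(techs) >= min_techniques}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h['technique']:10} {h['name']:40} event {h['event_id']} by {h['account']}")
    print("per technique:", dict(summarize(hits)))
    print("accounts with a technique chain:", accounts_with_chain(hits))
```

The per-event rules on their own are noisy (administrators legitimately create tasks and clear logs); the value is in `accounts_with_chain`, which raises an alert only when one principal is seen across several of the tactics the ATT&CK list groups together. Adapting this to real data means reading the same fields from Windows Event Forwarding or a SIEM export rather than the constructed lines.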