Keypoints
- Lynx discovered July 2024, reuses substantial INC ransomware code.
- Targets multiple sectors (retail, real estate, architecture, financial services) in the U.S. and UK.
- Delivery via phishing emails, malicious downloads, and hacking forums; operates as RaaS and uses double-extortion (exfiltrate then encrypt).
- Technical payload: Windows C++ binary using AES-128 in CTR mode and Curve25519 Donna; encrypted files get the .lynx extension.
- Runtime arguments allow selective behavior: designate directories, encrypt network shares, mount hidden drives, terminate services/processes, enable verbose logging, and modify background images.
- Operational behavior includes scanning and mounting drives, killing backup/related processes, deleting shadow copies, using Restart Manager API to access locked files, and printing a report via Microsoft OneNote after encryption.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – Cited by the article as the initial access/communication vector: ‘Phishing emails used to deceive users into revealing sensitive information.’
- [T1203] Exploitation for Client Execution – Malicious downloads were used to install the ransomware: ‘Malicious downloads that install ransomware onto victims’ systems.’
- [T1041] Exfiltration Over Command and Control Channel – Data is exfiltrated prior to encryption for leverage: ‘Data exfiltration prior to encryption for double extortion.’
- [T1486] Data Encrypted for Impact – The payload encrypts files to deny access: ‘Data encrypted to render it inaccessible to victims.’
Indicators of Compromise
- [File Hashes] Lynx Windows EXE samples – 571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b, eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc (and 1 more)
- [File Hashes] INC Windows EXE samples – 02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461, 05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9 (and many more)
- [Domains / Leak Site] Public leak site and blog – lynxblog[.]net; multiple Tor leak/chat onion URLs such as lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion
- [Email] Contact address from ransom note – martina.lestariid1898@proton[.]me
- [File/Extension] Encrypted file marker and ransom note – .lynx extension on encrypted files; README.txt ransom note containing Base64-encoded content
Lynx samples analyzed are Windows C++ binaries that perform full-disk and network-share encryption using AES-128 in CTR mode combined with Curve25519 (Donna) for key exchange. On execution, the binary accepts command-line arguments to control behavior (e.g., target directories, enable verbose logging, encrypt network shares, mount hidden volumes). If no arguments are provided, it defaults to encrypting all accessible files and drives and removes shadow copies and backup partitions to hinder recovery. Encrypted files receive a .lynx extension, and the malware drops a README.txt ransom note (often embedded, base64-encoded, inside the binary).
Before encrypting data, Lynx enumerates drive letters, attempts to mount and access volumes, and kills known backup/agent processes (examples include Veeam and other listed services) to unlock files. The sample uses the Restart Manager API (RstrtMgr) to identify and terminate or restart applications holding file handles so it can encrypt in-use files; after completing encryption it attempts to generate/send a report through Microsoft OneNote as part of its post-encryption routine.
Operationally the group pairs encryption with data theft (exfiltration) for double extortion and publishes stolen data on a public leak site and Tor mirrors. Analysts noted PDB paths including “Lynx” confirming attribution to the variant; code comparison with INC shows substantial reuse, and IOCs include multiple SHA256 hashes, onion URLs for the leak/chat sites, and the contact email address embedded in ransom notes.
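As an added example (not code from the Unit 42 report or from the malware), the following host-triage scanner applies the file-level indicators listed above to a directory tree: the .lynx extension on encrypted files, a README.txt whose body is a single Base64 blob, and executables whose SHA256 matches the quoted sample hashes. The sample tree it builds is constructed for the dry run and contains no real malware artefacts; the hash list is copied from the IoC section above.

```python
import base64, hashlib, os, tempfile
from pathlib import Path

# SHA256 values quoted in the IoC list above (Lynx and INC Windows EXE samples).
KNOWN_HASHES = {
    "571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b",
    "eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc",
    "02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461",
    "05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9",
}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_base64(data: bytes) -> bool:
    """True when the whole note body is one Base64 blob (the README.txt trait above)."""
    blob = b"".join(data.split())  # tolerate line wrapping, reject anything else
    try:
        return bool(blob) and base64.b64decode(blob, validate=True) is not None
    except ValueError:  # binascii.Error: stray characters or bad padding
        return False

def scan_tree(root: Path) -> dict:
    """Walk a tree and collect the three file-level indicators from the report."""
    findings = {"encrypted": [], "notes": [], "hash_hits": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".lynx":
            findings["encrypted"].append(rel)
        elif path.name.lower() == "readme.txt" and looks_base64(path.read_bytes()):
            findings["notes"].append(rel)
        elif path.suffix.lower() in {".exe", ".dll"} and sha256_of(path) in KNOWN_HASHES:
            findings["hash_hits"].append(rel)
    return findings

def demo() -> dict:
    """Constructed sample tree (no real malware artefacts); returns scan_tree() output."""
    samples = {
        "docs/budget.xlsx.lynx": os.urandom(64),                         # encrypted file
        "docs/README.txt": base64.b64encode(b"constructed ransom note"),  # encoded note
        "tools/setup.exe": b"benign installer bytes, hash not in IoC list",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        return scan_tree(root)
```

Run `demo()` for the dry run, or point `scan_tree()` at a mounted image or share; the hash check only fires on a byte-exact match, so it complements rather than replaces the extension and note checks.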
Read more: https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/