Lynx ransomware, a rebranded and advanced variant of INC ransomware, operates as a Ransomware-as-a-Service (RaaS) model employing sophisticated tactics like double extortion and advanced encryption. It has targeted various industries in the U.S. and UK, demonstrating high adaptability and notable cyber incidents. The article discusses its origins, tactics, and defense strategies required to combat this growing cybersecurity threat.
Affected: U.S. and UK industries including retail, real estate, finance, energy, law services.
Affected: U.S. and UK industries including retail, real estate, finance, energy, law services.
Keypoints :
- Lynx ransomware is a rebranded version of the INC ransomware, detected in mid-2024.
- It operates under a Ransomware-as-a-Service (RaaS) model.
- The ransomware has targeted multiple industries, particularly in the U.S. and UK.
- Notable cyber incidents include attacks on Electrica Energy Supplier and Hunter Taubman Fischer & Li LLC.
- The ransomware employs double extortion tactics by encrypting data and threatening public release.
- Advanced tactics include process discovery, service termination, and privilege escalation.
- Defensive strategies involve regular software updates, robust backup solutions, and endpoint protection.
MITRE Techniques :
- MITRE T1057 β Process Discovery: Lynx creates snapshots of running processes using CreateToolhelp32Snapshot.
- MITRE T1489 β Service Stop: It terminates processes by using OpenProcess and TerminateProcess to disable critical services.
- MITRE T1049 β System Network Connections Discovery: The ransomware enumerates running services to identify and disrupt critical systems.
- MITRE T1018 β Remote System Discovery: Lynx performs discovery to identify remote system connections to target.
- MITRE T1486 β Data Encrypted for Impact: During its operation, data is systematically encrypted to exert pressure on victims.
- MITRE T1587.001 β Develop Capabilities: Malware: The ransomware enhances its capabilities, utilizing advanced function calls for encrypting files.
- MITRE T1068 β Exploitation for Privilege Escalation: Lynx employs privilege escalation tactics to gain access to restricted files.
- MITRE T1203 β Exploitation for Client Execution: Techniques are utilized to exploit vulnerabilities in client software to execute attacks.
- MITRE T1106 β Native API: It utilizes Windows APIs for operations such as process termination and file encryption.
- MITRE T1573.001 β Encrypted Channel: Symmetric Cryptography: Implements elliptic curve cryptography and AES for secure encryption.
- MITRE T1573.002 β Encrypted Channel: Asymmetric Cryptography: Uses asymmetric methods for key exchange in the encryption process.
- MITRE T1027 β Obfuscated Files or Information: The malware uses obfuscation to hide its presence and evade detection.
- MITRE T1083 β File and Directory Discovery: Lynx systematically discovers files and directories to encrypt.
Indicator of Compromise :
- [SHA-256] 001938ED01BFDE6B100927FF8199C65D1BFF30381B80B846F2E3FE5A0D2DF21D
- [SHA-256] 0260258F6F083AFF71C7549A6364CB05D54DD27F40CA1145E064353DD2A9E983
- [SHA-256] 06F10C935FAE531E070C55BDE15EE3B48B6BB289AF237E96EEC82124C19D1049
- [SHA-256] 0E4246409CDAD59E57C159C7CC4D75319EDF7D197BC010174C76FE1257C3A68E
- [MD5] 4DAFCA5A87F41610568B206F8BBB35A6
Full Story: https://www.picussecurity.com/resource/blog/lynx-ransomware