Lynx is a Ransomware-as-a-Service group that emerged in mid-2024, likely rebranding or repurposing the INC ransomware source code to produce Windows and Linux (including ESXi) variants that use AES-128 CTR with Curve25519 and append a .lynx extension. The group operates via affiliates, practices double extortion through a public leak site, and by August 2025 had claimed nearly 300 victims concentrated in the United States and industries like Manufacturing and Business Services. #Lynx #INC
Keypoints
- Lynx emerged in mid-2024 and is widely believed to be a rebrand or derivative of the INC ransomware family based on significant source code overlap.
- The group operates as a Ransomware-as-a-Service (RaaS) with an affiliate program that provides binaries, a management panel, negotiation chat, and leak site access.
- Lynx employs double extortion: data exfiltration prior to encryption and publication of stolen data on a dedicated leak site.
- Main intrusion vectors include stolen credentials (purchased or from infostealer logs) and phishing, with affiliates also using initial access brokers and malicious downloads.
- Technical capabilities include AES-128 CTR + Curve25519 encryption (appending .lynx), termination of backup/database services, shadow copy deletion, hidden volumes, and cross-platform builds for Windows, Linux, and ESXi.
- Geographic focus is primarily the United States, with significant victims in the UK, Canada, Australia, and Germany; top targeted industries include Manufacturing, Business Services, Technology, and Transportation.
- Mitigations emphasize MFA, phishing defenses, network segmentation, isolated backups, monitoring for early signs (shadow copy deletion, process termination), and rehearsed incident response plans.
MITRE Techniques
- [T1059] Command and Scripting Interpreter — Supports command-line arguments on both platforms (e.g., “…–mode, –esxi…”) to automate encryption, kill processes, or control behavior. Quote: “…–mode, –esxi…”
- [T1134] Access Token Manipulation — Escalates privileges by enabling SeTakeOwnershipPrivilege and taking ownership of file objects to change DACLs for encryption. Quote: “Enabling SeTakeOwnershipPrivilege and taking ownership of file objects”
- [T1068] Exploitation for Privilege Escalation — Attempts to bypass file access restrictions by exploiting privilege escalation opportunities when access checks fail. Quote: “Attempts to bypass file access restrictions by exploiting privilege escalation opportunities”
- [T1203] Exploitation for Client Execution — Uses exploitation techniques to execute code with elevated permissions when access checks fail. Quote: “Client execution attempts when access checks fail”
- [T1490] Inhibit System Recovery — Deletes or resizes Volume Shadow Copies and removes VM snapshots on ESXi to block recovery. Quote: “Deletes or resizes Volume Shadow Copies… removes VM snapshots on ESXi”
- [T1489] Service Stop — Terminates critical services (SQL, Exchange, backup, Veeam) and their dependencies to disrupt recovery mechanisms. Quote: “Terminates critical services (SQL, Exchange, backup, Veeam) and their dependencies”
- [T1057] Process Discovery — Uses CreateToolhelp32Snapshot and iterates processes with Process32FirstW / Process32NextW to identify targets. Quote: “CreateToolhelp32Snapshot… Process32FirstW / Process32NextW”
- [T1049] System Network Connections Discovery — Enumerates system services and remote connections to expand targeting and identify services for termination. Quote: “Enumerates system services and remote connections”
- [T1018] Remote System Discovery — Discovers remote systems and networked resources to identify encryption targets. Quote: “Remote system discovery to identify services for termination”
- [T1005] Data from Local System — Enumerates local files and mounted drives, including hidden volumes loaded with load-drives, before encryption. Quote: “Enumerates local files and mounted drives, including hidden volumes loaded with load-drives”
- [T1083] File and Directory Discovery — Recursively scans directories while avoiding system-critical folders to identify documents and databases for encryption. Quote: “Recursively scans directories, avoiding system-critical folders”
- [T1564.001] Hidden Artifacts — Uses techniques to evade detection, manipulating file access and hiding activities during preparation. Quote: “Uses techniques to evade detection… hiding activities during preparation”
- [T1486] Data Encrypted for Impact — Encrypts files with AES-128 CTR + Curve25519 Donna, appending .lynx and dropping ransom notes (set as wallpaper or printed). Quote: “Encrypts files with AES-128 CTR + Curve25519 Donna… appending .lynx”
- [T1573.001] Encrypted Channel (Symmetric) — Uses AES for symmetric encryption channels in its cryptographic operations. Quote: “Uses AES for secure encryption”
- [T1573.002] Encrypted Channel (Asymmetric) — Uses ECC (Curve25519) and key exchange with SHA512 derivation for asymmetric components of encryption. Quote: “Uses ECC (Curve25519) and AES… key exchange with SHA512 derivation”
- [T1027] Obfuscated Files or Information — Encodes the ransom note in Base64 inside the binary before dropping it in encrypted directories. Quote: “Encodes ransom note in Base64 inside the binary”
Indicators of Compromise
- [File Extension] Encrypted file marker — .lynx (appended to encrypted files)
- [File Names] Ransom artifacts — ransom notes dropped, sometimes set as wallpaper or printed (example: Base64-encoded ransom note inside binary)
- [Cryptography] Encryption schemes observed — AES-128 CTR, Curve25519 Donna, SHA512 key derivation (used in sample binaries)
- [Services/Processes] Targets of termination — SQL, Exchange, Veeam, backup services (observed being stopped by malware)
- [Infrastructure] Leak site and panel usage — public data leak site for victim publication and affiliate management panel with mirrors (example: victim announcements and panel “news” updates)
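The mitigations above call for monitoring the early signs of an intrusion (shadow copy deletion, process and service termination), and the MITRE and IoC lists name what to look for: T1490 shadow copy tampering, T1489 stops of SQL/Exchange/Veeam/backup services, and T1486 files renamed with the .lynx extension. The following detection sketch is an added example, not code from the SOCRadar profile or from any Lynx sample. It runs over constructed Sysmon-like events; the event shape, the host names, the concrete Windows service names (MSSQLSERVER, VeeamBackupSvc, MSExchangeIS) and the thresholds are assumptions for this example, not values from the page.

```python
"""Added detection example for the early warning signs the Lynx profile lists.

Not from the SOCRadar article. Events are constructed in a Sysmon-like shape;
field names, service names and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fragments of the service families the profile says Lynx terminates
# (SQL, Exchange, Veeam, backup). Concrete service names below are assumed.
TARGETED_SERVICE_RE = re.compile(r"veeam|sql|exchange|backup", re.IGNORECASE)
# Built-in Windows tools that manage Volume Shadow Copies.
SHADOW_TOOLS = {"vssadmin.exe", "wmic.exe"}
SHADOW_RE = re.compile(r"shadow", re.IGNORECASE)
# The profile notes both deletion and resizing of shadow copies (T1490).
SHADOW_ACTION_RE = re.compile(r"\b(delete|resize)\b", re.IGNORECASE)
LYNX_EXT = ".lynx"                     # extension from the IoC list
RENAME_BURST_THRESHOLD = 5             # assumed tuning values
RENAME_WINDOW = timedelta(seconds=60)
SERVICE_STOP_THRESHOLD = 2

# Constructed sample telemetry (not real logs). FS01 shows the full pattern;
# WS07 shows benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T02:14:03", "host": "FS01", "type": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-08-01T02:14:05", "host": "FS01", "type": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"ts": "2025-08-01T02:14:09", "host": "FS01", "type": "service_stop", "service": "MSSQLSERVER"},
    {"ts": "2025-08-01T02:14:10", "host": "FS01", "type": "service_stop", "service": "VeeamBackupSvc"},
    {"ts": "2025-08-01T02:14:11", "host": "FS01", "type": "service_stop", "service": "MSExchangeIS"},
    *[{"ts": f"2025-08-01T02:14:{s:02d}", "host": "FS01", "type": "file_rename",
       "target": rf"D:\Shares\Finance\report{i}.xlsx.lynx"}
      for i, s in enumerate((20, 22, 25, 27, 30, 33))],
    # Benign: listing shadows, stopping an unrelated service, a single rename.
    {"ts": "2025-08-01T02:14:03", "host": "WS07", "type": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"ts": "2025-08-01T02:14:04", "host": "WS07", "type": "service_stop", "service": "Spooler"},
    {"ts": "2025-08-01T02:14:20", "host": "WS07", "type": "file_rename", "target": r"C:\tmp\a.txt.lynx"},
    {"ts": "2025-08-01T02:24:20", "host": "WS07", "type": "file_rename", "target": r"C:\tmp\b.txt.lynx"},
]


def detect_shadow_copy_tampering(events):
    """T1490: vssadmin/wmic invoked with a shadow-copy delete or resize."""
    findings = []
    for e in events:
        if e["type"] != "process_create":
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e.get("cmdline", "")
        if image in SHADOW_TOOLS and SHADOW_RE.search(cmd) and SHADOW_ACTION_RE.search(cmd):
            findings.append({"host": e["host"], "rule": "T1490 shadow copy tampering", "evidence": cmd})
    return findings


def detect_backup_service_stops(events, threshold=SERVICE_STOP_THRESHOLD):
    """T1489: several backup/database services stopped on the same host."""
    stopped = defaultdict(set)
    for e in events:
        if e["type"] == "service_stop" and TARGETED_SERVICE_RE.search(e["service"]):
            stopped[e["host"]].add(e["service"])
    return [{"host": h, "rule": "T1489 backup/database service stop", "evidence": sorted(s)}
            for h, s in stopped.items() if len(s) >= threshold]


def detect_lynx_rename_burst(events, threshold=RENAME_BURST_THRESHOLD, window=RENAME_WINDOW):
    """T1486: a burst of renames to .lynx within a sliding time window per host."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and e["target"].lower().endswith(LYNX_EXT):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"host": host, "rule": "T1486 .lynx rename burst",
                                 "evidence": f"{end - start + 1} renames within {window.seconds}s"})
                break                                    # one alert per host is enough
    return findings


def run_detections(events):
    return (detect_shadow_copy_tampering(events)
            + detect_backup_service_stops(events)
            + detect_lynx_rename_burst(events))


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f["host"], f["rule"], f["evidence"])
```

The three detectors are deliberately independent so each can be tuned or fed from a different log source; in practice the rename-burst rule is the noisiest to calibrate and the shadow copy rule the most reliable early signal, which is why the profile's mitigations single out shadow copy deletion.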
Read more: https://socradar.io/dark-web-profile-lynx-ransomware/