Lynx Ransomware: INC Ransomware Reincarnated

The Lynx ransomware group is a financially motivated threat actor operating under a Ransomware-as-a-Service (RaaS) model. Emerging as a successor to the INC ransomware group in July 2024, Lynx has demonstrated a sophisticated double-extortion approach, targeting organizations across various sectors in the U.S. and UK.

    Overview

    The Lynx ransomware group is a financially motivated threat actor operating under a Ransomware-as-a-Service (RaaS) model. Emerging as a successor to the INC ransomware group in July 2024, Lynx has demonstrated a sophisticated double-extortion approach, targeting organizations across various sectors in the U.S. and UK. A significant portion of Lynx’s source code is derived from INC ransomware, highlighting a trend of code reuse within the criminal underground. Their operations are characterized by data exfiltration prior to encryption, followed by the publication of stolen data on a leak site if ransom demands are not met. The group claims to avoid targeting government institutions, hospitals, and non-profit organizations.

    Known Aliases

    • Lynx Ransomware (Primary Alias)
    • INC Ransomware (Previous Alias)

    Country of Origin

    The country of origin of Lynx (also known as INC) ransomware is currently unknown.

    Most Recent Attacks of Lynx Ransomware

    Lynx ransomware has been linked to several significant attacks since its emergence, targeting a range of industries:

    • Multiple U.S. Utilities (July–November 2024): Several utility companies across the United States, including those in the energy, oil, and gas sectors, were targeted. These attacks caused significant operational disruptions and exposed vulnerabilities in critical infrastructure. Specific victim names were not publicly released.
    • Zamzows, Inc. (February 2025): A family-owned lawn, garden, and pet supply retailer in Idaho experienced a data breach and data exfiltration. Attackers provided evidence of stolen data.
    • CONAD Retail Chain (January 2025): One of Italy’s largest retail chains suffered a cyberattack resulting in the compromise of internal documents and some employee information, although the company claimed the majority of data was not sensitive.
    • Hunter Taubman Fischer & Li LLC (January 2025): A U.S.-based law firm specializing in corporate and securities law was breached, leading to the compromise of sensitive client information.

    MITRE ATT&CK Tactics and Techniques of Lynx Ransomware

    Lynx ransomware employs the following MITRE ATT&CK tactics and techniques:

    • Initial Access: T1566.001 (Phishing), likely T1195 (Drive-by Compromise).
    • Execution: T1204.002 (User Execution), potentially T1059.001 (Command and Scripting Interpreter), T1547.001 (Software Deployment).
    • Persistence: Potentially T1070.001 (Boot or Logon Autostart Execution), T1547.001 (Software Deployment).
    • Exfiltration: T1020 (Data Encrypted for Impact), T1005 (Data from Local System), T1041 (Exfiltration Over C2).
    • Command and Control (C2): Specific techniques unknown.
    • Impact: T1486 (Data Encrypted for Impact), T1490.002 (Data Staged), T1005 (Data from Local System).

    Lynx Ransomware Attack Method

    The Lynx ransomware employs a sophisticated attack method with several key stages:

    1. Execution and Command-Line Arguments: The ransomware is executed using command-line arguments that allow attackers granular control over the encryption process. These options include:

    • --file <filePath>: Encrypting only specified files.
    • --dir <dirPath>: Encrypting only specified directories.
    • --mode {fast, medium, slow, entire}: Controlling the percentage of each file encrypted (5%, 15%, 25%, or 100%). The default is 15%.
    • --help: Displaying help information.
    • --verbose: Enabling verbose output.
    • --silent: Enabling silent encryption (no file extension or ransom note added).
    • --stop-processes: Attempting to stop processes using the Restart Manager.
    • --encrypt-network: Encrypting network shares.
    • --load-drives: Loading hidden drives (this action can corrupt the boot loader).
    • --hide-cmd: Hiding the console window.
    • --no-background: Preventing the changing of the desktop background image.
    • --no-print: Preventing the printing of the ransom note.
    • --kill: Killing specified processes and services.
    • --safe-mode: Attempting to enter safe mode.

    2. Process and Service Termination: Lynx ransomware prioritizes maximizing damage by terminating processes and services containing specific keywords:

    • Processes containing: SQL, Veeam, Backup, Exchange, Java, Notepad
    • Services containing: SQL, Veeam, Backup, Exchange

    This action targets common backup and database applications to hinder recovery efforts.

    3. File Encryption: The ransomware encrypts files, adding the “.LYNX” extension. It avoids encrypting files within specific folders (Windows, Program Files, Program Files (x86), $RECYCLE.BIN, Appdata) and files with certain extensions (.exe, .msi, .dll, .lynx).

    4. Post-Encryption Actions: After encryption, Lynx performs several actions:

    • Empties the Recycle Bin.
    • Mounts drives for encryption.
    • Deletes shadow copies (volume shadow copies).
    • Changes the desktop wallpaper to display the ransom note.
    • Prints the ransom note to connected printers (if enabled).

    5. Ransom Note Delivery: The ransom note (“README.txt”) directs victims to a Tor-based chat site for communication and payment instructions. Older samples used a slightly different ransom note with different Tor sites and email addresses. The Tor site requires registration with a unique ID before communication can begin.
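    The two behaviours above that a defender can look for most cheaply are the encryptor's own switches on a process-creation event and the keyword-based stopping of backup and database services; this added Python example (not code from the profile or any product) scores constructed command lines and Service Control Manager messages against them. The event wording, the weights and the alert threshold are assumptions, not something the profile specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Command-line switches documented for the Lynx encryptor in the profile above.
LYNX_FLAGS = {
    "--file", "--dir", "--mode", "--help", "--verbose", "--silent",
    "--stop-processes", "--encrypt-network", "--load-drives", "--hide-cmd",
    "--no-background", "--no-print", "--kill", "--safe-mode",
}
# Switches with little legitimate use outside a destructive run; weighted higher.
HIGH_RISK_FLAGS = {"--silent", "--stop-processes", "--encrypt-network",
                   "--load-drives", "--kill", "--safe-mode"}
MODE_RE = re.compile(r"--mode\s+(fast|medium|slow|entire)\b")
KILL_KEYWORDS = ("sql", "veeam", "backup", "exchange")  # names Lynx terminates
# Service Control Manager wording for a service stop (assumed message format).
SERVICE_STOP_RE = re.compile(r"The (.+?) service entered the stopped state", re.I)

@dataclass
class Finding:
    flags: set
    mode: Optional[str]
    score: int

def score_command_line(cmdline: str) -> Finding:
    """Each matched switch scores 1, high-risk switches 2 more, a --mode value 1."""
    lowered = cmdline.lower()
    flags = set(lowered.split()) & LYNX_FLAGS
    mode = m.group(1) if (m := MODE_RE.search(lowered)) else None
    score = len(flags) + 2 * len(flags & HIGH_RISK_FLAGS) + (1 if mode else 0)
    return Finding(flags, mode, score)

def service_stop_hits(messages: List[str]) -> List[str]:
    """Names of stopped services matching the kill keywords; a burst precedes encryption."""
    hits = []
    for msg in messages:
        m = SERVICE_STOP_RE.search(msg)
        if m and any(k in m.group(1).lower() for k in KILL_KEYWORDS):
            hits.append(m.group(1))
    return hits

def triage(cmdlines: List[str], threshold: int = 3) -> List[Finding]:
    """Keep findings at/above threshold (3 = one high-risk switch); --dir --verbose alone stays below."""
    return [f for f in map(score_command_line, cmdlines) if f.score >= threshold]

if __name__ == "__main__":  # constructed sample events, not from a real incident
    cmds = [r"C:\Users\jdoe\AppData\Local\Temp\update.exe --dir \\fs01\finance --mode entire --encrypt-network --kill",
            r"C:\Tools\backup.exe --dir D:\data --verbose"]
    scm = ["The Veeam Backup Service service entered the stopped state.", "The Print Spooler service entered the stopped state."]
    print([(f.score, f.mode, sorted(f.flags)) for f in triage(cmds)], service_stop_hits(scm))
```

Generic switches such as --dir, --file, --help and --verbose are shared with many legitimate tools, so they score low on their own; the combination with a high-risk switch or a --mode value is what lifts an event over the threshold.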

    Common Methods of Infiltration Used by Lynx Ransomware

    • Phishing Emails: Deceptive emails designed to trick users into revealing sensitive information or downloading malicious attachments.
    • Malicious Downloads: Compromised websites or links leading to the download and installation of the ransomware.
    • Exploitation of Vulnerabilities: Exploits vulnerabilities, including zero-days, given the sophistication of the group.

    Malware/Ransomware Strain(s) Used by Lynx Ransomware

    • Lynx Ransomware (Primary)
    • The group’s activities are a direct continuation of the INC ransomware group.

    IOCs (Indicators of Compromise) of a Lynx Ransomware Attack

    SHA256 hashes as Indicators of Compromise (IOCs) associated with the Lynx ransomware:


    These hashes can be used by security tools to detect and block the Lynx ransomware. Note that new variants may emerge with different hashes.
