Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware. It targets organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates under a ransomware-as-a-service model. Lynx employs double extortion tactics, exfiltrating data before encryption. The group uses various delivery mechanisms, including phishing emails and malicious downloads. Technical analysis reveals the use of the AES-128 and Curve25519 encryption algorithms, with a .lynx extension appended to encrypted files. The ransomware terminates specific processes, encrypts network drives, and uses the Restart Manager API to target locked files. Comparison with INC ransomware shows a 70.8% overlap in shared functions, indicating code reuse.

Author: AlienVault

Related Tags: double extortion, INC ransomware, Lynx ransomware, Architecture, T1078.003, T1569.002, encryption, T1070.004, T1070.001

Associated Indicators: