20+ Victims and Counting: Lynx Ransomware’s Swift Rise

Lynx Ransomware
The Tor site of Lynx | Image: Rapid7

In a recent report from Rapid7 Labs, the Lynx ransomware group has emerged as a new threat in the ever-evolving landscape of cybercrime. Identified in July 2024, Lynx has already claimed more than 20 victims across various industry sectors. While the group portrays itself as “ethical” in its victim selection, avoiding targets like hospitals and governmental institutions, their actions tell a different story.

Lynx’s press release, dated July 24th, 2024, sets an unusual tone for a ransomware group. They claim that financial gain drives them, but they take great care to avoid harming essential societal organizations like non-profits, hospitals, and government institutions. The group even emphasizes that they maintain an ethical stance, raising questions about the blurred lines in ransomware motivations.

However, despite this “ethical” posturing, Lynx employs both single and double extortion techniques to pressure victims into compliance. After encrypting files, they leak sensitive data on their public blog if ransoms aren’t paid, tarnishing their claims of limiting harm.

When Lynx strikes, victims are greeted by a familiar sight—a readme.txt file that leads them to a Tor-hosted portal. Victims are provided with a unique ID to log in and initiate communication with the group. Additionally, Lynx runs a public blog and leaks page, highlighting their victims and publicly displaying stolen data to compel ransom payments.

Through detailed analysis, Rapid7 found that the Lynx ransomware group shares similarities with another notorious strain, INC ransomware. The report suggests that Lynx may have purchased the source code from INC, with a binary diff analysis showing a 48% similarity overall and a 70.8% function overlap between the two. Despite these overlaps, there’s no definitive proof that Lynx ransomware is derived directly from INC’s code, leaving the true origins of Lynx somewhat unclear.

Lynx’s operational sophistication is apparent in its execution. Rapid7’s analysis uncovered key functionalities that make this ransomware a formidable threat:

  • Process and Service Management: Lynx terminates system processes that might interfere with the encryption, particularly targeting backup services. It uses Windows APIs to stop services and ensure the smooth execution of its encryption process.
  • Shadow Copy Deletion: Like many modern ransomware strains, Lynx deletes volume shadow copies, rendering standard backup methods useless and making recovery harder without paying the ransom.
  • File Encryption: Lynx targets not only local files but also network shares and hidden drives. The ransomware can be configured to focus on specific files or directories, increasing the precision of the attack. This capability allows attackers to maximize the impact on a victim’s network, further enforcing the extortion efforts.

As organizations grapple with these threats, investing in robust cybersecurity measures and staying informed about the latest ransomware techniques is crucial.

Related Posts: