
Command-line options of the Linux version of Lynx ransomware | Source: Group-IB
A new report by Group-IB has unveiled the sophisticated operations of Lynx Ransomware-as-a-Service (RaaS), a criminal network that combines a highly organized affiliate program with advanced ransomware capabilities to target businesses worldwide. The report details Lynx’s infrastructure, technical arsenal, and strategies for ransomware deployment and victim extortion.
According to Group-IB, Lynx distinguishes itself from other ransomware groups through its structured ecosystem, which offers affiliates tools for managing attacks efficiently. Fernando Ortega, a Malware Researcher at Group-IB, highlights: “Lynx has emerged as a formidable RaaS operator by combining a versatile arsenal of ransomware builds, a structured affiliate ecosystem, and systematic extortion tactics.”
Key findings from the report include:
- Structured Affiliate Panel:
The Lynx panel is divided into sections like “News,” “Companies,” “Chats,” “Stuffers,” and “Leaks,” enabling affiliates to:
  - Manage victim profiles.
  - Generate customized ransomware builds.
  - Schedule data leak publications on their Dedicated Leak Site (DLS).
- Cross-Platform Arsenal:
Lynx provides affiliates with a comprehensive “All-in-One Archive”, featuring ransomware builds for Windows, Linux, and ESXi systems. These builds support a range of architectures, including ARM, MIPS, PPC, and more, ensuring maximum reach and impact in diverse network environments.
- Encryption Customization:
Affiliates can choose from multiple encryption modes (fast, medium, slow, entire), allowing them to trade encryption speed against the amount of data encrypted per file. The use of Curve25519 Donna and AES-128 encryption underscores Lynx’s emphasis on robust cryptography.
- Double Extortion Tactics:
Stolen data is exposed on Lynx’s DLS if victims fail to pay the ransom, adding pressure to comply. The report highlights, “The dedicated leak site (DLS) of the Lynx ransomware serves as a platform where attackers publish announcements regarding attacks and disclose leaked data from their victims.”
- Professional Recruitment:
Lynx actively recruits skilled penetration testing teams via dark web forums, emphasizing operational security and stringent vetting processes. Recruitment posts highlight features like “reliable encryption algorithms” and “silent mode”, showcasing the group’s focus on quality.
Group-IB’s analysis of Lynx operations reveals a systematic approach to cybercrime:
- Affiliates gain access to targeted networks via penetration testing or other means.
- Customized ransomware builds are deployed across Windows, Linux, and ESXi hosts, with the build chosen to match each system’s architecture.
- Victim management tools in the affiliate panel streamline communication, ransom negotiations, and extortion tactics.
- Data leaks are scheduled if ransom demands are unmet, amplifying pressure on victims.
The ransomware employs multi-threaded encryption to maximize throughput and offers a silent mode that neither appends a file extension nor drops visible ransom notes during the attack. In practice this means detections keyed on renamed files or on the appearance of ransom-note files will not fire while encryption is under way; the remaining on-disk signal is the content of recently modified files turning random.
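The two properties above, silent mode and partial encryption modes, defeat the cheapest ransomware detections (extension renames, ransom-note filenames). The following is an added example, not code from Group-IB or from the Lynx operators: it simulates both behaviours with a seeded XOR keystream standing in for AES-128, and shows that per-chunk Shannon entropy still flags the files, including the partially encrypted case that a whole-file entropy check can miss. The chunk size, entropy threshold, and the "every fourth chunk" layout of the partial mode are assumptions for illustration, not Lynx's real parameters.

```python
"""Per-chunk entropy detection for silently encrypted files.

Added example, not Group-IB or Lynx code. Simulates silent mode (no rename,
no note) and partial encryption, then detects both from content alone.
"""
import math
import os
import random
from collections import Counter

CHUNK = 4096            # bytes per entropy window (assumed)
HIGH_ENTROPY = 7.5      # assumed threshold (bits/byte); random 4 KiB scores ~7.95
FULL_FRACTION = 0.9     # assumed: >= 90% high-entropy chunks -> whole file encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size window; partial encryption shows up as a mix."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes) -> tuple[str, float]:
    """Return (verdict, fraction of high-entropy chunks): 'clean', 'partial' or 'full'.

    Compressed or already-encrypted formats (zip, jpeg, pdf streams) also score
    high, so pair this with a file-type check before alerting in production.
    """
    ents = chunk_entropies(data)
    if not ents:
        return "clean", 0.0
    frac = sum(1 for e in ents if e >= HIGH_ENTROPY) / len(ents)
    if frac == 0.0:
        return "clean", frac
    if frac >= FULL_FRACTION:
        return "full", frac
    return "partial", frac


def make_sample_document(chunks: int = 64) -> bytes:
    """Constructed low-entropy plaintext standing in for a victim document."""
    line = b"Quarterly report: revenue, costs, headcount and forecast notes.\n"
    return (line * (chunks * CHUNK // len(line) + 1))[: chunks * CHUNK]


def simulate_encrypt(data: bytes, mode: str, seed: int = 1) -> bytes:
    """Stand-in for the ransomware's file encryption.

    'entire' encrypts every chunk; 'partial' encrypts every fourth chunk, an
    assumed simplification of the fast/medium/slow modes (real layout not
    described here). A seeded XOR keystream replaces AES-128 so the output is
    reproducible; real ciphertext is equally random-looking.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), CHUNK)):
        if mode == "entire" or (mode == "partial" and idx % 4 == 0):
            block = out[start:start + CHUNK]
            ks = rng.randbytes(len(block))
            out[start:start + CHUNK] = bytes(b ^ k for b, k in zip(block, ks))
    return bytes(out)


def scan_directory(root: str, modified_after: float,
                   max_bytes: int = 1 << 20) -> list[tuple[str, str, float]]:
    """Flag recently modified files regardless of name or extension.

    Silent mode leaves no renamed files or notes, so select by mtime and judge
    by content rather than by suffix.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime < modified_after:
                    continue
                with open(path, "rb") as fh:
                    verdict, frac = classify(fh.read(max_bytes))
            except OSError:
                continue
            if verdict != "clean":
                hits.append((path, verdict, frac))
    return hits


if __name__ == "__main__":
    doc = make_sample_document()
    for label, blob in [("plaintext", doc),
                        ("entire mode", simulate_encrypt(doc, "entire")),
                        ("partial mode", simulate_encrypt(doc, "partial"))]:
        print(label, classify(blob))
```

Run it as a script to see the three verdicts; `scan_directory(path, time.time() - 600)` applies the same check to everything modified in the last ten minutes. Reading per chunk rather than over the whole file is what makes the partial mode visible: a file with one encrypted chunk in four still has low average entropy, but 25% of its windows are random.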
Group-IB found significant code overlap between Lynx ransomware and the previously reported INC ransomware. A BinDiff analysis revealed over 90% similarity in the Linux/ESXi variant, suggesting that Lynx may have acquired or adapted INC’s source code.
For a detailed breakdown of Lynx’s operations and technical features, visit Group-IB’s official website.