Lynx Ransomware: A Rebranding of INC Ransomware

Oct. 14, 2024, 10:45 a.m.

Description

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware and targets organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates under a ransomware-as-a-service model. Lynx employs double extortion tactics, exfiltrating data before encryption. The group uses various delivery mechanisms, including phishing emails and malicious downloads. Technical analysis reveals the use of AES-128 and Curve25519 encryption algorithms, with a .lynx extension appended to encrypted files. The ransomware terminates specific processes, encrypts network drives, and uses the Restart Manager API to target locked files. Comparison with INC ransomware shows a 70.8% overlap in shared functions, indicating code reuse.

Date

Published: Oct. 14, 2024, 10:18 a.m.

Created: Oct. 14, 2024, 10:18 a.m.

Modified: Oct. 14, 2024, 10:45 a.m.

Indicators

martina.lestariid1898@proton.me

Attack Patterns

INC ransomware

Lynx ransomware

Lynx

T1569.002

T1070.001

T1078.003

T1490

T1012

T1070.004

T1562.001

T1489

T1486

T1082

T1083

T1055

T1134

T1112

T1078

Additional Information

Architecture

Retail

Finance

United Kingdom of Great Britain and Northern Ireland

United States of America