Lynx Ransomware: A Rebranding of INC Ransomware
Oct. 14, 2024, 10:45 a.m.
Description
Lynx ransomware, first observed in July 2024, is a successor to INC ransomware and has targeted organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares a substantial amount of source code with INC and is operated as ransomware-as-a-service. Lynx uses double extortion: data is exfiltrated before encryption and the victim is pressured with the threat of publication on the group's leak sites. Delivery mechanisms include phishing emails and malicious downloads. Technical analysis shows files are encrypted with AES-128 together with Curve25519 (an elliptic-curve key-agreement primitive rather than a cipher, so it protects the keys rather than the file content), and encrypted files receive a .lynx extension. The ransomware terminates a list of targeted processes, encrypts mounted network drives as well as local volumes, and uses the Windows Restart Manager API to free files locked by other processes so they can be encrypted. A function-level comparison with INC shows a 70.8% overlap in shared functions, indicating direct code reuse.
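The behaviours above (loading the Restart Manager DLL, mass creation of .lynx files, network-share targets) translate into a simple host-level hunt. The following is an added example written for this page, not code from the Lynx/INC analysis: it runs over Sysmon-style event dicts (event ID 7 ImageLoaded, event ID 11 FileCreate), and the events, the process names, the allowlist of legitimate RstrtMgr.dll users and the thresholds are all constructed assumptions to tune against your own baseline.

```python
"""Behavioural hunt for the Lynx traits described above, run over Sysmon-style
events. Added example; the events below are constructed, not a real capture."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Processes that legitimately load RstrtMgr.dll (installer/update machinery).
# ASSUMPTION: a starting allowlist only; build yours from a clean baseline.
RSTRTMGR_ALLOWLIST = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe", "wusa.exe"}
MASS_RENAME_THRESHOLD = 5        # .lynx files by one process inside WINDOW
WINDOW = timedelta(seconds=60)


def _image_name(path):
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (severity, image, reason) findings for a list of Sysmon-like
    dicts. EventID 7 = ImageLoaded, EventID 11 = FileCreate."""
    findings = []
    image_of = {}                       # ProcessGuid -> image basename
    rstrtmgr_loaders = set()            # ProcessGuids that loaded RstrtMgr.dll
    lynx_creates = defaultdict(list)    # ProcessGuid -> [(time, target path)]

    for e in events:
        guid = e["ProcessGuid"]
        image_of[guid] = _image_name(e["Image"])
        if e["EventID"] == 7 and _image_name(e["ImageLoaded"]) == "rstrtmgr.dll":
            if image_of[guid] not in RSTRTMGR_ALLOWLIST:
                rstrtmgr_loaders.add(guid)
                findings.append(("medium", image_of[guid],
                                 "loads RstrtMgr.dll outside the installer allowlist"))
        elif e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".lynx"):
            lynx_creates[guid].append((datetime.fromisoformat(e["UtcTime"]),
                                       e["TargetFilename"]))

    for guid, items in lynx_creates.items():
        items.sort()
        times = [t for t, _ in items]
        # Sliding window: largest number of .lynx creates inside one WINDOW.
        peak = max(bisect_right(times, t + WINDOW) - i for i, t in enumerate(times))
        if peak < MASS_RENAME_THRESHOLD:
            continue
        reason = f"{peak} .lynx files created within {WINDOW.seconds}s"
        if any(target.startswith("\\\\") for _, target in items):
            reason += " (UNC/network-share paths included)"
        # Restart Manager use plus a mass rename by the same process -> high.
        severity = "high" if guid in rstrtmgr_loaders else "medium"
        findings.append((severity, image_of[guid], reason))
    return findings


def sample_events():
    """Constructed Sysmon-style events: a hypothetical dropper in the Public
    folder loads RstrtMgr.dll and writes six .lynx files to a share, msiexec
    loads the same DLL legitimately, and explorer creates two .lynx files."""
    mal, inst, benign = "{guid-mal}", "{guid-msi}", "{guid-exp}"
    dll = r"C:\Windows\System32\RstrtMgr.dll"
    ev = [
        {"EventID": 7, "UtcTime": "2024-10-01T10:00:00", "ProcessGuid": mal,
         "Image": r"C:\Users\Public\win.exe", "ImageLoaded": dll},
        {"EventID": 7, "UtcTime": "2024-10-01T10:00:01", "ProcessGuid": inst,
         "Image": r"C:\Windows\System32\msiexec.exe", "ImageLoaded": dll},
    ]
    for i in range(6):
        ev.append({"EventID": 11, "UtcTime": f"2024-10-01T10:00:{10 + i:02d}",
                   "ProcessGuid": mal, "Image": r"C:\Users\Public\win.exe",
                   "TargetFilename": rf"\\fileserver\finance\q3-{i}.xlsx.lynx"})
    for i in range(2):
        ev.append({"EventID": 11, "UtcTime": f"2024-10-01T11:00:{i:02d}",
                   "ProcessGuid": benign, "Image": r"C:\Windows\explorer.exe",
                   "TargetFilename": rf"C:\Users\alice\Desktop\note{i}.lynx"})
    return ev


if __name__ == "__main__":
    for severity, image, reason in hunt(sample_events()):
        print(f"[{severity}] {image}: {reason}")
```

The Restart Manager load alone is only a medium signal because installers use it routinely; the combination of that load and a burst of .lynx creates from the same process, especially on UNC paths, is what lifts a finding to high.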
Date
Published: Oct. 14, 2024, 10:18 a.m.
Created: Oct. 14, 2024, 10:18 a.m.
Modified: Oct. 14, 2024, 10:45 a.m.
Indicators
fef674fce37d5de43a4d36e86b2c0851d738f110a0d48bae4b2dab4c6a2c373e
fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
f96ecd567d9a05a6adb33f07880eebf1d6a8709512302e363377065ca8f98f56
ee1d8ac9fef147f0751000c38ca5d72feceeaae803049a2cd49dcce15223b720
eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc
d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6
e17c601551dfded76ab99a233957c5c4acf0229b46cd7fc2175ead7fe1e3d261
ca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c
c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef
a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5
9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d
869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947
82eb1910488657c78bef6879908526a2a2c6c31ab2f0517fcc5f3f6aa588b513
7f104a3dfda3a7fbdd9b910d00b0169328c5d2facc10dc17b4378612ffa82d51
64b249eb3ab5993e7bcf5c0130e5f31cbd79dabdcad97268042780726e68533f
63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7
571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b
36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e
508a644d552f237615d1504aa1628566fe0e752a5bc0c882fa72b3155c322cef
3156ee399296d55e56788b487701eb07fd5c49db04f80f5ab3dc5c4e3c071be0
29a25e971dbb87d3adcee75693782d978a3ca9f64df0a59b015ca519a4026c49
1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a
1754c9973bac8260412e5ec34bf5156f5bb157aa797f95ff4fc905439b74357a
05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9
11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd
02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461
martina.lestariid1898@proton.me
lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion
lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion
lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion
lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd.onion
lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd.onion
lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd.onion
lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion
lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion
lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion
lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion
lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion
lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion
lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion
lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion
lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion
lynxblog.net
lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion
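The indicator list above mixes SHA-256 hashes, a contact mailbox, Tor v3 onion addresses and a clearnet domain on one line each, so the first step in using it is to type each line and match it against the right telemetry. The following is an added example, not part of the original report: the indicator subset embedded in it is copied from the list above, while the log lines, host names and file inventory are constructed for illustration.

```python
"""Turn the indicator list above into typed IOC sets and match them against
host file hashes and network/mail log lines. Added example; the indicator
subset is copied from the page, the logs and inventory are constructed."""
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")
ONION_RE = re.compile(r"^[a-z2-7]+\.onion$")          # Tor v3: base32 label
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

# Subset of the page's indicators: two SHA-256s, the contact mailbox,
# one chat onion, one leak-site onion and the clearnet leak domain.
INDICATOR_TEXT = """
fef674fce37d5de43a4d36e86b2c0851d738f110a0d48bae4b2dab4c6a2c373e
fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
martina.lestariid1898@proton.me
lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion
lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion
lynxblog.net
"""

# Constructed log lines and file inventory (hypothetical hosts and paths).
SAMPLE_LOGS = [
    "2024-10-03T08:12:41Z dns query=www.lynxblog.net client=10.0.4.17",
    "2024-10-03T08:12:42Z dns query=notlynxblog.net client=10.0.4.17",
    "2024-10-03T08:13:05Z proxy host=lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion action=block",
    "2024-10-03T08:15:00Z mailgw from=martina.lestariid1898@proton.me subject=urgent",
    "2024-10-03T08:16:00Z dns query=example.com client=10.0.4.18",
]
SAMPLE_INVENTORY = {
    r"C:\Users\Public\win.exe": "FEF674FCE37D5DE43A4D36E86B2C0851D738F110A0D48BAE4B2DAB4C6A2C373E",
    r"C:\Windows\notepad.exe": "0000000000000000000000000000000000000000000000000000000000000000",
}


def parse_indicators(text):
    """Classify one indicator per line; lines of unknown shape are ignored."""
    iocs = {"sha256": set(), "email": set(), "onion": set(), "domain": set()}
    for line in text.splitlines():
        v = line.strip().lower()
        if not v:
            continue
        for kind, rx in (("sha256", SHA256_RE), ("email", EMAIL_RE),
                         ("onion", ONION_RE), ("domain", DOMAIN_RE)):
            if rx.match(v):
                iocs[kind].add(v)
                break
    return iocs


def match_hashes(iocs, inventory):
    """inventory: {path: sha256}; returns paths whose hash is a known IOC."""
    return sorted(p for p, h in inventory.items() if h.lower() in iocs["sha256"])


def match_logs(iocs, lines):
    """Return (line_no, indicator, kind) for every whole-token hit of a domain,
    onion or e-mail indicator. The lookarounds keep 'notlynxblog.net' from
    matching while 'www.lynxblog.net' (a subdomain) still does."""
    patterns = [(kind, v, re.compile(r"(?<![\w-])" + re.escape(v) + r"(?![\w-])"))
                for kind in ("domain", "onion", "email") for v in sorted(iocs[kind])]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits.extend((n, v, kind) for kind, v, rx in patterns if rx.search(low))
    return hits


if __name__ == "__main__":
    iocs = parse_indicators(INDICATOR_TEXT)
    print({k: len(v) for k, v in iocs.items()})
    print(match_hashes(iocs, SAMPLE_INVENTORY))
    print(match_logs(iocs, SAMPLE_LOGS))
```

Onion addresses will normally only appear in proxy or endpoint telemetry (Tor Browser, tor2web gateways), not in DNS logs, so the onion set is best matched against web-proxy and EDR data while the clearnet domain goes into DNS and firewall queries.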
Attack Patterns
INC ransomware
Lynx ransomware
Lynx
T1569.002 (System Services: Service Execution)
T1070.001 (Indicator Removal: Clear Windows Event Logs)
T1078.003 (Valid Accounts: Local Accounts)
T1490 (Inhibit System Recovery)
T1012 (Query Registry)
T1070.004 (Indicator Removal: File Deletion)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1489 (Service Stop)
T1486 (Data Encrypted for Impact)
T1082 (System Information Discovery)
T1083 (File and Directory Discovery)
T1055 (Process Injection)
T1134 (Access Token Manipulation)
T1112 (Modify Registry)
T1078 (Valid Accounts)
Additional Information
Architecture
Retail
Finance
United Kingdom of Great Britain and Northern Ireland
United States of America