Comment
Author: Admin | 2025-04-28
What is Lynx ransomware?In mid-2024, a new ransomware actor named Lynx emerged in the threat landscape. This Ransomware-as-a-Service (RaaS) strain is known to target organizations in the finance, architecture, and manufacturing sectors [1] [2]. However, Darktrace’s Threat Research teams also identified Lynx incidents affecting energy and retail organizations in the Middle East and Asia-Pacific (APAC) regions. Despite being a relatively new actor, Lynx’s malware shares large portions of its source code with the INC ransomware variant, suggesting that the group may have acquired and repurposed the readily available INC code to develop its own strain [2].What techniques does Lynx ransomware group use?Lynx employs several common attack vectors, including phishing emails which result in the download and installation of ransomware onto systems upon user interaction. The group poses a sophisticated double extortion threat to organizations, exfiltrating sensitive data prior to encryption [1]. This tactic allows threat actors to pressure their targets by threatening to release sensitive information publicly or sell it if the ransom is not paid. The group has also been known to gradually release small batches of sensitive information (i.e., “drip” data) to increase pressure.Once executed, the malware encrypts files and appends the extension ‘.LYNX’ to all encrypted files. It eventually drops a Base64 encoded text file as a ransom note (i.e., README.txt) [1]. Should initial file encryption attempts fail, the operators have been known to employ privilege escalation techniques to ensure full impact [2].In the Annual Threat Report 2024, Darktrace’s Threat Research team identified Lynx ransomware as one
Add Comment