Overview of Lynx Ransomware
Lynx Ransomware is a recently emerged and highly sophisticated cyber threat that has been active since mid-2024 and has already claimed more than 20 victims across multiple industries. A rebranded and enhanced variant of the earlier INC Ransomware, Lynx appears to have been built on the INC Ransomware source code, suggesting a direct lineage between the two.
Operating under the Ransomware-as-a-Service (RaaS) model, Lynx ransomware strikes with a lethal combination of double extortion and strong encryption. Victims not only lose access to their systems, but they also face the looming threat of having their stolen data leaked if the ransom isn't paid. The group primarily targets Windows environments, appending the .lynx extension to encrypted files while systematically erasing shadow copies to cripple recovery efforts.
What makes Lynx particularly dangerous is its highly customizable nature: affiliates can fine-tune their attacks using command-line arguments, giving them precise control over which files and directories are encrypted. This adaptability makes Lynx a formidable weapon in the hands of cybercriminals.
- Targeted Industries: Retail, Real Estate, Finance, Manufacturing, Construction and Logistics.
- Targeted Regions: North America, Europe and Australia.
Lynx primarily targets small and medium-sized businesses. Although the group claims to avoid socially significant organizations, including government agencies, hospitals, and non-profits, its attacks have still resulted in major operational disruptions and significant data breaches, underscoring the serious threat it poses.
To distribute Lynx ransomware, attackers leverage multiple infiltration methods, including:
- Phishing emails designed to deceive recipients into revealing sensitive information
- Malicious downloads that stealthily install ransomware onto targeted systems
- Hacking forums where cybercriminals exchange tools, tactics and resources
![](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/67ac7189afaeb98a5a902937_c173b439.png)
Lynx Ransomware: Recent Operations and Breaches
Since its emergence in July 2024, the Lynx ransomware group has been linked to multiple high-profile cyberattacks.
In January 2025, this ransomware group targeted Hunter Taubman Fischer & Li LLC, a U.S. law firm specializing in corporate and securities law. This attack resulted in the exposure of confidential client data, posing serious legal and security risks.
In December 2024, Electrica, a leading energy supplier, was targeted by the Lynx ransomware group. The attack led to severe operational disruptions and the compromise of sensitive data, highlighting the growing cybersecurity threats faced by critical infrastructure sectors.
In late 2024, DZS Inc., a global leader in network solutions, fell victim to a Lynx ransomware attack. The threat group claimed responsibility for the breach, exfiltrating approximately 30GB of sensitive data and demanding a staggering $18.1 million ransom.
Technical Analysis
Initial Access
Adversaries use phishing emails to deceive targets into revealing sensitive information, such as login credentials or other valuable data. These deceptive tactics are designed to manipulate victims into unknowingly providing access, which attackers later exploit to carry out their malicious activities.
Execution
Adversaries leverage Native OS APIs to execute malicious behaviors, interacting directly with low-level system functions related to hardware, memory, and processes. These APIs play a crucial role in system boot and routine operations, allowing the ransomware to bypass security mechanisms and manipulate system resources.
Privilege Escalation
To achieve privilege escalation, the ransomware invokes the priv_escalation function, which enables SeTakeOwnershipPrivilege on the current process token. This is accomplished using AdjustTokenPrivileges, allowing the malware to take ownership of targeted files and directories. The function then calls AllocateAndInitializeSid to establish a Security Identifier (SID) and configures an EXPLICIT_ACCESS structure with GENERIC_ALL permissions, granting full control over the targeted file. Next, it modifies the file's Access Control List (ACL) using SetEntriesInAclW and SetNamedSecurityInfoW, ensuring that the ransomware maintains unrestricted access.
Once ownership is secured, priv_escalation re-applies the modified ACL to retain control, then resets the token's privileges to reduce the chance of detection. This privilege escalation technique enables Lynx ransomware to manipulate protected files, evade security mechanisms, and execute further malicious actions undetected.
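The sequence above (enable SeTakeOwnershipPrivilege on the token, then rewrite the ACL of one file after another) leaves a recognizable trail in the Windows Security log: event 4703 ("A token right was adjusted") followed by a run of 4670 ("Permissions on an object were changed") from the same process. The correlator below is an added example for defenders, not code from Lynx or from this write-up; it assumes the events have already been parsed into dictionaries, the field names are simplified, and the sample records are constructed for the demonstration.

```python
"""Correlate 'take-ownership then re-ACL' behaviour from Windows Security events.

Added example, not from the original write-up or from Lynx itself. Field names
are simplified and the records below are constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4703 = "A token right was adjusted",
# 4670 = "Permissions on an object were changed". Timestamps are ISO-8601.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:01", "event_id": 4703, "pid": 4412,
     "process": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "enabled_privileges": ["SeTakeOwnershipPrivilege"]},
    {"time": "2025-01-10T09:00:02", "event_id": 4670, "pid": 4412,
     "process": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "object": r"C:\Finance\Q4\ledger.xlsx"},
    {"time": "2025-01-10T09:00:02", "event_id": 4670, "pid": 4412,
     "process": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "object": r"C:\Finance\Q4\forecast.docx"},
    # Benign: an admin tool enabling the privilege for a single file.
    {"time": "2025-01-10T09:05:00", "event_id": 4703, "pid": 7001,
     "process": r"C:\Windows\System32\takeown.exe",
     "enabled_privileges": ["SeTakeOwnershipPrivilege"]},
    {"time": "2025-01-10T09:05:01", "event_id": 4670, "pid": 7001,
     "process": r"C:\Windows\System32\takeown.exe",
     "object": r"C:\Temp\old.log"},
]

WINDOW = timedelta(seconds=30)   # correlation window (tunable, chosen for the demo)
MIN_ACL_CHANGES = 2              # alert threshold (tunable, chosen for the demo)


def correlate(events, window=WINDOW, min_changes=MIN_ACL_CHANGES):
    """Return one alert per process that enabled SeTakeOwnershipPrivilege and
    then changed permissions on at least `min_changes` objects within `window`."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        for i, ev in enumerate(evs):
            if ev["event_id"] != 4703:
                continue
            if "SeTakeOwnershipPrivilege" not in ev.get("enabled_privileges", []):
                continue
            start = datetime.fromisoformat(ev["time"])
            touched = [e["object"] for e in evs[i + 1:]
                       if e["event_id"] == 4670
                       and datetime.fromisoformat(e["time"]) - start <= window]
            if len(touched) >= min_changes:
                alerts.append({"pid": pid, "process": ev["process"], "objects": touched})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['process']}) re-ACLed {len(alert['objects'])} objects")
```

Both 4703 and 4670 require the corresponding audit subcategories (Token Right Adjusted and File System object access with SACLs on the monitored paths) to be enabled; without them the correlation has nothing to consume. The threshold is deliberately low because a single process taking ownership of several user documents in seconds is rare outside administration scripts, which can be allow-listed by process path.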
Defense Evasion
Adversaries actively terminate system processes, including anti-virus and security software, to evade detection and circumvent defenses. They achieve this by modifying or disabling security tools, ensuring that their malicious activities remain undetected.
Discovery
Adversaries leveraging Lynx ransomware gather information about active system processes to identify commonly used software and applications within the network. The directory enumeration function in Lynx ransomware is responsible for traversing directories, identifying files for encryption, and handling recursive subdirectory processing.
The process begins with the creation of a README.txt file in the targeted directory, containing the ransom note. This is achieved using CreateFileW to generate the file and WriteFile to insert the ransom instructions, ensuring victims can access the payment details.
Next, the ransomware employs FindFirstFileW to locate the first file or directory entry within the specified directory. It then iterates through all files and subdirectories in a loop, systematically identifying targets for encryption. During this process, the function skips special directories such as "." and "..", reparse points, and files marked with the system attribute (FILE_ATTRIBUTE_SYSTEM).
By systematically scanning and selecting files for encryption, this function ensures comprehensive coverage of the infected system while strategically avoiding unnecessary files that could disrupt the ransomware's execution.
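Because the traversal rules are known (no "." or "..", no reparse points, no system-attribute files), a responder can sweep a host with the same rules to find exactly what the ransomware would have reached: files carrying the .lynx extension and the README.txt notes dropped in each directory. The script below is an added example written for that defensive sweep; it is not Lynx's code and not from the original post. The demo tree it builds, and the marker text it looks for inside README.txt, are constructed for the illustration.

```python
"""Responder-side sweep for Lynx artifacts (.lynx files and README.txt notes).

Added example, not Lynx code and not from the original post. It applies the
traversal rules the write-up describes: no '.'/'..', no reparse points, and no
FILE_ATTRIBUTE_SYSTEM entries.
"""
import os
import stat
import tempfile

RANSOM_NOTE = "README.txt"
ENC_EXT = ".lynx"
# Constructed marker for the demo tree; a real note is longer and worded differently.
NOTE_MARKER = "Your data was stolen and encrypted"


def _is_reparse_or_system(entry):
    """True for symlinks/reparse points and (on Windows) FILE_ATTRIBUTE_SYSTEM entries."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    mask = (getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
            | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0))
    return bool(attrs & mask)


def sweep(root):
    """Walk `root` and return {'encrypted': [...], 'notes': [...], 'skipped': n}."""
    found = {"encrypted": [], "notes": [], "skipped": 0}
    stack = [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as it:  # scandir never yields '.' or '..'
            for entry in it:
                if _is_reparse_or_system(entry):
                    found["skipped"] += 1
                    continue
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.name == RANSOM_NOTE:
                    with open(entry.path, encoding="utf-8", errors="replace") as fh:
                        if NOTE_MARKER in fh.read(4096):
                            found["notes"].append(entry.path)
                elif entry.name.lower().endswith(ENC_EXT):
                    found["encrypted"].append(entry.path)
    return found


def make_demo_tree():
    """Build a constructed directory tree imitating a hit host; returns its path."""
    root = tempfile.mkdtemp(prefix="lynx-demo-")
    q4 = os.path.join(root, "Finance", "Q4")
    os.makedirs(q4)
    for name in ("ledger.xlsx.lynx", "forecast.docx.lynx"):
        open(os.path.join(q4, name), "wb").close()
    for folder in (os.path.join(root, "Finance"), q4):
        with open(os.path.join(folder, RANSOM_NOTE), "w", encoding="utf-8") as fh:
            fh.write(NOTE_MARKER + "\n")
    open(os.path.join(root, "notes.txt"), "w").close()  # untouched file, must not be reported
    # A symlink pointing back at the root: must be skipped, never followed.
    try:
        os.symlink(root, os.path.join(root, "loop"))
    except (OSError, NotImplementedError):
        pass  # symlink creation may be unavailable; the sweep still works
    return root


if __name__ == "__main__":
    result = sweep(make_demo_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes, "
          f"{result['skipped']} entries skipped")
```

Skipping reparse points matters for the responder as much as for the malware: following a junction or symlink loop would make the sweep run forever, and counting files behind a reparse point would overstate the damage. On a real incident the marker text should be replaced with a phrase from the actual note so that unrelated README.txt files are not reported.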
Impact
The Stop Services Function in Lynx ransomware is specifically designed to disable targeted services and their dependencies, disrupting system functionality and hindering recovery efforts.
When executed with the kill flag, Lynx ransomware initiates its attack by enumerating all running processes and terminating those whose names contain specific keywords, including:
- sql
- veeam
- backup
- exchange
- java
- notepad
The process begins by gaining access to the Service Control Manager through OpenSCManagerW, allowing the ransomware to manage system services. It then opens the specified service using OpenServiceW. If the targeted service has dependent services, the function utilizes EnumDependentServices to identify and enumerate them. Each dependent service is recursively processed and terminated using the stop_services function to ensure that no active service interferes with the ransomware's execution.
If a service does not stop immediately, QueryServiceStatusEx is employed to monitor its status, repeatedly attempting to terminate it until it successfully shuts down or reaches a timeout. Once the process is complete, all allocated resources and service handles are cleaned up, ensuring efficient execution without leaving unnecessary traces.
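The service-stopping routine above produces a burst of "entered the stopped state" messages (Service Control Manager event 7036 in the System log) for services whose names match the keyword list. The detector below is an added example for the SOC side, not from the original post; it parses a constructed, simplified text rendering of those log lines and raises a hit when several keyword-matching services stop within a short window. The time window and threshold are values chosen for the demonstration.

```python
"""Flag a burst of stopped services matching the keywords Lynx is reported to target.

Added example, not from the original post. The log lines are a constructed,
simplified rendering of Service Control Manager event 7036.
"""
import re
from datetime import datetime, timedelta

# Keywords from the write-up; matching is case-insensitive substring.
LYNX_KEYWORDS = ("sql", "veeam", "backup", "exchange", "java", "notepad")

# Constructed format: "<ISO time> <event id> The <name> service entered the <state> state."
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<event_id>\d+)\s+"
    r"The (?P<name>.+?) service entered the (?P<state>\w+) state\.$")

SAMPLE_LOG = """\
2025-01-10T09:10:00 7036 The Print Spooler service entered the running state.
2025-01-10T09:12:03 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2025-01-10T09:12:03 7036 The SQL Server Agent (MSSQLSERVER) service entered the stopped state.
2025-01-10T09:12:04 7036 The Veeam Backup Service service entered the stopped state.
2025-01-10T09:12:05 7036 The Microsoft Exchange Transport service entered the stopped state.
2025-01-10T09:12:05 7036 The Windows Update service entered the stopped state.
2025-01-10T09:40:00 7036 The Veeam Backup Service service entered the running state.
"""


def parse(lines):
    """Yield parsed records for lines that match the constructed 7036 format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"time": datetime.fromisoformat(m["time"]),
                   "event_id": int(m["event_id"]),
                   "name": m["name"], "state": m["state"]}


def matches_keyword(name):
    lowered = name.lower()
    return any(k in lowered for k in LYNX_KEYWORDS)


def detect_stop_burst(lines, window=timedelta(minutes=2), threshold=3):
    """Return the names of keyword-matching services that stopped within `window`
    if there are at least `threshold` of them, else an empty list."""
    stops = [e for e in parse(lines)
             if e["event_id"] == 7036 and e["state"] == "stopped" and matches_keyword(e["name"])]
    stops.sort(key=lambda e: e["time"])
    for i, first in enumerate(stops):
        run = [e["name"] for e in stops[i:] if e["time"] - first["time"] <= window]
        if len(run) >= threshold:
            return run
    return []


if __name__ == "__main__":
    hits = detect_stop_burst(SAMPLE_LOG.splitlines())
    print("stop burst:", hits if hits else "none")
```

Patch windows and backup maintenance also stop these services, so the rule is best paired with the process-level view: a stop burst initiated by a non-standard parent process, or one followed by shadow copy deletion, is the combination worth paging on.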
To access files locked by running processes, Lynx ransomware utilizes the Restart Manager (RM) API. The process begins by initiating an RM session using RmStartSession and registering the target file as a managed resource via RmRegisterResources. The malware then calls RmGetList to identify all processes currently holding handles to the locked file.
Adversaries alter visual content within an enterprise network or external platforms, compromising the integrity of the original material. This defacement tactic is often used to spread messages, intimidate victims, or falsely claim responsibility for an attack. By modifying websites, internal dashboards, or digital displays, attackers can disrupt operations, damage reputations, and amplify their impact beyond the initial breach.
As part of its attack, Lynx ransomware creates a temporary image file named "background-image.jpg" in the temp folder. This file contains the ransom note in image format and is set as the desktop wallpaper, ensuring that victims are immediately confronted with the attacker's demands upon system infection.
Encryption
Lynx ransomware combines Elliptic Curve Cryptography (ECC) with AES to encrypt files. The process begins with ECC key decoding and AES key generation: the ransomware decodes a Curve25519 ECC public key using base64_decode, establishes a shared secret through a Diffie-Hellman key exchange, and hashes that secret with SHA-512 to derive the AES encryption key. To speed up encryption, the AES key is then expanded via AESKeyExpansion into the round keys used for block encryption.
Once encryption is complete, all affected files are appended with the .lynx extension, making them inaccessible without the decryption key. This method not only ensures strong data encryption but also serves as a clear indicator of infection.
The enc_del_shadow_copies function is leveraged to remove shadow copies across all available drives, effectively erasing backup files to obstruct recovery efforts and ensure the encryption process remains irreversible.
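The key agreement described in the Encryption section is what makes recovery without the operator's cooperation infeasible, so it is worth seeing end to end. The block below is an added worked example, not Lynx's code and not from the original post: it implements X25519 as specified in RFC 7748, derives an AES-256 key from the SHA-512 hash of the shared secret, and shows that the operator (holding the private key matching the embedded public key) recovers the same key the victim side derived. Two details are assumptions for the illustration, since the write-up does not state them: that the victim side generates a throwaway key pair locally, and that the first 32 bytes of the SHA-512 digest are used as the AES key.

```python
"""X25519 (RFC 7748) shared secret -> SHA-512 -> AES-256 key, as a worked example.

Added example, not Lynx's code and not from the original post. Assumptions for
the illustration: the victim side generates a throwaway key pair, and the
first 32 bytes of SHA-512(shared secret) form the AES-256 key.
"""
import base64
import hashlib
import os

P = 2**255 - 19   # field prime for Curve25519
A24 = 121665      # (A - 2) / 4 for the Montgomery curve


def _clamp(k):
    """Scalar clamping from RFC 7748 section 5."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap, a, b):
    """Conditional swap driven by a 0/1 flag, without branching on the secret."""
    mask = -swap               # 0 or all-ones
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar, u_bytes):
    """Montgomery ladder from RFC 7748; returns the 32-byte result point."""
    k = _clamp(scalar)
    u = bytearray(u_bytes)
    u[31] &= 127               # RFC 7748: mask the unused top bit of u
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def public_key(private):
    return x25519(private, BASEPOINT)


def derive_aes_key(private, peer_public):
    """Shared secret -> SHA-512 -> first 32 bytes (assumed AES-256 key)."""
    return hashlib.sha512(x25519(private, peer_public)).digest()[:32]


def simulate_exchange(operator_private=None):
    """Victim side: decode the embedded base64 public key, make a throwaway key
    pair, derive the AES key. Operator side: re-derive it from the victim's
    public key. Returns (victim_key, operator_key, victim_public)."""
    operator_private = operator_private or os.urandom(32)
    embedded_b64 = base64.b64encode(public_key(operator_private)).decode()  # what a sample carries
    operator_public = base64.b64decode(embedded_b64)                       # the base64_decode step
    victim_private = os.urandom(32)             # assumed: generated locally, then discarded
    victim_public = public_key(victim_private)  # assumed: stored so the operator can re-derive
    victim_key = derive_aes_key(victim_private, operator_public)
    operator_key = derive_aes_key(operator_private, victim_public)
    return victim_key, operator_key, victim_public


if __name__ == "__main__":
    vk, ok, _ = simulate_exchange()
    print("keys match:", vk == ok, "| AES-256 key:", vk.hex())
```

The defensive lesson is in the last two lines of simulate_exchange: once the victim-side private scalar is gone, the AES key can only be rebuilt by whoever holds operator_private, and no amount of analysis of the sample (which embeds only the public key) changes that. Restoration therefore depends on offline backups, not on key recovery.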
MITRE ATT&CK TACTICS AND TECHNIQUES
Fortifying Cyber Defenses: Shielding Against Lynx Ransomware
Defending against Lynx ransomware requires a multi-layered cybersecurity strategy that strengthens both technical defenses and human awareness. Organizations must proactively address vulnerabilities and prepare for potential attacks with the following key measures:
- Patch Management and System Updates: Regularly update operating systems, software, and security patches to eliminate exploitable weaknesses that ransomware can target.
- Secure Backup Strategy: Implement automated, encrypted backups stored offline or in isolated environments to ensure rapid recovery without paying a ransom.
- Email Security and Employee Awareness: Deploy advanced email filtering to block phishing attempts, which are one of Lynx's primary infection vectors. Conduct regular cybersecurity training to help employees recognize malicious emails and suspicious downloads.
- Endpoint and Network Defense: Utilize next-gen endpoint protection and real-time network monitoring to detect and contain ransomware activities before they spread.
- Strict Access Controls: Enforce the principle of least privilege to restrict user permissions, minimizing an attacker's ability to escalate privileges and move laterally within a network.
- Incident Response and Readiness: Develop and routinely test a ransomware-specific incident response plan, ensuring swift action to contain threats and restore operations without major disruption.
Final Thoughts
As ransomware threats continue to evolve, the risk of widespread breaches across organizations remains high. To stay ahead of these sophisticated attacks, LOVI (Loginsoft Vulnerability Intelligence) provides cutting-edge threat intelligence, real-time vulnerability tracking, and proactive defense strategies. By leveraging LOVI, organizations can identify emerging threats, mitigate risks, and fortify their cybersecurity posture against ever-adaptive ransomware.
Sources Cited:
- https://www.theregister.com/2024/10/11/inc_ransomware_lynx/
- https://www.picussecurity.com/resource/blog/lynx-ransomware
- https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
- https://www.nextron-systems.com/2024/10/11/in-depth-analysis-of-lynx-ransomware/
- https://www.cisecurity.org/insights/blog/lynx-ransomware-pouncing-utilities
- https://www.halcyon.ai/attacks-news/emerging-threat-actor-lynx-ransomware
- https://www.ransomware.live/ransomnotes/lynx
- https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. Startups, product companies, and enterprises alike rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250 integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
Interested to learn more? Let’s start a conversation.