The first sample of the Lynx ransomware was made available on a publicly available file-scanning site in early July 2024, which coincides with other reports of its first availability.
Fortinet researchers found that the Lynx and INC ransomware, which first appeared in July 2023, look very similar.
However, INC offers fewer options at the execution phase. Researchers believe that INC ransomware is a predecessor to the Lynx ransomware. While INC ransomware is available for the Windows and ESXi platforms, analysts have not found a Lynx ransomware variant that affects non-Windows environments.
Figure 1: INC ransomware options
The screenshot above shows the different options and functions an INC ransomware sample can perform.
In contrast, the screenshot below shows what they are for a LYNX sample.
Figure 2: LYNX ransomware options
LYNX ransomware offers more granular control than INC. Like most ransomware, INC and LYNX encrypt files on victims' Windows machines. Both families use the same encryption methods. Furthermore, both families modify the desktop background to display the ransom note. At the same time, both try to send the ransom note to connected printers. These can be seen in the following screenshots.
Figure 3: INC ransomware
Figure 4: LYNX ransomware
Like other ransomware, both families demand a ransom for file decryption via the dropped ransom notes.
Infection Vector - Information on the infection vector used by the Lynx ransomware threat actor is unavailable. However, it is not likely to differ significantly from that of other ransomware groups.
Attack Method - When run, the Lynx ransomware accepts the following command-line arguments:
Option               Description
--file <filePath>    Encrypt only specified file(s)
--dir <dirPath>      Encrypt only specified directory/directories
--mode fast          Encrypt 5% from the entire file
--mode medium        Encrypt 15% from the entire file (default)
--mode slow          Encrypt 25% from the entire file
--mode entire        Encrypt 100% from the entire file
--Help               print this message
--verbose            Enable verbosity
--silent             Enable silent encryption (no extension and notes will be added)
--stop-processes     Try to stop processes via RestartManager
--encrypt-network    Encrypt network shares
--load-drives        Load hidden drives (will corrupt boot loader)
--hide-cmd           Hide console window
--no-background      Don't change the background image
--no-print           Don't print notes on printers
--kill               Kill processes/services
--safe-mode          Enter safe-mode
The Lynx ransomware always kills processes whose names contain the following strings to maximize damage:
• SQL
• Veeam
• Backup
• Exchange
• Java
• Notepad
It kills services whose names contain the following strings:
• SQL
• Veeam
• Backup
• Exchange
The Lynx ransomware then encrypts files on the compromised machines and adds a file extension “.LYNX” to the affected files.
Figure 5: Files encrypted by the Lynx ransomware
The ransomware avoids encrypting files in the following folders:
• Windows
• program files
• program files (x86)
• $RECYCLE.BIN
• Appdata
The Lynx ransomware avoids encrypting files with the following extensions:
• .exe
• .msi
• .dll
• .lynx
It also performs the following actions:
• empty the recycle bin
• mount drives for encryption
• delete shadow copies
• change the wallpaper to display the ransom note
• print a ransom note if any printers are connected to the infected computer
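The command-line switches in the options table and the ".LYNX" extension added to encrypted files are both usable as detection content. The following script, added here as an example and not part of the original report, triages constructed process-creation and file-creation events (the log format, host names and scoring thresholds are assumptions) and raises an alert when a process is launched with Lynx-specific switches or when a file with the Lynx extension appears.

```python
import json

# Command-line switches documented for the Lynx ransomware (from the options table).
LYNX_SWITCHES = {
    "--file", "--dir", "--mode", "--help", "--verbose", "--silent",
    "--stop-processes", "--encrypt-network", "--load-drives", "--hide-cmd",
    "--no-background", "--no-print", "--kill", "--safe-mode",
}
# Switches specific enough that a single hit is suspicious on its own (assumed weighting).
HIGH_CONFIDENCE = {"--encrypt-network", "--load-drives", "--stop-processes",
                   "--no-print", "--no-background"}
# Extension the ransomware appends to encrypted files.
LYNX_EXTENSION = ".lynx"


def score_command_line(cmdline: str) -> tuple[int, list[str]]:
    """Return (score, matched switches). Matching is case-insensitive because
    the help output lists '--Help' with mixed case."""
    tokens = set(cmdline.lower().split())
    hits = sorted(t for t in tokens if t in LYNX_SWITCHES)
    score = sum(3 if t in HIGH_CONFIDENCE else 1 for t in hits)
    return score, hits


def triage_events(lines):
    """Events are newline-delimited JSON (assumed format) with a 'type' of
    'process' or 'file', a 'host', and either 'cmdline' or 'path'."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process":
            score, hits = score_command_line(ev["cmdline"])
            # One high-confidence switch, or three generic ones, is enough to alert.
            if score >= 3 or len(hits) >= 3:
                alerts.append(("lynx_cmdline", ev["host"], hits))
        elif ev["type"] == "file" and ev["path"].lower().endswith(LYNX_EXTENSION):
            alerts.append(("lynx_extension", ev["host"], [ev["path"]]))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    '{"type":"process","host":"ws01","cmdline":"C:\\\\Temp\\\\upd.exe --encrypt-network --stop-processes --mode fast"}',
    '{"type":"process","host":"ws02","cmdline":"python.exe tool.py --verbose --silent"}',
    '{"type":"file","host":"fs01","path":"D:\\\\shares\\\\finance\\\\q4.xlsx.LYNX"}',
    '{"type":"file","host":"fs01","path":"D:\\\\shares\\\\finance\\\\q4.xlsx"}',
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

Generic switches such as --verbose or --silent are common in legitimate tools, so the thresholds deliberately require a Lynx-specific switch or several generic ones before alerting.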
The Lynx ransomware drops the following ransom note in “README.txt”:
Figure 6: The Lynx ransomware ransom note
The ransomware then replaces the desktop wallpaper with the same ransom message.
The oldest Lynx ransomware sample (SHA2: eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc) displays a slightly different ransom note. It contains different TOR sites and an attacker email address that was not found in other Lynx ransomware.
Figure 7: The ransom note of a Lynx ransomware sample with SHA2: eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc
The ransom note directs victims to a chat site operated by the attacker on TOR, where victims must first register with a unique ID.
Figure 8: Signup screen of the Lynx ransomware’s TOR site
Victimology and Data Leak Site - The Lynx ransomware has a data leak site that posts victim information, including data stolen from victims. As of this writing (January 29, 2025), the data leak site lists 96 victims, with the latest publication date being January 20, 2025. The Fortinet investigation found the following about the Lynx ransomware victims listed on the data leak site:
• The victims are spread out over 16 different countries.
• Over 60% of victims are located in the United States.
• Canada and the United Kingdom come in second with about 8%.
• Manufacturing is the industry most affected by this, with more than 20%.
• Construction comes in second with just under 20%.
Note that victims who paid the ransom may have been removed from the data leak site, and as such, the Lynx ransomware may affect additional companies.
Separate from the aforementioned chat site, the Lynx ransomware group operates a data leak site on TOR.
Figure 9: Top page of the Lynx ransomware’s data leak site on TOR
The Lynx ransomware group claims they have a policy to exclude “governmental institutions, hospitals, or non-profit organizations as these sectors play vital roles in society.” However, some victims listed on the data leak site are organizations believed to be in the healthcare and energy sectors.
Figure 10: The Lynx ransomware's code of conduct listed on the TOR site
As with other ransomware groups, each victim has its data leak page with a description of the stolen documents, the revenue of the victim organization, and the date the data was leaked.
Figure 11: Individual page of a victim organization
IOCs
Lynx Ransomware File IOCs
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com