New Ransomware Group Lynx Emerges, Targets Multiple Sectors with Dual Extortion
On July 24, 2024, Rapid7 Labs released a report highlighting the emergence of the Lynx ransomware group. The group, active since July 2024, has already claimed over 20 victims across various sectors, using single and double extortion techniques.
Introduction
On July 24, 2024, Rapid7 Labs released a report highlighting the emergence of the Lynx ransomware group. The group, active since July 2024, has already claimed over 20 victims across various sectors, using single and double extortion techniques. According to the group’s press release, they claim to be “ethical” in their victim selection, avoiding governmental institutions, hospitals, and non-profits. However, their aggressive tactics and targeted extortion still pose a significant threat.
Lynx was first identified by cybersecurity researchers in July 2024. Since then, the group has quickly expanded its operations, striking multiple industries. The group operates similarly to many other ransomware organizations, demanding payment through a Tor-based portal and hosting a public blog and leaks page to pressure victims into compliance. Their declaration of ethical intentions raises skepticism, as their victims have still suffered data encryption and theft.
Lynx's rapid rise in the ransomware landscape aligns with a broader trend seen by Rapid7 Labs, which reported that 21 new or rebranded ransomware groups surfaced in the first half of 2024. Many of these groups are leveraging similar tactics, including the reuse or adaptation of previously known ransomware source code.
Report Overview
Lynx ransomware employs a series of highly effective techniques to maximize damage. Upon infecting a system, the ransomware begins by attempting to kill processes and services, especially those related to backup management. Using system APIs like EnumDependentServicesW
and ControlService
, it enumerates and halts dependent services to clear the way for data encryption.
A key focus of Lynx ransomware is the deletion of volume shadow copies. By using commands similar to vssadmin
, the ransomware ensures that backup files are destroyed, preventing easy restoration of the victim’s data. The string “Successfully delete shadow copies from %c:” was observed in the ransomware code, confirming this behavior.
For file encryption, Lynx targets local files, network shares, and even hidden drives. The ransomware can be configured to focus on specific files, directories, or network paths, increasing its precision. This functionality is represented by command-line options like --file
, --dir
, and --encrypt-network
, providing the operators flexibility in executing their attacks.
Underground discussions have suggested that Lynx may have obtained source code from a known group called INC ransomware. Rapid7 Labs conducted a binary comparison, revealing a 48% similarity between the two ransomware families, with function overlap reaching 70.8%. While the analysis indicates shared characteristics, it does not definitively confirm that Lynx was derived from INC’s code.
The connection between these groups highlights the potential for code reuse in the ransomware ecosystem. With such similarities, defenders need to remain vigilant in tracking not just new threats, but also potential rebrands and modifications of existing malware.
Insights and Analysis
Despite the group’s assertion of ethical targeting, Lynx’s methods clearly prioritize financial gain through coercion and extortion. Their use of public leaks and dual extortion tactics—where both data theft and encryption are leveraged—demonstrates their willingness to inflict damage on victims. The group’s choice to avoid specific sectors may be intended to bolster their public image, but it does little to mitigate the broader impact on businesses and organizations.
Organizations can protect themselves against Lynx and similar ransomware groups by implementing robust backup strategies that include offsite or immutable backups. Ensuring that shadow copies and backup services are protected from unauthorized deletion is critical in defending against ransomware.
Other defensive measures include regular patching, segmenting networks to limit lateral movement, and maintaining updated antivirus and anti-ransomware solutions. Finally, employee training on phishing and safe browsing habits remains a cornerstone of ransomware prevention.
Lynx is quickly becoming a group to watch in the evolving ransomware landscape. Their ethical claims are overshadowed by their aggressive tactics and focus on extortion. With similarities to INC ransomware, the potential for code sharing and evolution among these groups remains a critical concern for cybersecurity defenders. Staying vigilant and adopting strong preventative measures will be crucial in mitigating the risk posed by Lynx and other emerging ransomware threats.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
hxxp://lynxblog[.]net/ | URL | Lynx ransomware public blog and communication site. |
hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/ | URL | Lynx ransomware victim portal for negotiation and payment. |
hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/ | URL | Lynx ransomware leaks page used to pressure victims to pay. |
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Impact | Data Encrypted for Impact | T1486 | Encrypting victim files to deny access and demand ransom. |
Impact | Inhibit System Recovery | T1490 | Deletion of volume shadow copies to prevent file recovery. |
Defense Evasion | Impair Defenses: Disable Tools | T1562.001 | Disabling or tampering with system services to hinder defenses like backups. |
Defense Evasion | Indicator Removal on Host: File Deletion | T1070.004 | Deletion of files and logs to cover tracks and remove evidence of the attack. |
Comments ()