Threat Intelligence Report January 14 - January 20 2025

Lynx Ransomware: INC Ransomware Revamped

In July 2024, Red Piranha researchers identified a ransomware strain named Lynx, believed to be a direct successor—or “rebrand”—of the INC ransomware family. Since its emergence, Lynx has actively targeted diverse industries, including retail, real estate, architecture, financial, and environmental services across the United States and the United Kingdom. While INC ransomware initially impacted both Windows and Linux platforms, only Windows-based Lynx samples have been confirmed so far, operating under a ransomware-as-a-service (RaaS) model.

A comparative analysis of the Lynx and INC ransomware binaries revealed an overall similarity score of approximately 48%, with a 70.8% overlap in functions. Although these shared elements strongly suggest code reuse, Red Piranha emphasises that the available evidence alone does not definitively prove Lynx’s direct derivation from INC’s source code. Nevertheless, the similarities point to critical overlapping capabilities and tactics.

Detailed Tactics, Techniques, and Procedures (TTPs)

• Phishing Emails
  Lynx operators frequently utilise phishing emails carrying malicious attachments or embedded links. Unsuspecting users who open these attachments or click the links unwittingly install the ransomware.
• Malicious Downloads
  Compromised websites, fake software updates, and malicious advertisements (malvertising) can also deliver Lynx onto target systems.

• Termination of Key Services
  Lynx terminates processes and services—particularly those related to backups, databases, and security solutions—to prevent interference with the encryption process.
• Use of RestartManager and System APIs
  System APIs (e.g., EnumDependentServicesW, ControlService) help enumerate and stop dependent services, ensuring maximum coverage during the attack.

• Backup Removal
  By employing commands like vssadmin, Lynx deletes volume shadow copies to remove potential restore points, making data recovery more difficult for victims.
• Success Logs
  Internal logging indicates successful deletion with messages such as “Successfully delete shadow copies from %c:,” confirming the operation.

• Robust Encryption Algorithms
  Lynx uses AES-128 (often in CTR mode) and Curve25519 to encrypt victim files. This dual-layered approach matches the sophistication seen in high-profile ransomware families.
• Selective or Broad Targeting
  The ransomware can encrypt entire drives, network shares, or specific directories and file types through command-line options like --file, --dir , and --encrypt-network.
• .lynx Extension & Ransom Note
  Once encrypted, files receive a “.lynx” extension. The ransom note is encoded with Base64 and instructs victims to access Tor-based chat portals to negotiate or obtain decryption keys.

• Data Exfiltration
  Before encrypting data, Lynx exfiltrates sensitive information, leveraging the threat of public disclosure to pressure victims into paying.
• Anonymous Negotiation Channels
  Multiple Tor mirrors provide resilient, decentralised communication points. Even if one mirror is disrupted, attackers can remain operational through backups.

• Affiliate-Driven Model
  Lynx’s RaaS structure enables affiliates—who join for a portion of the ransom proceeds—to deploy the malware. This approach broadens the ransomware’s reach and fuels constant evolution in tactics.

Indicators of Compromise (IOCs)

Red Piranha has identified several URLs and onion addresses linked to Lynx ransomware activity:

• Suspicious Domain:
  hxxp://lynxblog.net/
• Onion Sites (for login and disclosures):
  • hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login
  • hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures
• Ransom Note Tor Mirrors:
  • hxxp://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login
  • hxxp://lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion/login
  • hxxp://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login
  • hxxp://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login

Security teams should monitor for network traffic or DNS queries associated with these URLs, as any activity might indicate a compromise.

IOCs

IP: lynxblog.net

176.53.146.99
185.185.70.215
185.254.158.169

Mitigations

1. Regular Backups and Offline Storage
2. Endpoint Protection and Monitoring
3. Network Segmentation
4. Patch Management and System Hardening
5. User Awareness and Phishing Prevention
6. Incident Response Preparedness

Ransomware Victims Worldwide

A recent ransomware analysis reveals that the United States remains the most heavily impacted nation, accounting for a staggering 44.54% of global incidents—underscoring its continued vulnerability to ransomware threats. Brazil follows with 5.04% of recorded attacks, highlighting a prominent threat in South America. Meanwhile, Canada, Spain, and Italy each contribute 4.2% of global incidents, reflecting persistent risks in North America and Europe alike. Australia stands at 3.36%, pointing to continued concerns in the Asia-Pacific region.

The UK, France, and Colombia each recorded 2.52% of attacks, while the Netherlands, Mexico, India, the Czech Republic, Germany, and Egypt each accounted for 1.68%. A broader range of countries—including Belgium, Thailand, Dominica, a portion of the United States reported simply as “USA,” Jamaica, Argentina, Uruguay, Indonesia, Jordan, Chile, Nigeria, an “Unknown” designation, Singapore, New Zealand, Ecuador, Malta, Mongolia, Poland, and Taiwan—each contributed 0.84% to the overall ransomware landscape.

This distribution illustrates the global and persistent nature of ransomware threats, with North America continuing to bear the brunt of attacks. The findings further emphasise the critical need for strengthened cybersecurity measures, proactive defence strategies, and heightened vigilance across all sectors to counter the unrelenting rise in ransomware incidents worldwide.