Lynx Ransomware Group Unveiled with Sophisticated Affiliate Program

Summary:
Lynx ransomware has emerged as a highly structured and sophisticated Ransomware-as-a-Service operation, demonstrating an industrial-scale approach to cybercrime. The group operates through a well-organized affiliate program, providing cybercriminals with access to a centralized panel that facilitates ransomware deployment, victim management, and data leak coordination. This panel is divided into multiple sections, including “News,” “Companies,” “Chats,” “Stuffers,” and “Leaks,” each serving distinct operational purposes. Affiliates are given the ability to configure victim profiles, generate customized ransomware payloads, and automate data-leak schedules, all within a streamlined interface. Lynx incentivizes participation with an aggressive 80/20 revenue split in favor of affiliates, ensuring strong recruitment and retention of skilled cybercriminals.

The ransomware itself is built for cross-platform compatibility, with binaries designed for Windows, Linux, and ESXi environments, covering a range of architectures such as ARM, MIPS, and PPC. This versatility allows affiliates to maximize their reach and effectiveness across diverse network infrastructures. Lynx provides multiple encryption modes—fast, medium, slow, and entire—allowing attackers to adjust the trade-off between speed and depth of file encryption. The ransomware employs Curve25519 Donna and AES-128 encryption, demonstrating a focus on robust cryptographic security. Additionally, a feature called “silent mode” enables affiliates to execute ransomware attacks stealthily, avoiding detection by traditional security measures.

Lynx also integrates double-extortion tactics, leveraging its dedicated leak site (DLS) to publicly expose stolen data if ransom payments are not made. This site serves as a pressure mechanism, coercing victims into compliance by threatening reputational damage and regulatory consequences. The “Leaks” section of the affiliate panel allows attackers to schedule publications, customize leaked company details, and manage ransom negotiations. Notably, Lynx operates a professionalized recruitment process, targeting experienced penetration testers and intrusion teams via dark web forums. Recruitment posts highlight the group’s capabilities, including advanced intrusion techniques, automated attack workflows, and a dedicated call center for harassing victims into submission.

Security Officer Comments:
Investigations into the Lynx RaaS group revealed that its ransomware closely resembles INC ransomware, with a 91% function match in its Linux ESXi variant, suggesting that Lynx may have purchased or adapted INC’s source code. The Windows version of Lynx ransomware has evolved to include command-line options that enhance operational flexibility, such as encryption speed adjustments, process termination, and network share encryption. The ransomware also manipulates Windows Restart Manager to terminate processes holding open file handles, so that locked files do not block encryption. Post-infection, it deletes shadow copies using a low-level DeviceIoControl() call rather than a visible vssadmin.exe command, effectively preventing victims from restoring data via volume snapshots.
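As an added defender-side example (not from the Group-IB write-up and not Lynx tooling), the PowerShell script below records a baseline count of VSS shadow copies per local volume and alerts when a volume that previously had snapshots suddenly has none. Because the deletion described above goes through DeviceIoControl() rather than vssadmin.exe, command-line monitoring alone misses it; inventorying the snapshots themselves does not depend on which API removed them. The baseline file path is an assumed location, and the script must run with administrator rights to enumerate Win32_ShadowCopy.

```powershell
# Added example, not from the original report: detect silent loss of VSS shadow copies.
# Assumption: $BaselinePath is a hypothetical location chosen for this illustration.
$BaselinePath = "$env:ProgramData\vss-baseline.json"

function Get-ShadowCopyCounts {
    # Returns a hashtable mapping drive letter (e.g. "C:") to its shadow-copy count.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy
    $counts  = @{}
    foreach ($v in $volumes) {
        # Win32_ShadowCopy.VolumeName carries the \\?\Volume{GUID}\ device ID, matching Win32_Volume.DeviceID
        $n = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID }).Count
        $counts[$v.DriveLetter] = $n
    }
    return $counts
}

function Save-ShadowCopyBaseline {
    # Run once after a known-good backup/snapshot cycle.
    Get-ShadowCopyCounts | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Test-ShadowCopyLoss {
    # Compares the live inventory against the baseline; returns one object per volume
    # that had snapshots at baseline time and has none now.
    if (-not (Test-Path $BaselinePath)) {
        Write-Warning "No baseline found; run Save-ShadowCopyBaseline first."
        return @()
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-ShadowCopyCounts
    $alerts   = @()
    foreach ($prop in $baseline.PSObject.Properties) {
        $vol    = $prop.Name
        $before = [int]$prop.Value
        $now    = if ($current.ContainsKey($vol)) { [int]$current[$vol] } else { 0 }
        if ($before -gt 0 -and $now -eq 0) {
            $alerts += [pscustomobject]@{ Volume = $vol; Before = $before; Now = $now }
        }
    }
    return $alerts
}

# Usage: save the baseline once, then schedule this check and forward any results to the SIEM.
$loss = Test-ShadowCopyLoss
if ($loss.Count -gt 0) {
    $loss | Format-Table -AutoSize
    Write-Warning "Shadow copies vanished on $($loss.Count) volume(s); treat as a possible ransomware precursor."
}
```

Snapshot counts legitimately fall when retention policies prune old copies, so the check only fires when a volume drops to zero; tune the baseline after every backup-policy change to avoid stale comparisons.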

The Linux variant of Lynx ransomware, while simpler in design, is optimized for ESXi environments. Attackers can specify files or directories for encryption and use multi-threading techniques to accelerate the process. The ransomware spawns encryption threads proportional to available CPU cores, optimizing efficiency while avoiding resource exhaustion. Additionally, the malware includes built-in commands to forcibly terminate virtual machines and delete snapshots, preventing quick recovery.

Suggested Corrections:
  • Prioritize software updates: Regularly apply critical updates to mitigate vulnerabilities
  • Implement multi-factor authentication (MFA): Use MFA, especially for privileged accounts, to add an extra layer of security
  • Deploy advanced endpoint detection and response (EDR) solutions: Utilize behavioral detection to identify ransomware indicators on managed endpoints
  • Regularly schedule backups: Maintain offline or network-segmented backups so they survive if attackers move laterally through the network
  • Conduct security awareness training: Educate employees on phishing and suspicious activities to reduce human error
  • Perform ongoing technical audits: Regularly assess infrastructure to uncover hidden weaknesses and ensure strict access control
  • Avoid paying ransoms: Paying attackers encourages further extortion; instead, contact experienced incident response teams

IOCs:
https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/

Link(s):
https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/