
Executive summary
Lynx is a RaaS that emerged in mid-2024 as a successor/rebrand of INC ransomware. Public analyses show major code overlap with INC, Windows-focused payloads written in C++, and a professional affiliate program with leak portals and victim chat. As of Jan 29, 2025, Lynx’s leak site listed ~96 victims (heavily U.S., manufacturing & construction). Recent reporting highlights MSP targeting and fresh victims through Aug 2025. (Unit 42; Fortinet; IT Pro)
What makes Lynx different (operator & tooling traits)
- Rebrand/lineage: Strong functional/code similarity to INC; Lynx is widely assessed as its successor. (Unit 42)
- Crypto: Files encrypted with AES-128 (CTR); keys derived using Curve25519 (Donna); intermittent/percent-based modes (fast/medium/slow/entire). Adds the .lynx/.LYNX extension and drops README.txt. (Unit 42; Fortinet)
- Windows emphasis: Fortinet/Unit 42 primarily observe Windows builds; no broad in-the-wild non-Windows samples yet, though Group-IB documented cross-platform binaries inside the affiliate kit (Linux/ESXi/ARM/MIPS), with Linux not commonly seen in the wild. (Fortinet; SC Media)
- Kill & tamper set: Attempts to stop processes/services whose names contain SQL, Veeam, Backup, Exchange, Java, Notepad; deletes shadow copies, empties the recycle bin, changes the wallpaper, and even prints the ransom note to nearby printers. (Fortinet)
- Affiliate program: Structured panel (News, Companies, Chats, Leaks, Stuffers), white-glove victim comms, and a ~80/20 affiliate split reported. (SC Media; Blackpoint)
Recent activity snapshot (2025)
- MSP focus: Multiple sources flag Akira & Lynx campaigns against MSPs in 2025, expanding the blast radius to downstream clients. (IT Pro; Acronis)
- Fresh victim example: Hanson Chambers (Australia) listed on Lynx’s leak portal in late Aug 2025. (Adelaide Now; Cyber Daily)
Attack chain (MITRE ATT&CK highlights)
Initial access — TA0001
- Phishing + valid accounts (IAB-style access), malicious downloads; typical ransomware vectors. (Unit 42; darktrace.com)
Execution / Priv-Esc / Defense evasion — TA0002/TA0004/TA0005
- Command-line switches enable percent-based encryption, silent mode (no notes/extensions), process/service kills, and a safe-mode option. (Fortinet)
Discovery / Lateral movement — TA0007/TA0008
- Options to encrypt network shares and mount hidden drives; operators commonly pair the payload with standard red-team tools (varies by affiliate). (Fortinet)
Exfiltration — TA0010
- Double extortion via leak portal (Tor/clear-web mirrors). Exfil tooling is affiliate-chosen. (Unit 42)
Impact — TA0040
- AES+Curve25519 hybrid scheme; adds .lynx; note in README.txt; wallpaper change; optional printer spam. (Unit 42; Fortinet)
Artifacts & hunting cues (behavior > hashes)
- File markers: new .lynx/.LYNX extensions; README.txt dropped in many directories; desktop wallpaper swap. (Fortinet)
- Process/service kills: spikes on sql/veeam/backup/exchange/java strings; RestartManager used to close file handles. (nextron-systems.com)
- Printer abuse: sudden print jobs with ransom text to multiple printers. (Fortinet)
- Leak portal intel: lynxblog[.]net & Tor portals referenced in public reports; treat URLs as intel indicators only (don’t browse from corporate networks). (Unit 42)
Detection quick wins
Endpoint/EDR
- Sequence analytics: VSS deletion → service/process kills → wallpaper change/README.txt → high-volume renames within minutes. (Fortinet)
- Detect RestartManager-style file-handle kills and percent-based writes (bursts of partial-file encryption). (nextron-systems.com)
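The sequence analytic above, worked through as an added example for this post (it is not code from the original article or from any vendor cited in it). It assumes a simplified pipe-delimited event line, timestamp|host|kind|detail, that you would map from your EDR's real field names; the log lines, the 10-minute window and the 50-rename floor are constructed/assumed values. A host is only flagged when VSS deletion, a kill of a listed service, a wallpaper change or note drop, and a burst of .lynx renames all land inside one window, so an admin stopping Veeam for patching stays quiet:

```python
"""Sequence analytics for the Lynx impact chain over endpoint telemetry.

Added illustration for this post; not code from the original article or
from any vendor cited in it. Event schema, window and thresholds are
assumptions; the sample log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Kill-list strings from the post (matched case-insensitively).
KILL_STRINGS = ("sql", "veeam", "backup", "exchange", "java", "notepad")
LYNX_EXT = re.compile(r"\.lynx$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # assumed correlation window
RENAME_THRESHOLD = 50            # assumed "high-volume rename" floor

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str     # process | service_stop | registry | file_create | file_rename
    detail: str

def parse_line(line):
    ts, host, kind, detail = line.rstrip("\n").split("|", 3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)

def stage_of(ev):
    """Map one event to a stage of the chain, or None if it is irrelevant."""
    d = ev.detail.lower()
    if ev.kind == "process" and ("delete shadows" in d or "shadowcopy delete" in d):
        return "vss_delete"
    if ev.kind == "service_stop" and any(s in d for s in KILL_STRINGS):
        return "kill"
    if ev.kind == "registry" and d.endswith("\\control panel\\desktop\\wallpaper"):
        return "wallpaper"
    if ev.kind == "file_create" and d.endswith("\\readme.txt"):
        return "note"
    if ev.kind == "file_rename" and LYNX_EXT.search(d):
        return "rename"
    return None

def detect(events):
    """One finding per host where, inside WINDOW, we see VSS deletion, a
    listed service kill, a wallpaper change or note drop, and at least
    RENAME_THRESHOLD renames to .lynx. No single stage alone fires."""
    staged_by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            staged_by_host[ev.host].append((ev.ts, stage))
    findings = []
    for host, staged in staged_by_host.items():
        staged.sort()
        for i, (start, _) in enumerate(staged):
            window = [s for t, s in staged[i:] if t - start <= WINDOW]
            seen = set(window)
            renames = window.count("rename")
            if ("vss_delete" in seen and "kill" in seen
                    and seen & {"wallpaper", "note"}
                    and renames >= RENAME_THRESHOLD):
                findings.append({"host": host, "window_start": start,
                                 "stages": sorted(seen - {"rename"}),
                                 "renames": renames})
                break   # one finding per host is enough for an alert
    return findings

# Constructed sample telemetry: one compromised workstation and one server
# where an admin stopped a backup service for patching (no alert expected).
SAMPLE_LOG = [
    r"2025-03-01T10:00:00|WS-FIN-07|process|vssadmin.exe delete shadows /all /quiet",
    r"2025-03-01T10:00:05|WS-FIN-07|service_stop|MSSQLSERVER",
    r"2025-03-01T10:00:06|WS-FIN-07|service_stop|VeeamBackupSvc",
    r"2025-03-01T10:00:30|WS-FIN-07|registry|HKCU\Control Panel\Desktop\Wallpaper",
    r"2025-03-01T10:00:31|WS-FIN-07|file_create|C:\Finance\README.txt",
    r"2025-03-01T09:55:00|SRV-BKP-02|service_stop|VeeamBackupSvc",
    r"2025-03-01T09:56:10|SRV-BKP-02|file_create|C:\Program Files\Tool\README.txt",
] + [
    f"2025-03-01T10:01:{i:02d}|WS-FIN-07|file_rename|C:\\Finance\\q1\\report_{i}.xlsx -> report_{i}.xlsx.lynx"
    for i in range(60)
]

def run_sample():
    return detect(parse_line(line) for line in SAMPLE_LOG)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Tune WINDOW and RENAME_THRESHOLD to your fleet's normal rename rate; the stage mapping is the part you replace with your EDR's real event types.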
Identity/edge
- High-signal alerts for new VPN/RDP sessions + anomalous geos; push phishing-resistant MFA (FIDO2/WebAuthn) for MSP consoles and admin portals. (MSP targeting noted in 2025.) (IT Pro)
Network
- Watch for new SFTP/MEGA/Tor egress from servers; SMB share enumeration + large write bursts; printer spamming to many IPs. (Unit 42)
Mitigation priorities (that actually reduce risk)
- Harden MSP/SaaS access paths (separate admin tenants, per-customer MFA, IP allowlists; monitor for console logins off-hours). (IT Pro)
- Backups: immutable/offline, tested restores; store snapshots outside domain trust; protect hypervisor & backup servers from RDP/SMB exposure. (Fortinet)
- Disable/limit printer sprawl on servers; restrict who can print to network printers; monitor mass print events. (Fortinet)
- EDR hardening: block untrusted drivers, audit service stop attempts on SQL/Veeam/Exchange hosts; alert on shadow copy deletions. (Fortinet)
- Tabletop for double extortion: pre-draft legal/PR responses; assume data is exposed even if decryption is obtained. (Unit 42)
Rapid response playbook (print-friendly)
- Contain: isolate affected hosts; disable suspicious VPN/RDP sessions; block Tor & file-sharing egress.
- Preserve: snapshot VMs; collect AD/EDR/VPN logs; mirror any exfil destinations.
- Hunt: search for .lynx/README.txt, wallpaper changes, process/service kill strings, VSS deletions, and printer spam. (Fortinet)
- Eradicate: rotate creds; remove persistence (new admins, services, scheduled tasks); patch exposed apps used for entry.
- Recover: stage restores on segmented VLANs; throttle egress; validate with canary files.
- Notify: regulators & law enforcement as required; share indicators with sector ISACs.
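The file-marker hunt from the playbook's Hunt step, and the file markers listed under "Artifacts & hunting cues", as one added example for this post (not code from the original article or any cited vendor). It walks a tree for .lynx/.LYNX files and README.txt drops and adds a per-chunk entropy check, so that files encrypted in a percent-based/intermittent mode are told apart from files that were merely renamed; the directory layout, file contents, 1 KiB chunk size and 7.0-bit entropy cutoff are constructed/assumed values:

```python
"""Triage sweep for Lynx file markers (.lynx/.LYNX extensions and README.txt
drops) with a per-chunk entropy check, so files encrypted in an
intermittent/percent-based mode are told apart from merely renamed ones.

Added illustration for this post; not code from the original article or
from any cited vendor. The directory tree and file contents are constructed
sample data; CHUNK and HIGH_ENTROPY are assumed tuning values.
"""
import math
import os
import random
import tempfile
from collections import Counter

CHUNK = 1024          # entropy measured per 1 KiB block
HIGH_ENTROPY = 7.0    # bits per byte; ciphertext sits near 8.0, text near 4-5

def shannon_entropy(block):
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def encrypted_fraction(path):
    """Share of 1 KiB chunks that look like ciphertext (0.0 .. 1.0)."""
    high = total = 0
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            total += 1
            high += shannon_entropy(block) >= HIGH_ENTROPY
    return high / total if total else 0.0

def sweep(root):
    """Walk root; report every .lynx/.LYNX file with its encrypted fraction,
    plus how many directories received a README.txt drop."""
    hits, note_dirs, dirs_scanned = [], 0, 0
    for dirpath, _, files in os.walk(root):
        dirs_scanned += 1
        if any(f.lower() == "readme.txt" for f in files):
            note_dirs += 1
        for f in files:
            if f.lower().endswith(".lynx"):          # catches .LYNX as well
                p = os.path.join(dirpath, f)
                hits.append({"path": os.path.relpath(p, root),
                             "encrypted_fraction": encrypted_fraction(p)})
    hits.sort(key=lambda h: h["path"])
    return {"lynx_files": hits, "note_dirs": note_dirs,
            "dirs_scanned": dirs_scanned}

# --- constructed sample tree (placeholder contents, not a real note) ---
_rng = random.Random(1234)
TEXT = (b"Quarterly revenue summary for the finance team.\n" * 200)[:4096]

def _noise(n):
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

def build_sample_tree(root):
    layout = {
        "finance/q1.xlsx.lynx":  _noise(8192),          # fully encrypted
        "finance/README.txt":    b"placeholder note",
        "hr/policy.docx.lynx":   TEXT + _noise(4096),   # half: percent-based mode
        "hr/README.txt":         b"placeholder note",
        "it/decoy.txt.LYNX":     TEXT,                  # renamed, never encrypted
        "it/README.txt":         b"placeholder note",
        "public/notes.txt":      TEXT,                  # untouched directory
    }
    for rel, data in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

def run_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root)

if __name__ == "__main__":
    print(run_sample())
```

Point sweep() at a mounted forensic image or a suspect share; the encrypted fraction per file tells you which encryption mode ran and which files might still be partially recoverable, and note_dirs versus dirs_scanned gives a quick blast-radius figure.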
Sources / further reading
- Unit 42 (Oct 10, 2024) — Lynx as INC rebrand; AES-128 CTR + Curve25519; Windows/C++; leak/blog infrastructure. (Unit 42)
- Fortinet (Feb 14, 2025) — options, kill list, .LYNX/README.txt, printer notes; 96 victims as of Jan 29, 2025 with sector/geography split. (Fortinet)
- Nextron Systems (Oct 11, 2024) — deep dive incl. RestartManager use and Curve25519 → AES key derivation. (nextron-systems.com)
- SC Media / Group-IB (Jan 29, 2025) — affiliate panel features, cross-platform kit (Linux/ESXi/ARM/MIPS), ~80/20 split. (SC Media)
- Acronis TRU / ITPro (Aug 2025) — MSP targeting trend for Akira & Lynx. (Acronis; IT Pro)
- Recent victim (Aug 27, 2025): Hanson Chambers listed on Lynx leak site (Australia). (Adelaide Now; Cyber Daily)
#CyberDudeBivash #Lynx #INC #RaaS #Ransomware #DoubleExtortion #MSPSecurity #MITREATTACK #DFIR #XDR #ThreatIntel