EXECUTIVE SUMMARY
A financially motivated threat group operating a ransomware-as-a-service model has rebranded its operations under the name Lynx ransomware. This actor actively targets organizations in the United States and United Kingdom, specifically focusing on sectors such as retail, real estate, architecture, and financial services. While the group claims to avoid critical infrastructure like hospitals and government entities, their primary objective remains financial gain through double extortion tactics. By encrypting victim data and threatening to leak stolen information, the attackers apply maximum pressure to secure ransom payments from affected businesses.
The attack chain typically begins with phishing emails or malicious downloads that deliver the payload to Windows systems. Once established, the malware searches for and terminates specific processes to ensure files can be modified, using system tools to access locked data. The ransomware then encrypts files using strong algorithms and appends a distinct extension while simultaneously deleting shadow copies and backup partitions to prevent easy recovery. Before locking the system, the actors exfiltrate sensitive data for extortion and maintain a persistent presence, retaining the stolen information so they can publish it if demands are not met.
This threat poses significant risks due to its ability to destroy local backups and exfiltrate data, leaving victims with few options for recovery without paying. The malware's capability to encrypt open files and network shares makes it highly disruptive across an entire infrastructure. Defending against this campaign requires a multi-layered approach that includes regular, offline backups and strict patch management to close entry points. Organizations should also deploy robust endpoint monitoring to detect unusual process activity and enforce email filtering to block the initial phishing attempts that often serve as the infection vector.
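The endpoint-monitoring point above can be made concrete. The following is an added example, not code from the Unit 42 report or from the Lynx operators: Python detection logic run over constructed Sysmon-style process-creation events, flagging the shadow-copy deletion and recovery-disabling command lines that the T1490 entry in the profile refers to, and escalating severity when several distinct recovery-inhibiting commands share one parent process. The event records and the specific Windows utility command patterns are assumptions of this example; this summary does not name the exact commands the payload runs.

```python
import re

# Constructed Sysmon-style process-creation events for illustration (not from the report).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4133, "ppid": 4120, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4140, "ppid": 4120, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 5000, "ppid": 700, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 5012, "ppid": 3100, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign enumeration: must not alert
]

# Command-line patterns for the recovery-inhibiting behaviour the profile files under T1490.
# Matched case-insensitively; the optional ".exe" covers both spellings seen in telemetry.
T1490_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
}

def detect_t1490(events):
    """Return one alert per event whose command line matches a T1490 rule."""
    alerts = []
    for ev in events:
        for name, pattern in T1490_RULES.items():
            if pattern.search(ev["cmdline"]):
                alerts.append({"pid": ev["pid"], "ppid": ev["ppid"], "rule": name})
    return alerts

def escalate(alerts):
    """Batch severity: a lone 'vssadmin delete shadows' can be a backup agent doing
    housekeeping, but several distinct recovery-inhibiting commands spawned by the same
    parent process is the pattern a ransomware payload produces."""
    by_parent = {}
    for a in alerts:
        by_parent.setdefault(a["ppid"], set()).add(a["rule"])
    if any(len(rules) >= 2 for rules in by_parent.values()):
        return "critical"
    return "high" if alerts else "none"

if __name__ == "__main__":
    found = detect_t1490(SAMPLE_EVENTS)
    for a in found:
        print(f"pid={a['pid']} ppid={a['ppid']} rule={a['rule']}")
    print("severity:", escalate(found))  # prints "severity: critical" for the sample batch
```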
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Resource Development | T1588.006 | Obtain Capabilities | Vulnerabilities |
| Initial Access | T1566 | Phishing | — |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Impact | T1490 | Inhibit System Recovery | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Discovery | T1083 | File and Directory Discovery | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following report contains further technical details:
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/