Threat Advisory

Lynx Ransomware Emerges As INC Ransomware Successor

Threat: Ransomware
Targeted Region: United States, United Kingdom
Targeted Sector: Technology & IT, Retail & E-commerce
Criticality: High

EXECUTIVE SUMMARY

A financially motivated threat group operating a ransomware-as-a-service model has rebranded its operations under the name Lynx ransomware. This actor actively targets organizations in the United States and United Kingdom, specifically focusing on sectors such as retail, real estate, architecture, and financial services. While the group claims to avoid critical infrastructure like hospitals and government entities, their primary objective remains financial gain through double extortion tactics. By encrypting victim data and threatening to leak stolen information, the attackers apply maximum pressure to secure ransom payments from affected businesses.

The attack chain typically begins with phishing emails or malicious downloads that deliver the payload to Windows systems. Once established, the malware searches for and terminates specific processes so that the files they hold open can be modified, using system tools to access locked data. The ransomware then encrypts files with strong algorithms and appends a distinct extension, while simultaneously deleting shadow copies and backup partitions to prevent easy recovery. Before locking the system, the actors exfiltrate sensitive data for extortion and threaten to publish it if their demands are not met.

This threat poses significant risks due to its ability to destroy local backups and exfiltrate data, leaving victims with few options for recovery without paying. The malware's capability to encrypt open files and network shares makes it highly disruptive across an entire infrastructure. Defending against this campaign requires a multi-layered approach that includes regular, offline backups and strict patch management to close entry points. Organizations should also deploy robust endpoint monitoring to detect unusual process activity and enforce email filtering to block the initial phishing attempts that often serve as the infection vector.
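The advisory's recommendation to monitor for unusual process activity can be made concrete for the backup-destruction step it describes. The following is an added example (not code from the advisory or from Unit 42) that runs a small set of T1490 detection rules over constructed process-creation events in a Sysmon Event ID 1 / Windows 4688 style, ignores benign read-only use of the same utilities, and correlates several recovery-inhibiting commands spawned by one parent into a single higher-confidence alert. The event fields, sample values and thresholds are assumptions chosen for the example.

```python
import re

# Constructed sample process-creation events for this example (not from the advisory).
# Event 4150 is benign read-only use of vssadmin and must NOT be flagged.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4131, "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 4140, "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4150, "parent": "explorer.exe", "cmdline": "vssadmin.exe list shadows"},
    {"pid": 4160, "parent": "explorer.exe", "cmdline": 'notepad.exe "C:\\Users\\u\\notes.txt"'},
]

# Detection rules: ATT&CK ID from the advisory's threat profile, a label, and a
# case-insensitive regex over the full command line. These are the documented
# T1490 (Inhibit System Recovery) command patterns used by many ransomware families.
RULES = [
    ("T1490", "Volume shadow copies deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Shadow copies deleted via WMI", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Windows recovery environment disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("T1490", "Backup catalog deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def scan_events(events):
    """Return (pid, technique_id, label) for every event whose command line matches a rule.

    Only the first matching rule per event is reported, so one process yields one alert.
    """
    hits = []
    for ev in events:
        for technique, label, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], technique, label))
                break
    return hits


def correlate(events, threshold=2):
    """Group matching events by parent process.

    A single parent that spawns `threshold` or more recovery-inhibiting children within
    the batch is returned as a probable pre-encryption sequence, which is a much stronger
    signal than any one command on its own. Returns {parent: [child pids]}.
    """
    by_parent = {}
    for pid, _, _ in scan_events(events):
        parent = next(ev["parent"] for ev in events if ev["pid"] == pid)
        by_parent.setdefault(parent, []).append(pid)
    return {parent: pids for parent, pids in by_parent.items() if len(pids) >= threshold}
```

In production the same rules would be fed from the SIEM's process-creation events rather than an inline list, and the correlation window would be bounded by time as well as by parent process.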

THREAT PROFILE:

Tactic               | Technique ID | Technique                          | Sub-technique
---------------------|--------------|------------------------------------|---------------------------
Resource Development | T1588.006    | Obtain Capabilities                | Vulnerabilities
Initial Access       | T1566        | Phishing                           | -
Initial Access       | T1189        | Drive-by Compromise                | -
Execution            | T1059.003    | Command and Scripting Interpreter  | Windows Command Shell
Impact               | T1490        | Inhibit System Recovery            | -
Defense Evasion      | T1562.001    | Impair Defenses                    | Disable or Modify Tools
Discovery            | T1083        | File and Directory Discovery       | -
Exfiltration         | T1041        | Exfiltration Over C2 Channel       | -
Impact               | T1486        | Data Encrypted for Impact          | -


REFERENCES:

The reports contain further technical details:
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/