Lynx, a new ransomware variant, has been rising through the ranks of cyber threats since its initial release in mid-2024.
Operating under a Ransomware-as-a-Service (RaaS) model, Lynx targets organizations globally through double extortion campaigns, combining file encryption with systematic data theft.
Recent analyses by Darktrace and other cybersecurity firms reveal its technical sophistication, including code reuse from the INC ransomware family and novel attack vectors designed to maximize operational disruption.
Lynx ransomware distinguishes itself through its hybrid encryption approach, leveraging AES-128 in CTR mode for symmetric encryption and Curve25519 Donna for asymmetric key exchange.
This dual-layer strategy ensures that even if one encryption component is compromised, the data remains inaccessible without the private key.
The malware appends the .LYNX extension to encrypted files and employs a partial encryption method, overwriting 1MB of every 6MB of a file to balance speed and effectiveness. Files under 1MB are fully encrypted to prevent recovery.
The group’s command-line interface allows affiliates to customize attacks using flags such as --encrypt-network to target shared drives and --no-print to disable the ransomware’s unique feature of spamming ransom notes to connected printers.
These notes, typically named README.txt, are Base64-encoded and include payment instructions tied to Tor-based communication channels.
Infection Vectors and Lateral Movement
Initial access frequently occurs via phishing campaigns deploying malicious attachments or links.
Once inside a network, Lynx operators conduct lateral movement using compromised administrative credentials.
Darktrace observed widespread use of default usernames like admin and Administrator across NTLM and Kerberos authentication protocols, suggesting credential stuffing or brute-force attacks.
Attackers then exploit Server Message Block (SMB) vulnerabilities over port 445 to enumerate file shares and deploy encryption payloads.
In one December 2024 incident, the lateral movement involved Nmap-based network scanning and anomalous bind attempts to service control endpoints, both indicative of reconnaissance activity.
Post-compromise, the ransomware terminates processes related to backups and security tools and uses the DeviceIoControl function to delete Volume Shadow Copies (VSS), crippling restoration capabilities.
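A detection check for the credential abuse described above, written as an added example rather than taken from Darktrace's or any vendor's tooling: it groups failed logons against the default admin account names by source host, counts NTLM and Kerberos attempts together, flags bursts that cross a threshold, and notes whether a successful logon from the same host followed. The log format, hosts, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not from the article), one per line:
# "timestamp | source host | account | protocol | result".
SAMPLE_AUTH_LOG = """\
2024-12-03T02:14:01 | 10.0.5.17 | admin | NTLM | FAIL
2024-12-03T02:14:02 | 10.0.5.17 | Administrator | NTLM | FAIL
2024-12-03T02:14:04 | 10.0.5.17 | admin | Kerberos | FAIL
2024-12-03T02:14:05 | 10.0.5.17 | Administrator | Kerberos | FAIL
2024-12-03T02:14:07 | 10.0.5.17 | admin | NTLM | FAIL
2024-12-03T02:14:09 | 10.0.5.17 | Administrator | NTLM | SUCCESS
2024-12-03T02:20:00 | 10.0.9.4 | jsmith | Kerberos | SUCCESS
2024-12-03T02:21:00 | 10.0.9.4 | jsmith | Kerberos | FAIL
"""
DEFAULT_ADMIN_NAMES = {"admin", "administrator"}

def parse_events(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, proto, result = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "proto": proto, "result": result})
    return events

def detect_default_account_bruteforce(events, window=timedelta(minutes=5), threshold=4):
    """Flag a source host with `threshold` or more failed logons against default
    admin account names inside `window`, counting NTLM and Kerberos together.
    Each alert records whether a successful logon from that host followed the burst."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"].lower() in DEFAULT_ADMIN_NAMES:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                hit = any(e["result"] == "SUCCESS" and e["ts"] > last_fail for e in evs)
                alerts.append({"src": src, "failures": len(burst),
                               "protocols": sorted({e["proto"] for e in burst}),
                               "followed_by_success": hit})
                break  # one alert per source is enough for triage
    return alerts
```

A burst followed by a success is the case to escalate first, since it matches the pattern of guessed credentials then being used for lateral movement.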
Lynx’s double extortion strategy involves exfiltrating sensitive data to cloud storage platforms like AWS S3 (e.g., wt-prod-euwest1-storm.s3.eu-west-1.amazonaws[.]com) using exfiltration tools such as WinSCP and rclone.
Researchers documented a case where 150 GiB of data was extracted from internal devices over port 3260 before being uploaded externally.
To obfuscate these transfers, attackers abuse legitimate remote management tools like AnyDesk, establishing connections to domains such as relay-48ce591e[.]net[.]anydesk[.]com to maintain persistence.
The group escalates pressure by gradually leaking stolen data (“drip-feeding”) and threatening public exposure. In January 2025, this tactic impacted Hunter Taubman Fischer & Li LLC, a U.S. law firm, where leaked client data exposed sensitive corporate litigation details.
Mitigation
Organizations are advised to:
- Enforce multi-factor authentication (MFA) for administrative accounts
- Monitor SMB traffic for anomalous read/write volumes
- Restrict outbound connections to uncommon cloud storage endpoints
- Segment networks to limit lateral movement
The reuse of INC ransomware’s source code highlights a troubling trend: cybercriminals are increasingly repurposing existing malware to lower development barriers.
As Lynx continues to evolve, its blend of technical sophistication and psychological warfare ensures it remains a critical threat to global enterprises in 2025 and beyond.