Lynx
Lynx is a ransomware family and ransomware-as-a-service (RaaS) operation first observed in mid-2024. Reporting consistently describes it as using double extortion, combining file encryption with data exfiltration and leak-site pressure, although some reporting also notes single-extortion cases. Lynx is widely assessed to be closely related to, a successor to, or possibly a rebrand/spin-off of INC Ransom; multiple sources note significant overlap with INC, including a reported 48% source-code similarity and similar on-chain laundering behavior. Some reporting also notes TTP overlap with historical Nemty, Nemty X, Karma, and Nokoyawa operations.
Functionally, Lynx can encrypt local files, network shares, and mounted or hidden drives, append the .lynx extension to encrypted files, drop a readme.txt ransom note, and use victim portals, public blogs, leak pages, and Tor-based chat infrastructure for negotiations and coercion. Reported capabilities include terminating processes and services that may interfere with encryption, stopping dependent services via Windows APIs, deleting shadow copies and backup-related artifacts to hinder recovery, selectively encrypting specified files/directories/network shares via command-line options, setting a ransom note as wallpaper, and printing ransom notes to connected printers. Acronis reported the analyzed Lynx sample as a PE32 encryptor using AES with ECC-derived keying; Rapid7 reported Base64-obfuscated ransom-note content embedded in the binary and identified hardcoded infrastructure including lynxblog[.]net and multiple .onion victim/leak URLs.
Observed and reported initial access vectors include phishing emails, exploitation of public-facing or unpatched internet-facing systems, compromised or purchased credentials, and use by affiliates recruited on Russian-language underground forums. Reporting also places Lynx among ransomware families observed following an "EDR killer -> ransomware" sequence. CERT Intrinsec observed Lynx among ransomware families used in French intrusions in 2025, where ransomware incidents consistently involved data exfiltration before encryption, frequent targeting of hypervisors and backup infrastructure, and deployment from compromised infrastructure servers or domain controllers.
Victimology in the provided reporting spans multiple sectors, with explicit mentions of finance, architecture, manufacturing, logistics, retail, real estate, financial services, environmental services, healthcare, and industrial environments. Unit 42 reporting cited attacks on multiple US facilities between July and November 2024, including energy, oil, and gas-related victims. Additional cited victims or claimed victims include Electrica Group in Romania, Dodd Group in the UK defense-contractor ecosystem, TriMed, Empire Group, True World Group, Rose Acre Farms, and a Chattanooga CBS affiliate television station. Reporting also states that Lynx has targeted organizations in the US and UK and has been active in Oceania and in healthcare-related incidents.
Several sources characterize Lynx as Russian-speaking or Russia-linked, though the content does not provide definitive attribution. It is repeatedly described as a successor to INC or closely tied to INC rather than as a fully distinct lineage. High-confidence indicators mentioned in the content include the .lynx encrypted-file extension, readme.txt ransom note, the clearnet URL hxxp://lynxblog[.]net/, and the .onion URLs hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login and hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures, as well as a reported sample SHA-256 of 571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b.
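The indicators above are published defanged (hxxp, [.]), so a hunt first has to refang them and then look for the on-host behaviour the profile describes (mass renames to .lynx, a dropped readme.txt) alongside the network and hash matches. The following is an added example, not code from the profile or any vendor; the telemetry rows are constructed, and the event field names and the rename threshold are assumptions.

```python
from collections import Counter

# Lynx indicators listed in the profile above, kept defanged as published
LYNX_IOCS = {
    "domain": ["lynxblog[.]net",
               "lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion",
               "lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion"],
    "sha256": ["571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b"],
}
RENAME_THRESHOLD = 3  # assumed: .lynx renames per host before calling it mass encryption

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://").lower()

def hunt_lynx(events):
    """Scan (host, event_type, value) rows for the Lynx indicators above. event_type is
    file_rename ("old -> new"), file_create (path), dns_query (name) or process_start (sha256)."""
    domains = {refang(d) for d in LYNX_IOCS["domain"]}
    hashes = {h.lower() for h in LYNX_IOCS["sha256"]}
    renames, alerts = Counter(), []
    for host, etype, value in events:
        v = value.lower()
        if etype == "file_rename" and v.endswith(".lynx"):
            renames[host] += 1  # counted per host; one rename alone is not an alert
        elif etype == "file_create" and v.rsplit("\\", 1)[-1] == "readme.txt":
            alerts.append(f"{host}: ransom note candidate dropped at {value}")
        elif etype == "dns_query" and v.rstrip(".") in domains:
            alerts.append(f"{host}: lookup of Lynx infrastructure {value}")
        elif etype == "process_start" and v in hashes:
            alerts.append(f"{host}: known Lynx sample hash executed")
    for host, n in renames.items():
        if n >= RENAME_THRESHOLD:
            alerts.append(f"{host}: {n} files renamed to .lynx (mass encryption)")
    return alerts

# Constructed sample telemetry, not captured from a real incident
SAMPLE_EVENTS = [
    ("ws01", "dns_query", "lynxblog.net"),
    ("ws01", "process_start", "571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b"),
    ("ws01", "file_rename", r"C:\Users\a\Docs\q3.xlsx -> C:\Users\a\Docs\q3.xlsx.lynx"),
    ("ws01", "file_rename", r"C:\Users\a\Docs\plan.docx -> C:\Users\a\Docs\plan.docx.lynx"),
    ("ws01", "file_rename", r"\\fs01\share\db.bak -> \\fs01\share\db.bak.lynx"),
    ("ws01", "file_create", r"C:\Users\a\Docs\readme.txt"),
    ("ws02", "file_rename", r"C:\tmp\a.txt -> C:\tmp\a.txt.bak"),  # benign rename
    ("ws02", "dns_query", "example.com"),
]
```

Running hunt_lynx(SAMPLE_EVENTS) yields four alerts, all for ws01; the single benign rename and unrelated lookup on ws02 produce none.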
Groups observed using it
1 distinct threat actor attributed by public researchers.
“Akira and Lynx: … Lynx might be a rebrand of the INC ransomware group.”
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Lateral Movement: 1 technique
"PsExec and direct access to administrative shares (ADMIN$, C$, etc.) remained present in some engagements... The most common approach involved executing the ransomware binary from a single compromised system — typically a domain controller or infrastructure server — and encrypting data on remote systems through administrative shares (ADMIN$, C$)."
Exfiltration: 2 techniques
“Lynx… employs double extortion tactics… can steal sensitive information and encrypt the victim’s data…” / “Attackers typically encrypt systems after exfiltrating sensitive data.” / “Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data…”
ShinyHunters is a data extortion group specializing in large-scale data breaches and exposure of stolen datasets. In 2026, the group targeted healthcare-adjacent organizations, including medical technology companies, focusing on mass data exfiltration and leak-based extortion rather than encryption.
Impact: 2 techniques
Ransomware operations have also become faster, with negotiations often beginning within hours of data exfiltration.
Prior to encryption, attackers systematically targeted backup infrastructure and virtualization platforms to maximize impact and eliminate recovery options: Hypervisors (VMware ESXi, Hyper-V) – Destruction or encryption of virtual machines at the hypervisor level; Backup infrastructure (Veeam) – Access via compromised privileged accounts or exploitation of known Veeam vulnerabilities to delete or encrypt backup repositories.
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
Ransomware using double extortion, combining file encryption with data theft to pressure victims.
A ransomware brand identified by Google as one of the most active in 2025.
RaaS ransomware using double extortion (data theft + encryption), appends the .lynx extension to encrypted files, and deletes backups (e.g., shadow copies) to hinder recovery.
Named as a ransomware/RaaS operation with TTP overlap similar to INC Ransom (no additional functional details provided in the advisory).