
Lynx Ransomware

Lynx is a ransomware family first observed in 2024 and reported as a new strain seen in active intrusions. Public reporting assesses it as part of the lineage that evolved from INC Ransomware, and later reporting assesses Sinobi as a likely rebrand or successor of Lynx; a binary comparison cited in that reporting found 63.2% function similarity between Lynx and Sinobi samples, which is consistent with substantial code reuse or a shared source lineage rather than an independent codebase.

Lynx uses a hybrid cryptographic scheme: AES-128 in CTR mode for file contents and Curve25519 (reported as the curve25519-donna implementation) for the asymmetric key exchange that protects the file keys. The practical consequence is that the encryptor only ever needs the operator's public key, so encrypted files cannot be recovered from anything left on the victim host without the operator's private key. Reporting on the successor/rebrand activity describes per-file keys generated with CryptGenRandom; termination of SQL Server, backup and Microsoft Exchange processes to release the file locks they hold; deletion of Volume Shadow Copies; clearing of the Recycle Bin; mounting of hidden drives; and replacement of the desktop wallpaper. The related family drops a README.txt ransom note with Tor-based negotiation instructions and a typical seven-day deadline.
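To make the key-handling consequence concrete, the following is an added worked example written for this page (it is not Lynx code, and it uses Go's standard library in place of the curve25519-donna and CryptGenRandom routines the reports name). It implements the hybrid pattern just described on an in-memory buffer: a random AES-128 key and IV encrypt the data in CTR mode, an ephemeral X25519 exchange against an operator public key derives a wrap key, and the wrapped file key travels in a trailer after the ciphertext. The trailer layout and the SHA-256 wrap-key derivation are this example's own assumptions; the page does not describe the real on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	fileKeyLen = 16 // AES-128 per-file key
	ivLen      = aes.BlockSize
	pubLen     = 32 // X25519 public key
	trailerLen = pubLen + fileKeyLen + ivLen
)

// ctrXor runs AES-CTR over src into dst; CTR is symmetric, so one routine both
// encrypts and decrypts. Key lengths are fixed by the callers, hence the panic.
func ctrXor(key, iv, src, dst []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
}

// deriveWrapKey turns the X25519 shared secret into a key and IV for wrapping the
// per-file key. Plain SHA-256 is an assumption made for brevity, not Lynx's KDF.
func deriveWrapKey(shared []byte) (key, iv []byte) {
	sum := sha256.Sum256(shared)
	return sum[:fileKeyLen], sum[fileKeyLen : fileKeyLen+ivLen]
}

// encryptBuffer: fresh random file key + IV encrypt plain in CTR mode; an ephemeral
// X25519 key agrees a secret with the operator's public key, and that secret wraps
// the file key. Layout: ciphertext || ephemeralPub(32) || wrappedFileKey(16) || fileIV(16).
func encryptBuffer(plain []byte, operatorPub *ecdh.PublicKey) ([]byte, error) {
	seed := make([]byte, fileKeyLen+ivLen)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	fileKey, fileIV := seed[:fileKeyLen], seed[fileKeyLen:]
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	kek, kiv := deriveWrapKey(shared)
	out := make([]byte, len(plain)+trailerLen)
	ctrXor(fileKey, fileIV, plain, out[:len(plain)])
	t := out[len(plain):]
	copy(t[:pubLen], eph.PublicKey().Bytes())
	ctrXor(kek, kiv, fileKey, t[pubLen:pubLen+fileKeyLen])
	copy(t[pubLen+fileKeyLen:], fileIV)
	return out, nil
}

// decryptBuffer is what a decryptor needs: only the operator's private key can
// re-derive the wrap key, unwrap the per-file key and recover the data.
func decryptBuffer(blob []byte, operatorPriv *ecdh.PrivateKey) ([]byte, error) {
	if len(blob) < trailerLen {
		return nil, errors.New("blob shorter than key trailer")
	}
	ct, t := blob[:len(blob)-trailerLen], blob[len(blob)-trailerLen:]
	ephPub, err := ecdh.X25519().NewPublicKey(t[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	kek, kiv := deriveWrapKey(shared)
	fileKey := make([]byte, fileKeyLen)
	ctrXor(kek, kiv, t[pubLen:pubLen+fileKeyLen], fileKey)
	plain := make([]byte, len(ct))
	ctrXor(fileKey, t[pubLen+fileKeyLen:], ct, plain)
	return plain, nil
}

// roundTrip encrypts a sample to a freshly generated operator key, then decrypts
// with that key and with an unrelated key; it reports whether each recovered the
// plaintext. Internal failures panic because this is a demonstration.
func roundTrip(sample []byte) (withOperatorKey, withWrongKey bool) {
	operator, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	other, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	blob, err := encryptBuffer(sample, operator.PublicKey())
	if err != nil {
		panic(err)
	}
	good, _ := decryptBuffer(blob, operator)
	bad, _ := decryptBuffer(blob, other)
	return bytes.Equal(good, sample), bytes.Equal(bad, sample)
}

func main() {
	ok, wrong := roundTrip([]byte("constructed sample document contents"))
	fmt.Println("operator key recovers plaintext:", ok, "| unrelated key recovers plaintext:", wrong)
}
```

The asymmetry is the operationally important point: the binary, a memory dump taken after encryption, and the file trailer all contain only public material, so a decryptor exists only if the operator's private key is obtained. It is also why encrypted samples should be preserved intact during response: the wrapped per-file key travels with each file, and a later key release is useless if the trailer has been truncated or overwritten.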

Observed intrusion activity associated with Lynx begins with initial access over RDP using valid compromised credentials on an internet-exposed host. In the documented March 2025 intrusion the actor moved laterally via RDP, created privileged look-alike accounts for persistence, performed network discovery with native tools and SoftPerfect Network Scanner, used NetExec for SMB enumeration and password spraying, collected data from network shares, compressed it with 7-Zip and exfiltrated it via temp.sh, deleted Veeam backup jobs, and then deployed Lynx across multiple backup and file servers via RDP. The payload in that case was named w.exe and was executed with arguments including "--dir E:\ --mode fast --verbose --noprint", which point the encryptor at a specific drive rather than at everything the host can reach; the same switch set is therefore a better hunting anchor than the file name, which costs the operator nothing to change.

Lynx is tied to double-extortion tradecraft both in the documented intrusion (data collected and exfiltrated before encryption) and through its assessed successor, which applies pressure via Tor-based leak infrastructure. Targeting described for the related operation includes medium-to-large organizations, especially where downtime is costly, with victims in manufacturing, healthcare, financial services and education, many of them in the United States. High-confidence observables stated directly for Lynx are the payload name w.exe in one intrusion and deployment over RDP to backup and file servers; related lineage reporting also references generic payload names such as bin.exe and README.txt ransom notes. Treat file names as low-fidelity pivots and the deployment pattern (RDP to backup infrastructure after backup jobs are deleted) as the durable one.
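The process-creation artefacts described above (the w.exe switch set, shadow-copy deletion and service stops ahead of encryption) can be turned into simple detection logic. The following Go program is an added example for this page, not code from any vendor report or from the Mallory platform; it runs three rules over constructed Sysmon Event ID 1 / Security 4688-style events (host names, paths and command lines are invented for the example) and reports which rule fired where.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a minimal process-creation record in the shape of Sysmon Event ID 1
// or Windows Security 4688.
type Event struct {
	Host        string
	Image       string
	CommandLine string
}

// Alert records which rule fired on which host, with the triggering command line.
type Alert struct {
	Rule, Host, Evidence string
}

// lynxFlags are the switches reported for the w.exe payload in the documented
// intrusion plus --encrypt-network from the vendor analysis quoted on this page.
// Matching is done on a lower-cased command line, so these are lower-case.
var lynxFlags = []string{"--dir ", "--mode ", "--verbose", "--noprint", "--encrypt-network"}

// Generic T1490 command lines (not Lynx-specific): vssadmin and wmic shadow-copy deletion.
var shadowDeletion = regexp.MustCompile(`(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)`)

// Command-line service stops aimed at backup, SQL Server or Exchange. Lynx itself
// stops services through the Service Control Manager API (ControlService), which
// leaves System log 7036 events rather than a process creation, so this rule only
// catches the hands-on-keyboard variant.
var serviceStop = regexp.MustCompile(`(?i)\b(net1?|sc)(\.exe)?\s+stop\s+\S*(veeam|sql|exchange|backup)`)

// sampleEvents are constructed for this example; hosts, paths and command lines are invented.
var sampleEvents = []Event{
	{"BKP01", `C:\Users\Public\w.exe`, `w.exe --dir E:\ --mode fast --verbose --noprint`},
	{"BKP01", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe delete shadows /all /quiet`},
	{"FS02", `C:\Windows\System32\net.exe`, `net stop VeeamBackupSvc`},
	{"WS07", `C:\Windows\System32\vssadmin.exe`, `vssadmin list shadows`},
	{"WS07", `C:\Tools\build.exe`, `build.exe --verbose --dir C:\out`},
}

// countFlags returns how many of the documented Lynx switches appear in a command line.
func countFlags(cmdline string) int {
	n := 0
	lower := strings.ToLower(cmdline)
	for _, f := range lynxFlags {
		if strings.Contains(lower, f) {
			n++
		}
	}
	return n
}

// scan applies the three rules to every event. The payload rule requires at least
// three of the five switches so that a lone --verbose or --dir does not fire.
func scan(events []Event) []Alert {
	var alerts []Alert
	for _, ev := range events {
		if countFlags(ev.CommandLine) >= 3 {
			alerts = append(alerts, Alert{"lynx_payload_cmdline", ev.Host, ev.CommandLine})
		}
		if shadowDeletion.MatchString(ev.CommandLine) {
			alerts = append(alerts, Alert{"shadow_copy_deletion", ev.Host, ev.CommandLine})
		}
		if serviceStop.MatchString(ev.CommandLine) {
			alerts = append(alerts, Alert{"backup_service_stop", ev.Host, ev.CommandLine})
		}
	}
	return alerts
}

// countByRule summarises alerts per rule name.
func countByRule(alerts []Alert) map[string]int {
	out := map[string]int{}
	for _, a := range alerts {
		out[a.Rule]++
	}
	return out
}

func main() {
	for _, a := range scan(sampleEvents) {
		fmt.Printf("%-22s host=%s cmd=%q\n", a.Rule, a.Host, a.Evidence)
	}
}
```

On the constructed input the three malicious events fire one rule each while the benign vssadmin listing and the unrelated --verbose/--dir tool do not. Two caveats for production use: the payload rule is keyed to switches seen in one intrusion and should be reviewed when new samples are analysed, and the service-stop rule needs a companion on Service Control Manager events (System 7036, or Sysmon process-access telemetry) to see the API-driven stops the binary performs itself.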


MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic. Each entry carries the evidence count and a representative quote from the cited reporting; two of the quotes (under T1135 and T1074) come from comparative reporting that discusses Akira alongside Lynx and are reproduced as cited.

Initial Access

1 technique
T1566 Phishing (evidence: 2)

"Lynx employs several common attack vectors, including phishing emails which result in the download and installation of ransomware onto systems upon user interaction."

Defense Evasion

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

"Inside the ransomware, the readme.txt — aka the ransomware notification — is hidden using Base64 to decode the message."

T1070.001 Clear Windows Event Logs (evidence: 1)

"The gangs… clear event logs to avoid detection and hinder recovery."

T1222 File and Directory Permissions Modification (evidence: 1)

"If Lynx fails to write that file, it will try to get its ownership… obtain 'SeTakeOwnership' privilege and change file ownership… grant write privileges."

Discovery

3 techniques
T1082 System Information Discovery (evidence: 1)

"When attackers gain access… they first gather system and infrastructure information…" / "After obtaining access, attackers performed additional information gathering…"

T1120 Peripheral Device Discovery (evidence: 1)

"Lynx… find all connected printers… and send ransom notes to all found printers."

T1135 Network Share Discovery (evidence: 1)

Akira supports "--share-file… Provide network share path to encrypt" and Lynx "encrypt files on network shares."

Lateral Movement

3 techniques
T1021.001 Remote Desktop Protocol (evidence: 1)

"The intrusion began with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system… the threat actor moved laterally to a domain controller via RDP… deployed Lynx ransomware… across multiple backup and file servers via RDP."

T1021.002 SMB/Windows Admin Shares (evidence: 1)

"high volume of attempted binds to the service control endpoint... suggesting SMB file share enumeration... repeated attempts to establish internal connections over destination port 445"

T1080 Taint Shared Content (evidence: 1)

"MITRE ATT&CK Mapping ... Taint Shared Content - LATERAL MOVEMENT - T1080"

Collection

1 technique
T1074 Data Staged (evidence: 1)

"before encrypting files, Akira operators archived… victims files… Before this step is performed, attackers first exfiltrate files…"

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (evidence: 1)

"archived and exfiltrated victims files to their servers as a part of double-extortion scheme" / "attackers first exfiltrate files to the servers and then detonate the encryptor."

T1567.002 Exfiltration to Cloud Storage (evidence: 1)

"The device then proceeded to upload large volumes of data to the external AWS S3 storage bucket... Usage of external cloud storage providers is a common tactic to avoid detection of exfiltration"

Impact

4 techniques
T1486 Data Encrypted for Impact (evidence: 3)

"File Encryption: It encrypts files across the system, including network shares and drives (Encrypt network shares, Load hidden drives)… --encrypt-network."

T1489 Service Stop (evidence: 2)

"The ransomware attempts to kill various system processes and services… targets services that might hinder the encryption process, such as backup-related services… EnumDependentServicesW and ControlService."

T1490 Inhibit System Recovery (evidence: 3)

"A major target… deleting volume shadow copies… string 'Successfully delete shadow copies from %c:' suggests the use of vssadmin or other similar commands"

T1491 Defacement (evidence: 1)

"the ransom note is also written as a desktop wallpaper at the end of the encryption process."

Defense Evasion (continued)

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

"When successful, they would disable security software." / "if security software is found, Lynx will try to uninstall it."

INDICATORS OF COMPROMISE

IOCs tracked for this family

15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Values are withheld on the public page (full values are available in the Mallory app); only the indicator types and the age of the latest sighting are shown here.

Network (8 tracked): IPs, domains, and DNS infrastructure linked to this family.

Other (7 tracked): other indicator types observed in public reporting.

Type      Value      Latest sighting
ip.v4     withheld   6 months ago
domain    withheld   2 years ago
domain    withheld   2 years ago
domain    withheld   2 years ago
domain    withheld   2 years ago
uri       withheld   2 years ago