Lynx ransomware, a newer ransomware-as-a-service (RaaS) that emerged around July may have stemmed from the INC Ransom source code that was reportedly sold in May, according to multiple analyses of the Lynx strain.
The Lynx gang maintains both clear web and dark web leak sites and has claimed more than 20 victims since it first appeared, according to analyses by Nextron Systems and Palo Alto Networks’ Unit 42, both published this week.
So far, the RaaS group has claimed victims in the retail, real estate, architecture, financial services and environmental services in the United States and United Kingdom, Unit 42 reported, and claims on its website that it does not target governmental organizations, hospitals or nonprofits.
Connections between Lynx and INC Ransom were previously drawn by Rapid7, which first analyzed the ransomware in September. Both Rapid7 and Unit 42 performed a binary diff analysis on the Lynx and INC Ransom strains, which showed an overall 48% similarity between the two versions, and a 70.8% similarity in functions specifically.
Rapid7 opined that the comparison was “not enough to prove fully that Lynx was derived from INC ransomware’s source code,” while Unit 42 stated the overlap in functions “strongly suggests that the developers of Lynx ransomware have borrowed and repurposed a considerable portion of the INC codebase.”
INC Ransom’s source code was purportedly put on sale in May for a price of $300,000, which included both Windows and Linux/ESXi versions of the ransomware. INC Ransom, which first appeared in August 2023, has claimed at least 64 victims and frequently targeted healthcare organizations, including McLaren Health Care and the City of Hope cancer hospital operator and clinical research organization.
While a Linux version of INC ransomware was included in the purported sale, no such version of the Lynx ransomware has yet been discovered. Unit 42 reported discovering both Lynx and INC ransomware samples in July and August 2024, and Lynx samples only in September 2024.
The Lynx ransomware itself incorporates several techniques, including termination of processes and services containing terms such as “sql,” “veeam,” “backup,” “java” and “exchange,” privilege escalation through enabling of “SeTakeOwnershipPrivilege” on the current process token, and deletion of shadow copies through DeviceIoControl, according to Nextron.
The ransomware encrypts files using AES-128 in CTR mode and Curve25519 Donna encryption algorithms, and also uses the Restart Manager API “RstrtMgr” to enable encryption of files that are currently in use or locked by other applications, Unit 42 reports. Encrypted files are given the file extension .lynx.
The Lynx ransom notes instructs victims to install the Tor browser to contact the threat actors and provides addresses for the group’s dark web sites along with a victim ID that can be used to log in to the leak site.
One unique feature of Lynx is that it includes a function to print the ransom note on any printer connected to the compromised system, Nextron Systems found. It first uses EnumPrintersW to retrieve a list of connected printers, then uses StartDocPrinterW and StartPagePrinter to start the printing process for the ransom note document before using WritePrinter to complete the print.
