CRITICALFortiBleed is actively compromising Fortinet firewalls. Is your domain exposed?
Run free scan
CyberXtron
Lynx Ransomware and Its Evolution from the INC Lineage
#CyberXtron#LYNX#INC

Lynx Ransomware and Its Evolution from the INC Lineage

Executive Summary

Lynx is a financially motivated Ransomware-as-a-Service (RaaS) operation that emerged in July 2024 and has established itself as a mature double-extortion threat through a structured affiliate model and well-developed operational infrastructure. Analysis of publicly disclosed victim data identified 414 victims across 48 countries, with the United States representing the most affected region, while Business Services and Manufacturing accounted for nearly 40% of observed victims. The group's operations employ diverse initial access techniques—including phishing, compromised credentials, RDP compromise, VPN exploitation, and credential abuse—followed by enterprise-wide reconnaissance, lateral movement, data exfiltration, and ransomware deployment supported by dedicated Tor-based negotiation and leak infrastructure. Observed infrastructure overlaps also indicate a potential operational relationship between the FortiBleed credential harvesting campaign and the broader Lynx/INC ransomware ecosystem, highlighting the possible integration of large-scale credential harvesting with enterprise ransomware operations. The group's operational maturity, technical flexibility, and global targeting demonstrate its continued capability to conduct sophisticated ransomware campaigns against organizations across multiple sectors and geographic regions.

Threat Profile

 

Group Overview

Lynx is a financially motivated Ransomware-as-a-Service (RaaS) operation that emerged in July 2024, rapidly establishing itself as an active threat within the ransomware ecosystem. The group conducts attacks using a double-extortion model, combining data theft with file encryption to maximize pressure during ransom negotiations. Organizations that refuse to pay face both operational disruption and the public disclosure of stolen information through the group's dedicated leak platform. 

Lynx is widely assessed to represent a rebranding or operational evolution of the INC ransomware operation. The group's emergence closely followed the decline of INC, while substantial similarities in encryption routines, execution logic, command-line functionality, malware architecture, and operational infrastructure indicate a strong technical relationship between the two ransomware families. The reported circulation of the INC ransomware source code on underground forums prior to Lynx's emergence further supports the possibility that components of the original codebase were adapted or repurposed. Although the precise transition cannot be independently verified, the observed technical overlap indicates that Lynx evolved into a more mature RaaS ecosystem with expanded affiliate capabilities, centralized infrastructure, and enhanced extortion operations.

Lynx publicly portrays itself as an "ethical" ransomware operation, claiming to avoid targeting government institutions, healthcare providers, churches, and non-profit organizations. However, publicly disclosed victims include organizations associated with several of these sectors, demonstrating that observed targeting activity does not consistently align with the group's stated operating principles. Like many financially motivated ransomware groups, victim selection appears to be driven primarily by access opportunities, the value of compromised data, and the potential for successful extortion rather than adherence to publicly declared targeting restrictions.

Operational Characteristics

Lynx operates through a closed Ransomware-as-a-Service (RaaS) affiliate model, in which the core operators maintain centralized control over ransomware development, leak infrastructure, negotiation platforms, and supporting operational services, while affiliates are responsible for obtaining initial access, conducting intrusions, deploying the ransomware payload, and negotiating with victims. The affiliate program reportedly provides participants with approximately 80% of ransom proceeds, together with access to ransomware builders, cross-platform payloads, victim management portals, and supporting infrastructure designed to facilitate coordinated ransomware operations.

 

 

Affiliate recruitment is conducted through Russian-language underground forums, including the RAMP cybercrime forum, using a selective vetting process targeting experienced intrusion operators. Recruitment guidance indicates that operators located within CIS countries and China are excluded from participation. The operation emphasizes double-extortion, combining data theft with file encryption while leveraging structured negotiation workflows, automated operational capabilities, and a mature affiliate ecosystem to support enterprise-scale ransomware campaigns.

Victimology

Overview

Metric 

Value 

Observed Victims 

414+ 

Countries Affected 

48 

First Observed Activity 

July 2024 

Operational Status 

Active 

 

Analysis of publicly disclosed leak-site data identified 414 victims across 48 countriesindicating sustained operational activity since Lynx emerged in July 2024. While leak-site disclosures provide valuable insight into the group's targeting patterns, they represent only publicly announced incidents and are unlikely to reflect the full scale of operations, as organizations that negotiate, recover privately, or otherwise resolve incidents may never appear on public disclosure platforms.

The disclosed victims range from small and medium-sized enterprises (SMEs) to large multinational organizations operating across commercial, industrial, and critical infrastructure sectors. This diversity suggests that Lynx prioritizes organizations offering high extortion potential rather than targeting specific organization sizes. Furthermore, the consistent publication of new victims, structured leak announcements, and staged disclosure of stolen information reflects a mature and well-organized Ransomware-as-a-Service (RaaS) operation supported by multiple active affiliates rather than opportunistic ransomware campaigns.

Geographical Distribution

Analysis of observed victims indicates that North America remains the primary region targeted by Lynx operations, with the United States accounting for 221 publicly disclosed victims, significantly exceeding all other affected countries. As illustrated in below image, the United Kingdom (28) and Canada (22) represent the next most targeted countries, followed by Germany (17)Australia (16)France (10)Italy (9)Singapore (8), and Spain and Japan with 7 victims each. This distribution demonstrates a clear concentration of attacks against organizations operating in North America and Western Europe, while also reflecting continued activity across the Asia-Pacific region.

 

Lynx has also targeted organizations across a broader international landscape. Additional publicly disclosed victims were identified in Sweden (6)India (5)Taiwan (4)Austria (4)Brazil (4), and Thailand (4). Smaller numbers of victims were observed in Romania (3) and the United Arab Emirates (3), while Chile, Switzerland, Paraguay, Saudi Arabia, Dominica, and Costa Rica each recorded two victims. The remaining affected countries—including Poland, Ethiopia, Colombia, Finland, Peru, Hong Kong, Argentina, Kenya, Israel, Mexico, Puerto Rico, Morocco, the Czech Republic, Jamaica, Norway, South Africa, Portugal, Malta, China, Malaysia, the Netherlands, South Korea, Belgium, and Venezuela—each accounted for a single publicly disclosed victim, highlighting the group's extensive global reach.

The concentration of victims within North America and Western Europe suggests a preference for organizations operating in mature economies with extensive digital infrastructure and a greater likelihood of successful extortion. Nevertheless, the group's presence across 48 countries demonstrates that its operations are not geographically constrained and are capable of targeting organizations worldwide. The observed victim distribution aligns more closely with opportunistic targeting based on enterprise exposure and financial value than with any specific geopolitical objective.

Sector Targeting

 

Analysis of publicly disclosed victims indicates that Business Services (20.05%) and Manufacturing (19.32%) represent the two most frequently targeted sectors, together accounting for nearly 40% of all observed victims. As illustrated in above imageTechnology (9.90%) ranks as the third most affected sector, followed by Transportation & Logistics (7.00%) and Construction (7.00%)Additional targeting was observed across Consumer Services (5.80%)Financial Services (5.31%), and Agriculture & Food Production (5.31%)indicating a sustained focus on industries where operational disruption, supply chain dependencies, and commercially sensitive information can significantly increase extortion pressure.

Beyond these highly targeted industries, Lynx has also compromised organizations operating in Healthcare (4.83%)Hospitality & Tourism (4.11%)Energy (3.62%)Public Sector (3.38%)Education (2.66%), and Telecommunications (1.69%). The broad distribution of victims across both public and private sectors demonstrates that the group does not limit its operations to a specific industry, instead pursuing organizations that present accessible attack surfaces, valuable corporate data, and a higher likelihood of successful ransom negotiations.

The observed sector distribution reflects a financially motivated targeting strategy focused on organizations whose operational dependence and sensitive business information provide substantial leverage during double-extortion campaigns. Notably, the presence of victims within HealthcareEnergy, and the Public Sector contrasts with Lynx's public claims that it avoids targeting socially important institutions, suggesting that affiliate-driven targeting decisions or operational realities may not consistently align with the restrictions outlined in the group's public statements.

Technical Analysis

Initial Access and Foothold

Observed intrusion activity indicates that Lynx affiliates employ multiple techniques to obtain initial access, including spear-phishing campaigns, compromised credentials, credential stuffing, Remote Desktop Protocol (RDP) compromise, exploitation of internet-facing applications, and vulnerable VPN services. Compromised credentials are also obtained through infostealer logs, underground credential marketplaces, and Initial Access Brokers (IABs), providing affiliates with authenticated access to enterprise environments. The diversity of these access vectors demonstrates a flexible intrusion strategy that enables affiliates to adapt their operations according to the target's exposed infrastructure and security posture rather than relying on a single compromise method.

Following successful access, affiliates typically perform internal reconnaissance to identify privileged accounts, domain controllers, backup infrastructure, virtualization platforms, and file servers before deploying ransomware. The use of legitimate credentials and native administrative tools allows operators to blend malicious activity with normal system administration, reducing the likelihood of early detection while facilitating coordinated ransomware deployment across enterprise environments.

Privilege Escalation, Defense Evasion, and Persistence

Assessment of observed tradecraft suggests that Lynx primarily relies on administrative privileges obtained during the initial compromise rather than exploiting dedicated privilege escalation vulnerabilities. The group's operational workflow also demonstrates the use of SeTakeOwnershipPrivilege token manipulation and, in certain campaigns, Bring Your Own Vulnerable Driver (BYOVD) techniques to weaken endpoint security controls prior to ransomware deployment.

To evade detection and complicate recovery efforts, the ransomware terminates services associated with antivirus products, backup software, Microsoft SQL Server, Microsoft Exchange, Java applications, and Veeam before deleting Volume Shadow Copies and other recovery artifacts. Analysis of observed campaigns has not identified a standardized persistence mechanism, suggesting that affiliates generally maintain access through compromised credentials, existing remote administration channels, and previously established enterprise access until ransomware deployment is complete.

Lateral Movement, Exfiltration, and Encryption

Lateral Movement

Lynx affiliates perform internal reconnaissance to identify high-value systems, shared storage, virtualization infrastructure, and backup repositories before expanding access using compromised administrative credentials. This reconnaissance enables operators to identify critical assets and coordinate ransomware deployment across the victim environment.

Rather than relying extensively on proprietary malware, affiliates primarily abuse legitimate Windows administrative utilities and native system functionality to facilitate lateral movement while minimizing operational visibility. The use of trusted administrative tools allows malicious activity to blend with legitimate administrative operations, increasing the difficulty of detection and incident response.

Attack Sequence

Lynx operations generally follow a structured attack lifecycle consisting of the following stages:

  • Initial Access 
  • Credential Validation 
  • Internal Reconnaissance 
  • Privilege Expansion 
  • Lateral Movement 
  • Data Collection 
  • Data Exfiltration 
  • Security Control Disruption 
  • Shadow Copy Deletion 
  • Ransomware Deployment 
  • File Encryption 
  • Victim Notification 
  • Negotiation and Extortion 

Individual stages may be adapted according to the victim environment and operational objectives; however, the overall attack lifecycle remains structured and consistent with enterprise-focused ransomware operations.

Data Exfiltration

Data theft is a core component of Lynx operations and typically precedes file encryption. Affiliates exfiltrate financial records, intellectual property, contractual documents, internal communications, customer information, and other sensitive business data before directing victims to dedicated Tor-based negotiation portals for ransom discussions.

Organizations that refuse to negotiate risk the public disclosure of stolen information through the group's dedicated leak site. The extortion process commonly follows a staged disclosure model, in which limited samples of stolen data are published initially, followed by progressively larger releases to maintain pressure throughout negotiations and increase the likelihood of ransom payment.

Encryption 

Lynx supports multiple encryption modes—including fast, medium, slow, and entire—allowing affiliates to customize ransomware deployment according to operational objectives. Technical analysis identifies the use of AES-128 (CTR mode) for file encryption together with Curve25519 Donna for key exchange. The ransomware supports selective encryption of files, directories, network shares, hidden drives, and virtualized environments, while encrypted files are appended with the .lynx extension.

During execution, the ransomware terminates critical services associated with antivirus products, backup software, SQL Server, Microsoft Exchange, Java applications, and Veeam before deleting Volume Shadow Copies and other recovery artifacts. It also utilizes the Windows Restart Manager API to encrypt files that are actively in use, reducing file-locking issues during execution. Linux and ESXi variants can terminate running virtual machines and remove snapshots prior to encryption, increasing the operational impact on virtualized environments. Upon completion, ransom notes are written throughout the compromised environment, desktop wallpapers may be modified, and connected printers can automatically receive printed ransom demands to maximize victim awareness and extortion pressure.

FortiBleed and Lynx Operational Link

 

 

FortiBleed Scanner

Is your Fortinet firewall in the breach?

Attackers are quietly stealing working admin passwords to Fortinet firewalls and VPNs — and selling access before anyone notices. Enter your domain to see if yours is already exposed.

CLICK THE LINK BELOW

The FortiBleed credential harvesting operation demonstrates a large-scale infrastructure designed to automate the validation of usernames and passwords collected from internet-facing Fortinet FortiGate appliances. The observed infrastructure contains enterprise credentials spanning multiple organizations and geographic regions, indicating a systematic credential validation process rather than opportunistic credential collection.

Further observations identify operational overlaps between the FortiBleed infrastructure and the broader Lynx/INC ransomware ecosystem. Investigations identified an operator simultaneously authenticated to both the INC Ransom and Lynx negotiation panels using infrastructure associated with the credential harvesting operation. Independent comparison of victim datasets also identified overlapping organizations between FortiBleed infrastructure and an exposed INC-linked directory, indicating that some organizations targeted during credential harvesting were also associated with ransomware activity.

If these observations reflect a shared operational environment, the FortiBleed campaign may illustrate an evolution in ransomware operations by integrating large-scale credential harvesting into the initial access phase. Rather than relying solely on phishing campaigns or exploitation of internet-facing vulnerabilities, validated VPN credentials could provide affiliates with authenticated enterprise access, enabling more efficient lateral movement and ransomware deployment. While the observed infrastructure overlaps and victim correlations suggest a potential operational relationship with the Lynx/INC ecosystem, the precise nature and extent of this association remain unconfirmed.

(This is an ongoing and developing story that CyberXtron™ will update as new information emerges from our monitoring and analysis.)

Command and Control (C2)

Lynx primarily utilizes Tor-hosted infrastructure to facilitate victim communication, ransom negotiations, and data leak operations instead of relying on traditional malware command-and-control (C2) channels. The infrastructure incorporates multiple hidden services and negotiation mirrors, providing redundancy and maintaining communication continuity should individual services become unavailable. Operational updates and additional negotiation mirror addresses are also distributed through the platform to ensure continued access to communication services.

Following ransomware deployment, victims are directed to dedicated Tor-based negotiation portals using unique victim identifiers, where affiliates manage ransom discussions, payment instructions, and data disclosure timelines. This centralized communication model streamlines the extortion process while reducing dependence on conventional C2 infrastructure and enhancing the operational resilience of the group's communication ecosystem.

Communication and Platform Analysis

Lynx operates a dedicated Tor-based communication platform that enables encrypted interaction between affiliates and victims throughout the extortion lifecycle. The platform supports victim registration, negotiation management, payment coordination, controlled publication of stolen data, and affiliate operations, providing a centralized environment for managing multiple ransomware incidents. Supporting infrastructure also enables affiliates to access ransomware payloads, victim management functions, and publication scheduling through dedicated operational panels.

 

 

The platform features a structured interface comprising NewsLeaks, and Report modules. The News section publishes operational announcements, policy statements, and updated negotiation mirror addresses to maintain service availability, while the Leaks section publicly discloses non-compliant victims and supports staged data publication as part of the group's double-extortion strategy. The Report module provides an additional communication function that may support affiliate operations or victim management. Victims are directed to dedicated Tor negotiation portals using unique identifiers, and multiple mirror addresses embedded within ransom notes improve the resilience and availability of the group's communication infrastructure.

Negotiation Behavior

Lynx utilizes a structured negotiation process supported through dedicated Tor-based negotiation portals rather than relying solely on anonymous email communication. Following encryption, victims are instructed to authenticate using a unique victim identifier before communicating directly with affiliates regarding ransom demands, payment instructions, and data recovery procedures.

The platform's published Press Release presents the group's self-described operating principles, claiming to avoid targeting government institutions, hospitals, and non-profit organizations while portraying its operations as financially motivated and negotiation-focused. However, publicly disclosed victims include organizations associated with several of these sectors, indicating that observed targeting activity does not consistently align with the group's stated code of conduct. Combined with the staged publication of stolen data through its leak platform, the negotiation process reinforces Lynx's double-extortion strategy by maintaining sustained pressure on victims throughout ransom negotiations.

Leak Site and Infrastructure Analysis

Direct review of the LYNX Tor leak site confirms a structured three-section public/affiliate interface:

  • News — hosts formal press releases (e.g., the July 24, 2024 "ethical" positioning statement) framing the group's operations as a controlled, negotiation-first, low-collateral-damage enterprise. The statement emphasizes financial motivation, explicit avoidance commitments toward government, hospital, and non-profit sectors, and a stated preference for dialogue and resolution over disruption.

  • Leaks — displays a grid of victim entries, each with organization name, publication date, a short auto-generated description of the victim's business, category tags (EncryptedProof), and a running view counter — functioning simultaneously as a shame board and a credibility/social-proof mechanism to pressure non-paying victims. Individual entries range from small regional businesses to larger institutional organizations, with view counts in the tens of thousands for higher-profile victims.

  • Report — a public intake form (name, email, description, CAPTCHA) allowing third parties to submit tips or reports to the group, an unusual addition suggesting LYNX solicits external target intelligence or reconnaissance contributions from outside its own affiliate base.

Ransom Note

 

 

 

 

The Lynx ransom note serves as the primary communication mechanism between affiliates and victims while supporting the group's double-extortion workflow. The note informs victims that their data has been encrypted and exfiltrated, provides a unique victim identifier for authentication, and directs them to a dedicated Tor-based negotiation portal for further communication. 

To improve communication reliability, the ransom note includes both primary and mirror Tor addresses, together with an alternative Proton Mail contact. This multi-channel communication approach provides redundancy within the group's negotiation infrastructure, allowing victims to maintain contact even if individual communication channels become unavailable. 

 

MITRE ATT&CK

Tactic 

Technique ID 

Technique Name 

Initial Access 

T1078 

Valid Accounts 

Initial Access 

T1566.001 

Phishing: Spearphishing Attachment 

Initial Access 

T1133 

External Remote Services 

Initial Access 

T1190 

Exploit Public-Facing Application 

Execution 

T1059.001 

Command and Scripting Interpreter: PowerShell 

Execution 

T1204.002 

User Execution: Malicious File 

Stealth 

T1036 

Masquerading 

Stealth 

T1027.013 

Obfuscated Files or Information: Encrypted/Encoded File 

Stealth 

T1564.001 

Hidden Artifacts 

Stealth 

T1134 

Access Token Manipulation 

Defense Impairment 

T1685 

Disable or Modify Tools 

Privilege Escalation 

T1134 

Access Token Manipulation 

Privilege Escalation 

T1068 

Exploitation for Privilege Escalation 

Credential Access 

T1110.004 

Brute Force: Credential Stuffing 

Credential Access 

T1003.001 

OS Credential Dumping: LSASS Memory 

Credential Access 

T1552 

Unsecured Credentials 

Credential Access / Discovery 

T1040 

Network Sniffing 

Discovery 

T1012 

Query Registry 

Discovery 

T1082 

System Information Discovery 

Discovery 

T1057 

Process Discovery 

Discovery 

T1049 

System Network Connections Discovery 

Discovery 

T1018 

Remote System Discovery 

Discovery 

T1083 

File and Directory Discovery 

Lateral Movement 

T1021.001 

Remote Services: RDP 

Lateral Movement 

T1021.002 

Remote Services: SMB/Windows Admin Shares 

Collection 

T1074.001 

Data Staged: Local Data Staging 

 

Indicators of Compromise (IOCs)

Indicator Type 

Value 

IP 

85[.]11.187.8/24 

IP 

79[.]141.172.131 

 

Email 

Martina[.]lestariid1898@proton[.]me 

DOMAIN 

Hxxp[://]lynxblog[.]net 

DOMAIN 

cloud-front-gateway[.]cc 

DOMAIN 

confidential-privileged[.]com 

DOMAIN 

email-gateway-host[.]cc 

DOMAIN 

encrypted-mail-gateway[.]cc 

DOMAIN 

encrypted-mail-server[.]com 

DOMAIN 

encrypted-network[.]cc 

DOMAIN 

encrypted-smtp-transport[.]cc 

DOMAIN 

eu-1-host-protection[.]cc 

DOMAIN 

fortinet-gateway[.]cc 

DOMAIN 

fortinet-host-protection[.]cc 

DOMAIN 

fortinet-host[.]cc 

DOMAIN 

fortinet-protection[.]cc 

DOMAIN 

fortinet-server[.]cc 

DOMAIN 

mail-transport-agent[.]cc 

DOMAIN 

mail-transport-gateway[.]cc 

DOMAIN 

mail-transport-host[.]cc 

DOMAIN 

mail-transport-protection[.]cc 

DOMAIN 

mx-gateway-host[.]cc 

SHA256 

07b36c1660deb223749a8ac151676d8924bc13aa59e6712a3c14a2df5237264a 

SHA256 

517288e12c05a92e483e6d80b9136c19bc58c46851720680bb6d1b7016034c37 

SHA256 

f69634bd67aa1c1dca9a75555f06ba028b400fdf6b2ba8c3be3637fbaa408b04 

SHA256 

9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896 

 

SHA256 

 

31de5a766dca4eaae7b69f807ec06ae14d2ac48100e06a30e17cc9acccfd5193 

SHA256 

 

3e68e5742f998c5ba34c2130b2d89ca2a6c048feb6474bc81ff000e1eaed044e 

SHA256 

 

432f549e9a2a76237133e9fe9b11fbb3d1a7e09904db5ccace29918e948529c6 

SHA256 

 

468e3c2cb5b0bbc3004bbf5272f4ece5c979625f7623e6d71af5dc0929b89d6a 

SHA256 

 

4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412 

SHA256 

 

571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b 

SHA256 

 

589ff3a5741336fa7c98dbcef4e8aecea347ea0f349b9949c6a5f6cd9d821a23 

SHA256 

 

80908a51e403efd47b1d3689c3fb9447d3fb962d691d856b8b97581eefc0c441 

SHA256 

 

85699c7180ad77f2ede0b15862bb7b51ad9df0478ed394866ac7fa9362bf5683 

SHA256 

 

97c8f54d70e300c7d7e973c4b211da3c64c0f1c95770f663e04e35421dfb2ba0 

SHA256 

 

9a47ab27d50df1faba1dc5777bdcfff576524424bc4a3364d33267bbcf8a3896 

SHA256 

 

b378b7ef0f906358eec595777a50f9bb5cc7bb6635e0f031d65b818a26bdc4ee 

SHA256 

 

d5ca3e0e25d768769e4afda209aca1f563768dae79571a38e3070428f8adf031 

SHA256 

 

d5ca3e0e25d768769e4afda209aca1f563768dae79571a38e3070428f8adf031 

SHA256 

 

eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc 

SHA256 

 

ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49 

SHA256 

 

f71fc818362b1465fc1deb361de36badc73ac4dd9e815153c9022f82c4062787 

SHA256 

  

09c5ff735d3d7b8c47b4df7de35e1c72b530b2c2566628bc29aaa54feb4d89f4 

MD5 

0e521e0452f113cdf8b5c2fa6580db1f 

MD5 

146d350fd6271b4411714c630d8cda87 

MD5 

14a0ecf45aa72adb2b1f2ccca99f6faa 

MD5 

2348b069647af0a714ae1e005f73b522 

MD5 

30656c737338818bee8cc3591e3f3dcc 

MD5 

31a77e0d1c1b91eebec1f7cdcc1ab8b8 

MD5 

3a39bcd9fc840b4e13042f916d9eb39a 

MD5 

571684f28ce1cf4d8236dbd46ef6f7f0 

MD5 

57f45c0738af9cd49c61984ea99f83ca 

MD5 

65c0c7c9fe6bc1d5296447aae6c6c14c 

MD5 

67a44a38cc36becd6e2e9c20c27fd9ad 

MD5 

74ae58a716aa834949388ee1574788e0 

MD5 

7e851829ee37bc0cf65a268d1d1baa7a 

MD5 

a20886a5b378624d16972db66bd4e7e1 

MD5 

b1d81e8bbecccc547645d17395538a2d 

MD5 

b47cdcdc179c5949ce18f4d161603901 

MD5 

d972bbbb3edb0e5ab5751b911f3dda17 

MD5 

f16238836909d07f86154c5ccbade96a 

MD5 

ff458208c49836cdec92f0a4a7ba6afd 

DLS 

hxxp[://]lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid[.]onion/ 

Mitigations & Recommendations

1. Initial Access Hardening

  • Enforce Multi-Factor Authentication (MFA) across all VPN, RDP, and externally accessible administrative services. 
  • Regularly patch internet-facing applications, VPN appliances, firewalls, and remote access infrastructure. 
  • Restrict or disable unnecessary RDP exposure and secure remote administration interfaces. 
  • Continuously discover exposed assets, shadow IT, and external attack surface risks using CyberXTron ShadowSpot. 

2. Identity & Credential Protection

  • Implement the Principle of Least Privilege (PoLP) across user and administrative accounts. 
  • Deploy Privileged Access Management (PAM) to protect high-value administrative credentials. 
  • Monitor authentication activity for anomalous logins, credential abuse, and privilege escalation using XTron AI. 

3. Network Security & Lateral Movement Control

  • Segment enterprise networks to isolate critical servers, backup infrastructure, and sensitive business systems. 
  • Restrict SMB, RDP, PowerShell Remoting, and other administrative protocols between network segments. 
  • Monitor internal reconnaissance and lateral movement activity for abnormal administrative behavior. 

4. Endpoint Protection & Threat Monitoring

  • Deploy EDR/XDR solutions capable of detecting ransomware behavior through behavioral analytics. 
  • Monitor attempts to terminate security software, backup services, and critical business applications. 
  • Detect suspicious command execution, PowerShell activity, and shadow copy deletion attempts. 

5. Data Protection & Exfiltration Prevention

  • Monitor outbound network traffic for abnormal data transfers and connections to anonymization services such as Tor
  • Implement Data Loss Prevention (DLP) controls to detect and prevent unauthorized movement of sensitive information. 
  • Classify and secure critical business data to reduce exposure during double-extortion incidents. 
  • Monitor leaked credentials, exposed documents, and stolen organizational data using CyberXTron DarkFlash. 

6. External Exposure & Leak Monitoring

  • Continuously monitor ransomware leak sites and underground forums for organizational data exposure. 
  • Detect brand impersonation, fraudulent domains, and leaked digital assets using CyberXTron BrandSafe. 
  • Identify exposed VPN services, internet-facing assets, and misconfigured infrastructure using CyberXTron ShadowSpot. 
  • Track emerging Lynx infrastructure, indicators of compromise, and threat activity through continuous threat intelligence monitoring. 

7. Backup & Recovery Strategy

  • Maintain offline and immutable backups of critical systems and business data. 
  • Isolate backup infrastructure from production environments using dedicated administrative controls. 
  • Regularly test backup restoration procedures to validate recovery readiness. 
  • Monitor backup environments for unauthorized access and recovery mechanism tampering. 

8. Incident Response & Extortion Readiness

  • Develop ransomware-specific incident response playbooks covering encryption, data theft, and extortion scenarios. 
  • Establish procedures for rapid isolation and containment of compromised systems. 
  • Conduct proactive threat hunting across endpoint, identity, network, and cloud environments. 

Conclusion

Lynx has established itself as a capable and well-organized Ransomware-as-a-Service (RaaS) operation, combining structured affiliate management, mature extortion infrastructure, and flexible intrusion capabilities to target organizations across multiple industries and regions. Since emerging in July 2024, the group has demonstrated sustained operational activity, with publicly disclosed victims spanning 48 countries and a broad range of commercial, industrial, and critical infrastructure sectors. Its ability to combine credential abuse, enterprise reconnaissance, data exfiltration, and customized ransomware deployment reflects a level of operational maturity comparable to other established ransomware ecosystems.

The group's continued development, together with the potential operational relationship between the FortiBleed credential harvesting campaign and the broader Lynx/INC ecosystem, suggests that enterprise credential acquisition and ransomware deployment may become increasingly integrated within future campaigns. Although attribution of this relationship remains under assessment, the observed tradecraft highlights the growing convergence of credential theft, data extortion, and ransomware operations. Organizations should therefore adopt a layered security strategy that emphasizes proactive threat monitoring, identity protection, attack surface management, and incident response readiness to reduce exposure to evolving ransomware threats.

Elevate your security—get curated threat insights in your inbox.

Lynx Ransomware and Its Evolution from the INC Lineage | CyberXTron Blog