Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself

The Red Report 2025

The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries.

Lynx ransomware, a rebranded and advanced variant of the earlier INC ransomware, has quickly established itself as a significant threat in the cybersecurity landscape. Operating under a Ransomware-as-a-Service (RaaS) model, Lynx employs sophisticated tactics such as double extortion and advanced encryption to target industries across the U.S. and UK.

This analysis explores its origins, notable incidents, and advanced TTPs, offering insights into its operations and strategies for effective defense against its growing impact.

Origins and Affiliations of the Lynx Ransomware

The Lynx ransomware, first detected in mid-2024, is believed to be a rebranded version of the earlier INC ransomware, which emerged in 2023. Both share substantial portions of their source code, indicating a strong connection. Reports suggest that the INC ransomware's source code was sold on dark web forums, potentially enabling the development of Lynx as a more advanced variant.

Malware Analysis of INC and Lynx Ransomware Samples, figure taken from here.

Operating under the Ransomware-as-a-Service (RaaS) model, Lynx has targeted industries such as retail, real estate, and finance, primarily in the U.S. and UK. Its operators employ double extortion tactics, encrypting victims' data while threatening to release it publicly. Lynx's origins highlight its roots in the ransomware ecosystem, demonstrating the adaptability of cybercriminal groups.

Notable Cyber Incidents & Victimology of Lynx Ransomware as a Service (RaaS)

Since its emergence in July 2024, the Lynx ransomware group has been implicated in several notable cyber incidents, employing double extortion tactics that involve both data encryption and the threat of public data release. Noteworthy attacks include:

Electrica Energy Supplier: In December 2024, Lynx targeted Electrica, a major energy supplier, disrupting operations and compromising sensitive data.
Hunter Taubman Fischer & Li LLC: In January 2025, this U.S.-based law firm specializing in corporate and securities law was breached by Lynx, compromising sensitive client information.

Lynx predominantly targets small and medium-sized businesses (SMBs) across various sectors, including energy, manufacturing, engineering, and legal services, primarily in North America and Europe. Despite claims of avoiding "socially important" organizations, such as government agencies, hospitals, and non-profit organizations, their attacks have caused significant disruptions and data breaches.

Analyzing Lynx Ransomware's Advanced Tactics, Techniques, and Procedures (TTPs)

This section provides a comprehensive analysis of these TTPs, offering insights into how Lynx Ransomware RaaS operates and the tools they employ.

Analyzing Process Discovery and Termination Tactics in Lynx Ransomware

MITRE T1057 - Process Discovery

a. Snapshot of Running Processes

The malware calls CreateToolhelp32Snapshot with the TH32CS_SNAPPROCESS flag to create a snapshot of all running processes. Passing 0 as the second parameter ensures that all processes are included.

HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

b. Iterating Over Processes

The ransomware iterates over all processes using:

Process32FirstW: Retrieves information about the first process in the snapshot.
Process32NextW: Iterates through subsequent processes.

Process32FirstW(hSnapshot, &pe);
while (Process32NextW(hSnapshot, &pe)) {
// Process each entry
}

c. Case-Insensitive Process Name Search

The process name (pe.szExeFile) is compared to a predefined list of target keywords using a case-insensitive search function (search_case_insensitive).

sql
veeam
backup
exchange
java
notepad

MITRE T1489 - Service Stop

d. Process Termination

If a process name matches, the ransomware opens a handle to the process using OpenProcess with the PROCESS_TERMINATE flag.

HANDLE process_handle = OpenProcess(PROCESS_TERMINATE, FALSE, pe.th32ProcessID);

It calls TerminateProcess to kill the process.

TerminateProcess(process_handle, 0);

e. Verbose Logging (Optional)

If the verbose_flag is set, the malware logs the termination of each process, as shown in the line:

printf(L"[+] Process %s with PID: %d was killed successfully\n", pe.szExeFile, pe.th32ProcessID);

Service Enumeration & Termination Tactics Used by Lynx Ransomware

MITRE T1049 - System Network Connections Discovery

MITRE T1018 - Remote System Discovery

The ransomware performs service enumeration by iterating through a list of running services retrieved from the Service Control Manager. Using search_case_insensitive, it checks the lpDisplayName and lpServiceName of each service against predefined keywords (e.g., backup-related or database services). If a match is found, the stop_services function is invoked to terminate the service and its dependent services. This recursive approach ensures that all critical services hindering the ransomware’s operations are stopped.

The motivation for this behavior is to disable essential recovery mechanisms, such as backup and database services, preventing the victim from restoring encrypted files or maintaining system functionality, thereby increasing the likelihood of ransom payment.

MITRE T1489 - Service Stop

Moreover, the Stop Services Function in the ransomware is designed to disable specified services and their dependencies to disrupt system functionality and prevent recovery mechanisms. It begins by obtaining a handle to the Service Control Manager using OpenSCManagerW and then opens the targeted service using OpenServiceW. If dependent services are present, EnumDependentServices enumerates them. Each dependent service is recursively processed and stopped using stop_services, ensuring no active service interferes with the ransomware's operations. If the service is not stopped immediately, the function uses QueryServiceStatusEx to monitor its state and repeatedly attempts to stop it until successful or a timeout occurs. All allocated resources and service handles are cleaned up after processing.

The ransomware also sets up a multi-threaded environment to expedite encryption operations using the Windows I/O Completion Port mechanism. It dynamically determines the number of threads based on the system's processor count (4 * SystemInfo.dwNumberOfProcessors) and creates threads to handle asynchronous I/O tasks. Each thread executes the encryption function, synchronized through the completion port (CreateIoCompletionPort).

Additionally, the ransomware decodes its ransom note, replaces placeholders (e.g., %id%) with the victim's unique identifier, and logs the initialization steps if verbose mode is enabled. This multi-threaded approach allows the malware to maximize system resource utilization, accelerating the encryption process.

Your data is stolen and encrypted.
Your unique identificator is %id%
Use this TOR site to contact with us:
hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login

Use this email to contact with us:
martina[.]lestariid1898@proton[.]me

Our blog
~ TOR Network: hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures

Directory Enumeration

MITRE T1083 - File and Directory Discovery

The Enumerate Directory Function in the ransomware is designed to traverse directories, identify files for encryption, and handle recursive subdirectory processing. It starts by creating a README.txt file in the specified directory, writing the ransom note using CreateFileW and WriteFile, ensuring the ransom instructions are accessible to the victim. The function then calls FindFirstFileW to locate the first file or directory entry, and iterates through all items using a loop. During this process, it skips special directories (".", ".."), reparse points, and files with system attributes (FILE_ATTRIBUTE_SYSTEM). Specific file types, such as executables (.exe), installers (.msi), libraries (.dll), or files with the .lynx extension, are excluded from encryption.Additionally, files named README.txt and LYNX are ignored. For each valid file, the ransomware calculates its extension and queues it for encryption by creating a new thread, leveraging multi-threading to maximize encryption speed.

For subdirectories, the function uses recursive calls to explore their contents. It avoids processing protected or system-critical directories such as "windows", "program files", "program files (x86)", and "appdata", ensuring it doesn’t disrupt essential system operations that could prevent the ransomware from functioning. However, the function handles "program files" and "program files (x86)" directories separately, iterating through their subdirectories to identify and encrypt specific folders, such as "microsoft sql server".

Subdirectories are processed by allocating memory dynamically with HeapAlloc, constructing their paths, and recursively invoking the enum_dir function. This detailed enumeration ensures the ransomware can effectively locate and encrypt a broad range of target files while intelligently avoiding unnecessary or highly protected locations, increasing its operational efficiency and impact.

File Access Validation, Privilege Escalation, and Encryption Preparation in Lynx Ransomware

prepare_encryption

MITRE T1486 - Data Encrypted for Impact
MITRE T1587.001 - Develop Capabilities: Malware

check_write_access

MITRE T1564.001 - Hidden Artifacts
MITRE T1083 - File and Directory Discovery

priv_escalation

MITRE T1068 - Exploitation for Privilege Escalation
MITRE T1203 - Exploitation for Client Execution

The ransomware operates through a tightly coupled sequence of functions, namely prepare_encryption, check_write_access, and priv_escalation, to ensure successful file encryption even in restricted environments. These functions work collaboratively to overcome access barriers, manipulate permissions, and prepare the target file for encryption.

The workflow initiates with the prepare_encryption, which first evaluates whether the malware has sufficient write access to the target file. This is achieved by calling the check_write_access function. Within check_write_access, the malware attempts to write a dummy block of 36 bytes of data (character "2") at the end of the file using the WriteFile API. This operation confirms write access by verifying if the correct number of bytes was written. After the write operation, SetEndOfFile is called to truncate the file, leaving no persistent traces of the operation. If write access is successfully validated, the file is opened using CreateFileW with GENERIC_READ | GENERIC_WRITE(0xC0000000) permissions for further encryption. If the write check fails, the malware moves to its next strategy.

In cases where the file is locked by processes holding open handles, the malware checks for the stop_processes_flag. If set, the ransomware invokes Terminate_Process_RM to terminate all processes with handles to the file. If this succeeds, it reattempts the write access check. If this too fails, the malware escalates privileges to bypass file access restrictions.

The priv_escalation function is invoked to enable the SeTakeOwnershipPrivilege on the current process token. It achieves this by calling AdjustTokenPrivileges to elevate its privileges, allowing the malware to take ownership of the target file or directory. The function uses AllocateAndInitializeSid to define a Security Identifier (SID) and configures an EXPLICIT_ACCESS structure with GENERIC_ALL permissions. It then modifies the file's ACL via SetEntriesInAclW and SetNamedSecurityInfoW, granting the process full control over the file. After successfully taking ownership, priv_escalation re-applies the ACL to ensure the malware retains control while resetting the token's privileges to minimize detection risks.

These functions collectively enable the ransomware to evaluate, escalate, and secure access to files, ensuring successful encryption. The seamless integration of prepare_encryption, check_write_access, and priv_escalation highlights advanced techniques for defense evasion, privilege escalation, and impact, demonstrating the malware's capability to operate effectively in secured environments.

Process Termination, Key Generation, and Encryption in Ransomware Operations

The ransomware employs an interconnected set of functions and techniques to terminate processes, generate encryption keys, and encrypt files. These processes work in tandem to ensure the successful encryption of the target files while evading detection and handling operational obstacles.

MITRE T1489 - Service Stop

MITRE T1106 - Native API

To gain access to files locked by running processes, the ransomware uses the Restart Manager (RM) API. It begins by starting an RM session with RmStartSession and registers the file as a resource to be managed using RmRegisterResources. The function then calls RmGetList to identify all processes holding handles to the file.

For each process, the function:

Skips Critical Processes: Avoids terminating RmExplorer (Windows Explorer), RmCritical (critical system processes), or the current process itself.
Opens Processes for Termination: Uses OpenProcess with PROCESS_TERMINATE access to open the identified process.
Terminates the Process: Calls TerminateProcess and waits for termination with WaitForSingleObject to ensure completion.

This ensures that the file is released from any process locks, allowing the ransomware to proceed with encryption.

MITRE T1573.001 - Encrypted Channel: Symmetric Cryptography

MITRE T1573.002 - Encrypted Channel: Asymmetric Cryptography

MITRE T1027 - Obfuscated Files or Information

The ransomware leverages Elliptic Curve Cryptography (ECC) and AES for secure encryption:

ECC Key Decoding and AES Key Generation: The function decodes an ECC public key (Curve25519) using base64_decode and generates a shared secret via the Diffie-Hellman key exchange. This shared secret is hashed with SHA512 to derive the AES encryption key. The AES key is then expanded into round keys using AESKeyExpansion for efficient block encryption.
Marker Preparation: The marker structure, totaling 116 bytes, is prepared to append metadata to the encrypted file. It includes:
- The ECC public key (32 bytes).
- SHA512 hash of the ECC public key (64 bytes).
- "LYNX" identifier.
- Unknown padding and encryption block configuration values (e.g., block size and step).

File Encryption Preparation

The function prepares the file for encryption using the following steps:

Memory Allocation: Allocates memory for lpOverlapped, the marker, and encryption buffers using HeapAlloc and memset.
File Metadata Configuration:
- Sets the file offset and block sizes for encryption.
- Appends "LYNX" to the filename using lstrcatW and updates the file pointer (lpNewFileName).
Asynchronous I/O:
- Associates the file handle with an I/O completion port using CreateIoCompletionPort.
- Uses the OVERLAPPED structure for asynchronous file operations like reads and writes.

File Encryption Execution

Once the file is ready, the ransomware enters the encryption phase:

Completion Port Monitoring: It uses GetQueuedCompletionStatus to wait for I/O completion packets. These packets indicate that the file data is ready for encryption.
Data Encryption: Upon receiving a packet, the ransomware encrypts the file data using AES in block mode, guided by the switch_value set during the preparation phase.
Marker Appending: After encryption, the marker is appended to the file, providing metadata for potential decryption (e.g., public key and block size configuration).

How Does Picus Help Against Lynx Ransomware Threat Group?

We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.

Picus Threat Library includes the following threats for Lynx Ransomware.

Threat ID	Threat Name	Attack Module
69591	Lynx Ransomware Download Threat	Network Infiltration
67755	Lynx Ransomware Email Threat	E-mail Infiltration

Defense Strategies Against the Lynx Ransomware Group

Defending against the Lynx ransomware group requires a comprehensive cybersecurity strategy that addresses both technological vulnerabilities and human factors. Key defense measures include:

Regular Software Updates and Patch Management: Ensure all systems, applications, and devices are up-to-date with the latest security patches to mitigate vulnerabilities that ransomware exploits.
Robust Backup Solutions: Implement regular, automated backups of critical data, stored offline or in locations inaccessible from potentially infected systems. This practice ensures data recovery without yielding to ransom demands.
Advanced Email Filtering and User Training: Deploy sophisticated email filtering solutions to block phishing attempts, a common delivery method for Lynx ransomware. Conduct regular training sessions to educate employees on recognizing and avoiding phishing emails and suspicious downloads.
Endpoint Protection and Network Monitoring: Utilize comprehensive endpoint protection platforms capable of detecting and responding to ransomware activities. Implement continuous network monitoring to identify and respond to anomalous behavior indicative of an intrusion.
Access Controls and Privilege Management: Enforce the principle of least privilege, ensuring users have only the access necessary for their roles. Regularly review and adjust access controls to minimize potential attack vectors.
Incident Response Planning: Develop and regularly update an incident response plan tailored to ransomware attacks. Conduct drills to ensure readiness and effective coordination during an actual incident.

By implementing these strategies, organizations can significantly reduce the risk of falling victim to Lynx ransomware and enhance their overall cybersecurity posture.

Conclusion

In conclusion, the emergence of Lynx ransomware, rebranded from the earlier INC ransomware, underscores the adaptive nature of cybercriminal operations within the ransomware ecosystem. By leveraging advanced TTPs such as double extortion, process termination, privilege escalation, and multi-threaded encryption, Lynx represents a sophisticated and persistent threat to organizations globally. Its focus on critical industries highlights the importance of proactive cybersecurity measures.

To counter this evolving threat, organizations must adopt a multi-layered defense strategy. This includes robust patch management, regular backups, advanced email filtering, endpoint protection, and employee training to mitigate vulnerabilities. Furthermore, access control policies and incident response planning are crucial for minimizing potential damage and ensuring swift recovery.

As ransomware groups like Lynx continue to refine their tactics, staying vigilant and investing in comprehensive security solutions will be critical to safeguarding digital assets and maintaining operational integrity.