{
	"id": "91a1675a-7e21-4444-9ed9-dec65918fd59",
	"created_at": "2026-05-05T02:46:24.750143Z",
	"updated_at": "2026-05-05T02:46:36.742874Z",
	"deleted_at": null,
	"sha1_hash": "04dbee712985398f4e1a3f0cfe5f4bc3f3c0577f",
	"title": "Cat’s out of the bag: Lynx Ransomware-as-a-Service | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3555535,
	"plain_text": "Cat’s out of the bag: Lynx Ransomware-as-a-Service | Group-IB\r\nBlog\r\nArchived: 2026-05-05 02:28:43 UTC\r\nIntroduction\r\nRansomware remains one of the most profitable cyberthreats, with new variants and business models evolving\r\nfaster than many organizations can respond. Fueled by the expansion of Ransomware-as-a-Service (RaaS), the\r\nproliferation of stolen data on Dedicated Leak Sites (DLS), and the rise of affiliate-driven operations, these attacks\r\nhave become both more pervasive and more sophisticated.\r\nThe Lynx RaaS group stands out for its highly organized platform, structured affiliate program, and robust\r\nencryption methods. In this blog, we provide an exclusive look at Lynx’s affiliate panel, internal communications,\r\nand technical arsenal, revealing how this criminal ecosystem orchestrates ransomware attacks and manages\r\nvictims.\r\nKey Discoveries in this Blog\r\nStructured RaaS Panel and Workflow: Lynx’s affiliate panel is divided into multiple sections (e.g.\r\n“News,” “Companies,” “Chats,” “Stuffers,” and “Leaks”), each serving a clear purpose. Affiliates can\r\nconfigure victim profiles, generate custom ransomware samples, and even manage data-leak schedules\r\nwithin a single, user-friendly interface.\r\nCross-Platform Ransomware Arsenal: Lynx provides affiliates with a comprehensive “All-in-One\r\nArchive,” containing binaries for Windows, Linux, and ESXi environments, covering a range of\r\narchitectures (ARM, MIPS, PPC, etc.). This multi-architecture approach ensures broad compatibility and\r\nmaximizes the impact of attacks in heterogeneous networks.\r\nAffiliate Features and Double Extortion: Affiliates are incentivized with an 80% share of ransom\r\nproceeds, reflecting a competitive, recruitment-driven strategy. 
Lynx’s panel includes a dedicated leak site\r\n(DLS) where stolen data is publicly exposed if ransoms go unpaid, adding critical pressure on victims to\r\ncomply.\r\nCustomizable Encryption Techniques: Lynx recently added multiple encryption modes: “fast”,\r\n“medium”, “slow”, and “entire”, giving affiliates the freedom to adjust the trade-off between speed and\r\ndepth of file encryption. The use of Curve25519 Donna and AES-128 encryption emphasizes Lynx’s focus\r\non robust, proven cryptography.\r\nProfessional Recruitment and Vetting: The group’s recruitment posts on underground forums emphasize\r\na stringent verification process for pentesters and skilled intrusion teams, highlighting Lynx’s emphasis on\r\nhttps://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/\r\nPage 1 of 26\n\noperational security and quality control. They also offer “call centers” for harassing victims and advanced\r\nstorage solutions for affiliates who consistently deliver profitable results.\r\nWho may find this blog interesting:\r\nCybersecurity analysts and corporate security teams\r\nMalware analysts\r\nThreat intelligence specialists\r\nCyber investigators\r\nComputer Emergency Response Teams (CERT)\r\nLaw enforcement investigators\r\nCyber police forces\r\nThe dedicated leak site (DLS) of the Lynx ransomware serves as a platform where attackers publish\r\nannouncements regarding attacks and disclose leaked data from their victims.\r\nFigure 1. Screenshot of a dedicated leak site (DLS) of Lynx ransomware.\r\nOn 8 August 2024, a user named “silencer” announced an affiliate program for the Lynx ransomware in a topic on the\r\npopular underground dark web forum “RAMP”.\r\nFigure 2. 
Screenshot of the user profile “silencer” on the RAMP forum.\r\nInformation from Affiliate Program Recruitment:\r\nThe Lynx ransomware group has published a recruitment post targeting experienced penetration testing teams. The\r\npost provides a detailed description of the group’s capabilities, tools, and expectations for potential collaborators,\r\nindicating a structured and professionalized criminal operation.\r\nFigure 3. Screenshots of a post by Lynx promoting its ransomware-as-a-service on the RAMP forum.\r\nThe following is a translation of the topic posted by Lynx, from Russian to English:\r\nWe invite experienced pentesting teams to join the Lynx team.\r\nWe specialize in attacks on business infrastructure.\r\n### Locker Functionality:\r\n~ Reliable encryption algorithm (x25519 + AES);\r\n~ Directing the locker to specified directories/files;\r\n~ Killing services/processes by mask;\r\n~ Ability to interrupt the encryption process without damaging the structure of the encrypted file;\r\n~ Deleting shadow copies, clearing the recycle bin, etc.;\r\n~ Mounting hidden disks (at your own risk, may corrupt the bootloader);\r\n~ Automatic termination of processes that use targeted files;\r\n~ 18 tested builds for all operating systems (Windows / ESXi / NAS);\r\n~ “Timer” feature available on all nix builds;\r\n~ Setting a “message of the day” as a ransom note.\r\n### Panel Functionality:\r\n~ Builder (private keys are not stored in the panel; all test decrypts are strictly handled through the admin);\r\n~ Ability to independently create blog posts and attach files without admin involvement;\r\n~ Full management of publications;\r\n~ Guest access for your traffickers.\r\nWe offer an 80/20 split in your favor. 
You handle all negotiations, the wallet is yours, and we do not interfere in\r\nthe process.\r\nWe have our own call service (“прозвон”) that will harass the target (extra %).\r\nIn the near future, we are completing a persistent tool that will be provided to our teams.\r\nWe also have a simple killer (doesn’t include solutions for CrowdStrike or Sentinel).\r\nWe are ready to provide storage for files to active teams.\r\nWe can provide materials for work if you show good results.\r\nTeams without a reputation will be offered several options to pass “white” verification.\r\nWe do not work in the CIS, Ukraine, China, Iran, or North Korea, nor do we target entities responsible for the\r\nlivelihood of civilians (healthcare), government institutions, churches, or children’s charities (non-profits).\r\nGroup-IB specialists successfully infiltrated the Lynx RaaS group by leveraging qTox to establish contact with the\r\nintruder. This allowed them to gain access to the group’s affiliate panel, providing critical insights into its operations.\r\nFigure 4. Screenshot of the authentication page of the Lynx ransomware group.\r\nThe affiliate panel of the Lynx ransomware group featured various sections, including “News”, “Chats”,\r\n“Companies”, “Stuffers” and “Leaks”, each serving distinct purposes within the group’s operations.\r\nNews\r\nThe “News” section within the Lynx ransomware group’s affiliate panel serves as a central hub for updates and\r\nannouncements. It provides affiliates with critical information, such as details on new features added to the locker\r\nor panel, as well as essential resources like updated mirrors for the group’s blog and admin panel.\r\nFigure 5. 
Screenshot of the “News” section of the Lynx ransomware panel.\r\nBelow is a table detailing the observed updates and publication dates from the “News” section of the Lynx\r\nransomware group’s affiliate panel:\r\nDate | Title of the news\r\n03.08.2024 | Admin panel mirrors\r\n03.08.2024 | Blog mirrors\r\n03.08.2024 | Guest panel mirrors\r\n03.08.2024 | Corp panel mirrors\r\n22.09.2024 | New features\r\nBelow are screenshots from the “News” section, showcasing posts related to the mirrors of the Lynx ransomware\r\ngroup’s infrastructure.\r\nFigure 6. Screenshots of posts in the “News” section of the Lynx ransomware panel, dated 3 August 2024.\r\nThe published posts list the .onion mirrors of the Lynx ransomware group’s malicious infrastructure, grouped into\r\nadmin panel, blog, guest panel, and corp panel mirrors.\r\nBelow is a screenshot from the “News” section, highlighting a post about new features introduced to the Lynx\r\nransomware’s locker and affiliate panel. Updates include enhancements to encryption modes and the addition of a\r\nnon-onion domain for the company chat, allowing access through standard web browsers.\r\nFigure 7. Screenshot of a post in the “News” section of the Lynx ransomware panel, dated 22 September 2024.\r\nText from the post:\r\n– Encryption modes (fast, medium, slow, entire)\r\n– Silent mode\r\n– Domain for company chat (access through normal browsers)\r\nCompanies\r\nThe “Companies” section provides an interface for affiliates to manage victims. 
This includes creating victim\r\nprofiles, configuring victim-specific information, and generating unique ransomware samples tailored to each\r\nvictim.\r\nFigure 8. Screenshot of the “Companies” section of the Lynx ransomware panel.\r\nThe intruder can configure the following information about each victim:\r\n– Company Name\r\n– Link to zoominfo\r\n– Country\r\n– Number of Employees\r\n– Income for the year in $\r\n– The cost of the case $\r\nFigure 9. Screenshot of the interface for creating a new company in the “Companies” section of the Lynx\r\nransomware panel.\r\nOnce a victim is created, a dedicated chat is automatically generated for that victim. This chat is accessible\r\nthrough the “Chats” section, streamlining communication and management for each case.\r\nFigure 10. Screenshot of the chat with the victim in the “Companies” section of the Lynx ransomware panel.\r\nThe screenshots below display an already created victim, including brief details about the victim and available\r\nactions that can be performed for each company. These actions include downloading samples of Lynx ransomware\r\nfor the victim, changing the password for chat access, banning negotiations with the company, adjusting the\r\nransom amount, or deleting the chat for security purposes.\r\nFigure 11. Screenshots of the interface displaying an already created company in the \"Companies\" section of the\r\nLynx ransomware panel.\r\nThe affiliate download archive contains multiple binary builds for various architectures (x86, ARM, MIPS, PPC,\r\nESXi, etc.). This allows affiliates to deploy the ransomware broadly across diverse systems in a victim’s corporate\r\nnetwork.\r\nAll-in-One Archive for Affiliates\r\nInstead of targeting a single architecture, the Lynx ransomware group offers affiliates a complete bundle. Inside\r\nthis archive, there are executables tailored for Linux x64, Linux ARM, MIPS, ESXi, and more. Affiliates can pick\r\nwhichever version they need for any specific segment of the victim’s network.\r\nComprehensive Architectural Coverage\r\nModern corporate networks are rarely homogeneous; they might include virtualized infrastructure (ESXi) and\r\nx86_64 servers running Linux or Windows. Having multiple versions at the ready boosts the ransomware’s\r\neffectiveness, because it can be run on almost any system.\r\nStraightforward Cross-Compilation\r\nThanks to Linux’s versatile cross-compilation toolchains, attackers easily build different variants (e.g., linux-armv7,\r\nlinux-mips, linux-s390x). These toolchains allow static and dynamic linking (musl vs. glibc) so the\r\nbinaries can run smoothly in minimal or containerized environments.\r\nMusl Binaries\r\nSome binaries in the archive carry a -musl tag. These are linked against the musl C library, making them more\r\nportable to edge environments and containers that might not have the standard glibc libraries installed.\r\nMaximizing Reach in Targeted Attacks\r\nEven in a targeted attack, the affiliate benefits from having every possible version. 
Once they infiltrate a network,\r\nthey can discover which architectures are present, like ESXi hosts, ARM-based systems, or IBM mainframes, and\r\ndeploy the matching binary without needing to recompile or fetch anything else.\r\nList of samples in the archive:\r\nlinux-arm64\r\nlinux-armv5-musl\r\nlinux-armv7\r\nlinux-esxi\r\nlinux-ppc64le\r\nlinux-x64\r\nlinux-arm64-musl\r\nlinux-armv6\r\nlinux-armv7a\r\nlinux-mips\r\nlinux-riscv64\r\nlinux-x86\r\nlinux-armv5\r\nlinux-armv6-musl\r\nlinux-armv7l-musl\r\nlinux-mipsel-lts\r\nlinux-s390x\r\nwindows\r\nChats\r\nThe “Chats” section provides information about the chats created for negotiations with victims.\r\nFigure 12. Screenshot of the “Chats” section of the Lynx ransomware panel.\r\nStuffers\r\nThe “Stuffers” section offers affiliates a streamlined interface to manage their sub-affiliates or team members for\r\ncollaborative efforts. Affiliates can easily add a new “stuffer” by assigning a unique login and password, enabling\r\nsecure and individualized access for each team member.\r\nBelow are screenshots providing an overview of how it appears in the affiliate panel:\r\nFigure 13. Screenshots of the interface for creating a stuffer or sub-affiliate in the \"Stuffer\" section of the Lynx\r\nransomware panel.\r\nLeaks\r\nThe “Leaks” section allows affiliates to create and manage publications about companies that have been attacked\r\nbut have not paid the ransom. 
Affiliates can schedule these publications, customize the attacked company’s logo,\r\nselect a company from the list in the “Companies” section, specify a publication time, choose a publication\r\ncategory, add a description of the leak, generate a password, and attach relevant files.\r\nBelow are screenshots showcasing the affiliate panel interface for creating and scheduling publications:\r\nFigure 14. Screenshots of the interface for scheduling a publication in the \"Leaks\" section of the Lynx ransomware\r\npanel.\r\nTechnical Information\r\nThe ransomware is available in both Windows and Linux versions, though the latter has yet to be reported in the\r\nwild. Its features are relatively standard for ransomware, displaying typical behavior seen in other threats of its\r\nkind. 
The file extension used is “.LYNX”, which is appended to encrypted files.\r\nOverall summary of the command-line options of both the Windows and Linux versions:\r\nOption | Description | Windows | Linux\r\nfile | Encrypt only specified file(s) | v | v\r\ndir | Encrypt only specified directory(ies) | v | v\r\nmode | slow (25%), medium (15%), fast (5%), entire (100%) | v | v\r\nesxi | Force stop all ESXi VMs | - | v\r\ndelay | Delay encryption for N minute(s) | - | v\r\nfork | Fork process | - | v\r\nmotd | Set up ransom note in message of the day | - | v\r\nverbose | Print logging messages | v | v\r\nhelp | Print help menu | v | v\r\nsilent | Enable silent encryption (no extension and notes will be added) | v | -\r\nstop-processes | Stop processes via RestartManager | v | -\r\nencrypt-network | Encrypt network shares | v | -\r\nload-drives | Load hidden drives (will corrupt boot loader) | v | -\r\nhide-cmd | Hide console window | v | -\r\nno-background | Don’t change background image | v | -\r\nno-print | Don’t print note on printers | v | -\r\nkill | Kill processes/services | v | -\r\nsafe-mode | Enter safe mode | v | -\r\nWindows\r\nWhen comparing our sample to those reported in October 2024, a key difference is that Lynx ransomware has\r\nintroduced a “mode” option (fast/medium/slow/entire), enabling the attacker to choose the percentage of a file to\r\nencrypt and thus decide the trade-off between speed and the amount of data encrypted. In contrast, earlier\r\nversions of Lynx had only one default mode, which simply encrypts 1MB for every 6MB (this is ~16%, which\r\ncorresponds to the “medium” mode).\r\nFigure 15. Command-line options of the Windows version of Lynx ransomware\r\nFigure 16. Verbose logs during encryption\r\nThe ransom note is base64 encoded and embedded in the binary. It is dropped in every encrypted directory.\r\nFigure 17. Lynx ransom note\r\nEnvironment preparation\r\nTo ensure a smooth encryption process, it does a few things:\r\n– When determined to have insufficient access to the files to be encrypted, it attempts to escalate privileges.\r\nIt enables “SeTakeOwnershipPrivilege” for the current process access token, and takes ownership of the\r\nfile object. The ownership is then used to change the Discretionary Access Control List (DACL) of the file object.\r\n– It uses the Windows Restart Manager to terminate processes that are currently using the targeted resources.\r\n– When the option “load-drives” is enabled, it enumerates all volumes, and the system will attempt to mount\r\nany unmounted volumes and assign each a drive letter.\r\nWhitelisted extensions (not encrypted)\r\n.exe, .dll, .msi, .lynx\r\nBlacklisted services and processes\r\nServices: \"sql\", \"veeam\", \"backup\", \"exchange\"\r\nProcesses: \"sql\", \"veeam\", \"backup\", \"exchange\", \"java\", \"notepad\"\r\nEncryption Scheme\r\nThe ransomware utilizes a multi-threaded approach to speed up the encryption process by creating a number of\r\nthreads equal to four times the number of CPU cores in the system. It uses the Windows I/O Completion Port\r\nmechanism to efficiently manage asynchronous I/O operations, allowing threads to handle disk read/write tasks\r\nwithout blocking the encryption process.\r\nThe ransomware employs the combination of Curve25519 Donna and AES-128 in CTR mode for file encryption.\r\nLastly, it renames the file with a .LYNX extension.\r\nPost-encryption\r\nIt performs the usual post-encryption steps, changing the desktop wallpaper of the compromised machine to a\r\nransom note. It will also attempt to print the ransom note on connected printers. It enumerates all the local\r\nprinters, excluding “Microsoft Print to PDF” and “Microsoft XPS Document Writer”, and proceeds to send the\r\nransom note as a print job to them.\r\nFigure 18. Ransom note set as wallpaper\r\nDelete Shadow Copies\r\nThe ransomware attempts to delete shadow copies by resizing the maximum amount of volume shadow copy\r\nstorage space. This is done via DeviceIoControl() using the IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE\r\n(0x53C028) control code. By setting the maximum space to 1 byte, it effectively forces Windows to delete all\r\nexisting volume snapshots.\r\nFigure 19. Code snippet of deleting shadow copies\r\nLinux\r\nThe Linux version of the ransomware is much simpler, and Linux versions of ransomware are usually developed to\r\ntarget ESXi systems. To start encryption, one has to specify either a file or a directory for the Linux version.\r\nThe encryption scheme is the same as on Windows. However, compared to the Windows version, which uses 4x the\r\nnumber of cores, the Linux version spawns threads equal to 2x the number of cores to process files.\r\nRansom notes are dropped in every directory and can also be set up as a message of the day (MOTD).\r\nFigure 20. Ransom note set as MOTD\r\nFigure 21. Command-line options of the Linux version of Lynx ransomware\r\nStopping ESXi and removing snapshots\r\nIt writes the following command in a file named “kill” and proceeds to execute the file. 
It forcefully terminates all\r\nthe virtual machines on the ESXi host using their World IDs.\r\nfor i in $(esxcli vm process list | grep 'World' | grep -Eo '[0-9]{1,8}'); do esxcli vm process kill\r\nTo remove virtual machine snapshots, it writes the following command in a file named “delete” and proceeds to\r\nexecute the file.\r\nfor i in $(vim-cmd vmsvc/getallvms | awk '{print $1}' | grep -Eo '[0-9]{1,8}'); do vim-cmd vmsvc/snap\r\nComparison with INC\r\nIt has been previously reported that the Windows version of the Lynx ransomware closely resembles INC\r\nransomware, suggesting that the Lynx operators may have purchased the source code of INC ransomware. The features of the\r\nanalysed Linux version of Lynx exhibited strong similarities as well. We decided to compare it with the Linux\r\nESXi version of INC ransomware (SHA256:\r\nc41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef) using BinDiff. There were a total of\r\n147 non-library function matches between the two samples, making roughly \u003e 91% overlapping functions. The\r\noverall similarity stood at 87% with a 98% confidence.\r\nFigure 22. BinDiff comparison of the Lynx sample and the INC sample\r\nConclusion\r\nLynx has emerged as a formidable RaaS operator by combining a versatile arsenal of ransomware builds, a\r\nstructured affiliate ecosystem, and systematic extortion tactics. Their panel’s features, from victim management to\r\nscheduled leak publications, demonstrate an industrial-scale approach to cybercrime.\r\nNotably, in-depth analysis revealed a significant code overlap with INC ransomware (over 90% of the Linux ESXi\r\nvariant functions match when compared via BinDiff). This strongly indicates that Lynx may have purchased or\r\nadapted the INC ransomware source code, enabling them to build upon existing malware capabilities. 
For\r\norganizations, this underscores the importance of continually updating incident response procedures, investing in\r\nreal-time threat intelligence, and fostering a security-first culture.\r\nAs RaaS groups like Lynx push the boundaries of cyber extortion, only a proactive and adaptive defensive\r\nstrategy will safeguard critical data and maintain business resilience.\r\nRecommendations\r\nAlthough ransomware operators often target critical sectors, any organization can become a victim. The recent\r\ngrowth of affiliate programs, where established groups equip new partners with advanced tools, amplifies these\r\nthreats. Below are essential steps to protect mission-critical operations and data:\r\nImplement MFA and Credential-Based Access: Use multi-factor authentication wherever possible,\r\nespecially for privileged or high-risk accounts. This adds a second layer of validation, making unauthorized\r\nentry more difficult.\r\nDeploy Advanced EDR Solutions: Behavioral detection capabilities help identify ransomware indicators\r\non managed endpoints, enabling quicker response. This proactive approach allows you to investigate and\r\nremediate both known and emerging threats.\r\nRegularly Schedule Backups: Backups serve as a safety net if files are encrypted. Store them offline or\r\non separate networks to protect against lateral movement by attackers.\r\nAI-Based Detection and Analytics: Employ platforms that can analyze and quarantine suspicious files\r\nbefore they execute. Solutions like Group-IB’s Managed XDR with Threat Intelligence provide:\r\nInsights into TTPs used by ransomware groups, enabling faster security pivots.\r\nMulti-layered security (endpoint, email, web, network) with automated detection and response.\r\nPrioritize Software Updates: Unpatched vulnerabilities are prime targets for initial compromise. 
Establish\r\na routine review process for applying critical updates.\r\nSecurity Awareness Programs: Humans are often the weakest link. Conduct regular phishing drills, and\r\nteach employees to report suspicious emails or incidents promptly.\r\nOngoing Technical Audits: Annual or biannual checks of infrastructure can uncover hidden weaknesses.\r\nMonitor digital hygiene and ensure strict access control and configuration management.\r\nNever Pay the Ransom: Paying attackers only encourages further extortion. Contact experienced IR teams\r\nas soon as possible to manage containment, eradication, and recovery efforts.\r\nMITRE ATT\u0026CK\r\nT1059 (Windows); T1059.004 (Linux/Unix Shell) – Command and Scripting Interpreter (Windows/Linux):\r\nThe ransomware supports command-line options on both Windows and Linux, including custom parameters\r\n(e.g., --mode, --esxi), enabling affiliates to automate encryption and process termination.\r\nT1134 – Access Token Manipulation: Lynx ransomware attempts to escalate privileges. It enables\r\n“SeTakeOwnershipPrivilege” for the current process access token, and takes ownership of the file object.\r\nThe ownership is then used to change the Discretionary Access Control List (DACL) of the file object.\r\nT1490 – Inhibit System Recovery: Lynx attempts to delete or resize Volume Shadow Copies (Windows) and\r\nremoves ESXi snapshots, hindering standard backup and recovery procedures.\r\nT1005 – Data from Local System: Files identified for encryption are enumerated locally or on mounted\r\ndrives/volumes (including hidden volumes loaded with load-drives).\r\nT1486 – Data Encrypted for Impact: Lynx’s core functionality is encrypting files (Windows/Linux). 
Ransom\r\ndemands are communicated via ransom notes, changed wallpapers, or\r\nprinted notes.\r\nPublicly Available Indicators of Compromise (IOCs)\r\nFile indicators (filename and SHA256) and network indicators (blog, chat, and panel domains) are listed in the\r\noriginal report.\r\nSource: https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/"
	],
	"report_names": [
		"cat-s-out-of-the-bag-lynx-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1777949184,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04dbee712985398f4e1a3f0cfe5f4bc3f3c0577f.pdf",
		"text": "https://archive.orkl.eu/04dbee712985398f4e1a3f0cfe5f4bc3f3c0577f.txt",
		"img": "https://archive.orkl.eu/04dbee712985398f4e1a3f0cfe5f4bc3f3c0577f.jpg"
	}
}