{
	"id": "2e8317b2-296b-49d0-bf14-c031fbee5a08",
	"created_at": "2026-04-06T01:30:26.885922Z",
	"updated_at": "2026-04-10T03:21:59.130644Z",
	"deleted_at": null,
	"sha1_hash": "7c8803ff242c6a41c0a202c04d69b1d4489d2302",
	"title": "Lynx Ransomware: A Rebranding of INC Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4132994,
	"plain_text": "Lynx Ransomware: A Rebranding of INC Ransomware\r\nBy Pranay Kumar Chhaparwal, Micah Yates, Benjamin Chang\r\nPublished: 2024-10-10 · Archived: 2026-04-06 00:11:47 UTC\r\nExecutive Summary\r\nIn July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in sectors including retail, real estate, architecture, and financial and environmental services in the U.S. and UK.\r\nLynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware first surfaced in August 2023 and had variants for both Windows and Linux. So far we have observed only Windows samples of Lynx; no Linux samples have been confirmed. Lynx operates under a ransomware-as-a-service (RaaS) model.\r\nThis article covers the timeline of these more recent attacks and the evolving tactics employed by the threat actor behind this ransomware.\r\nPalo Alto Networks customers are better protected from Lynx ransomware through our Network Security solutions and Cortex line of products.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nRelated Unit 42 Topics: Ransomware, Double Extortion\r\nActivity Timeline\r\nFigure 1 compares the number of confirmed samples we have discovered for INC and Lynx ransomware, counted per month from October 2023 through September 2024.\r\nhttps://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/\r\nPage 1 of 14\r\nFigure 1. INC versus Lynx ransomware sample timeline.\r\nThe source code for INC ransomware was available for sale on the criminal underground market as early as March 2024. 
Because of this, we expect other malware authors to acquire and repackage this code into new ransomware, as the Lynx group did, so reuse of the INC codebase by new or rebranded groups is likely to grow.\r\nDelivery Mechanism\r\nThe group behind Lynx ransomware represents an increasingly prevalent and sophisticated double-extortion threat. The operators distribute their ransomware through a variety of vectors, including:\r\nPhishing emails that deceive users into revealing sensitive information\r\nMalicious downloads that surreptitiously install the ransomware onto victims' systems\r\nHacking forums where cybercriminals share information and resources\r\nDouble extortion means that Lynx exfiltrates a victim's data before encrypting it. Encryption renders the data inaccessible, and the stolen copy lets the group leak or sell the information if the victim does not pay the ransom. A practical consequence for defenders is that restoring from backups does not remove the leverage: the exfiltrated data must be treated as breached regardless of how quickly systems are recovered.\r\nAs with other ransomware groups, this multifaceted approach to cyberextortion makes Lynx a formidable threat to individuals and organizations alike, and organizations need robust defenses to counter it.\r\nData Leak Site\r\nThe group asserts that it has breached data from numerous companies and publicly displays the stolen information on its website at http[:]//lynxblog[.]net, as shown in Figures 2 and 3.\r\nFigure 2. Leaked data published on the Lynx ransomware website.\r\nFigure 3. Leaked data with total income, date and size of data.\r\nThe group recently released a statement of its policy on targeting, shown in Figure 4. 
The group states that it is financially motivated but claims not to target government institutions, hospitals or non-profit organizations.\r\nFigure 4. Statement of targeting policy published on the Lynx ransomware website.\r\nThe group has also created a reporting page for its operations, shown in Figure 5.\r\nFigure 5. Reporting form on the Lynx ransomware website.\r\nFigure 6 shows the logo used for Lynx ransomware on its website.\r\nFigure 6. Lynx ransomware logo used on its website.\r\nTechnical Analysis of Lynx Ransomware\r\nThe Lynx samples we analyzed use AES-128 in CTR mode together with Curve25519 (the curve25519-donna implementation). Curve25519 is an elliptic-curve key agreement primitive rather than a file cipher; this pairing typically means that the symmetric cipher encrypts file contents while the curve protects the symmetric keys, so that decryption is infeasible without the operator's private key. Encrypted files have the .lynx extension appended. This version is built for Windows and written in C++.\r\nAttackers can tailor a run of Lynx ransomware through command-line arguments, illustrated in Figure 7.\r\nFigure 7. Command-line options present in the malware.\r\nThe ransomware's features include:\r\nDesignating specific directories or files for encryption\r\nTerminating services and processes\r\nEncrypting network drives\r\nMounting hidden disks\r\nEnabling or disabling the background image change\r\nPrinting all console logs\r\nFigure 8 shows code snippets for the arguments available in Lynx ransomware, including the options to mount hidden drives and to encrypt network shares.\r\nFigure 8. Encryption mode in the malware.\r\nIf no arguments are given, the ransomware defaults to encrypting all files and drives on the system. 
It also deletes volume shadow copies and backup partitions, as shown in Figure 9, removing the local recovery points that would otherwise allow restoration without paying.\r\nFigure 9. Running a Lynx ransomware sample with default arguments in a command terminal.\r\nAs the debugger output in Figure 10 shows, the ransomware enumerates all drive letters, attempts to mount each drive, then encrypts the data it contains.\r\nFigure 10. Lynx ransomware sample checking for drive letters.\r\nBefore starting encryption, the sample kills the processes listed in Figure 11 if they are running on the system.\r\nFigure 11. Lynx checking for various processes in the system.\r\nFigure 12 shows code snippets illustrating this process-termination routine.\r\nFigure 12. Code snippets checking process and termination.\r\nLike many other ransomware strains, Lynx uses the Windows Restart Manager API (RstrtMgr, exported from rstrtmgr.dll) to maximize its impact on the victim's system. Restart Manager tells the ransomware which applications hold a given file open, so that files currently in use or locked by other programs can be released and encrypted rather than skipped. Conti, Cactus and BiBi Wiper have also been observed using this technique. Because legitimate use of Restart Manager is largely confined to installers and updaters, a freshly dropped, unsigned executable loading rstrtmgr.dll and shutting down applications is a useful hunting signal.\r\nAfter encrypting all files, the ransomware attempts to print a report via Microsoft OneNote, as shown in the debugger output in Figure 13 and the command-line output in Figure 14.\r\nFigure 13. Debugger output showing a Lynx ransomware sample sending notes to OneNote.\r\nFigure 14. 
Command-line output after running Lynx ransomware, showing that it sent notes to OneNote on completion of encryption.\r\nFigure 15 shows that the ransomware appends a .lynx extension to every encrypted file name.\r\nFigure 15. Desktop from a Lynx ransomware infection with the .lynx file extension appended to encrypted files.\r\nA program database (PDB) path containing the word Lynx identifies the sample as a Lynx variant, as shown in the output of a Portable Executable (PE) analyzer in Figure 16. A PDB path is a build artifact that a developer can strip or falsify, so it supports attribution but should not be the sole basis for it.\r\nFigure 16. Lynx sample .pdb path.\r\nLynx also drops a README.txt file as its ransom note. The note is stored Base64-encoded in the sample's data section; Figure 17 shows both the encoded text and the decoded note.\r\nFigure 17. Ransom note Base64-encoded text from the Lynx ransomware sample and the decoded ransom note.\r\nFigure 18 shows a different ransom note from another Lynx ransomware sample.\r\nFigure 18. Ransom note from another Lynx ransomware sample.\r\nComparison With INC Ransomware\r\nWe used the open-source tool BinDiff to compare a Lynx ransomware sample with an INC ransomware sample. Figure 19 shows the BinDiff results, with the INC sample in the Primary Call Graph (bottom right) and the Lynx sample in the Secondary Call Graph (bottom left). Cross-referencing the call graphs of both samples shows the extent to which their code structure and functionality overlap and diverge.\r\nFigure 19. 
Code similarity between INC and Lynx ransomware as shown by BinDiff.\r\nOverall, BinDiff matched 48% of the functions between the two samples, meaning that nearly half of the functions in the INC sample also appear in the Lynx sample.\r\nRestricted to functions common to both families, the match rate rises to 70.8%. This substantial overlap strongly suggests that the developers of Lynx borrowed and repurposed a considerable portion of the INC codebase. Shared functions can include statically linked library code as well as the authors' own code, so function-match rates should be read alongside the other evidence above rather than on their own.\r\nReusing code between ransomware families is common among cybercriminals. By building on preexisting code from other successful ransomware, threat actors save development time and resources, which can lead to more successful and widespread campaigns.\r\nConclusion\r\nLynx ransomware is active and evolving, yet its authors continue to reuse recognizable code patterns in newer versions. Palo Alto Networks monitors such campaigns and uses both static and dynamic methods to detect and block them.\r\nRansomware is a familiar presence in the threat landscape, and there are numerous approaches to protecting customers from these evolving attacks, including dynamic and behavioral detections as well as more reactive signature- or pattern-based solutions.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from Lynx ransomware through the following products:\r\nThe Cortex XDR Anti-Ransomware module protects against the threats described in both versions of the malware: Windows and Linux. 
\r\nAdvanced WildFire: The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hashes of Windows EXE samples for Lynx ransomware:\r\n571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b\r\n82eb1910488657c78bef6879908526a2a2c6c31ab2f0517fcc5f3f6aa588b513\r\neaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc\r\nSHA256 hashes of Windows EXE samples for INC 
ransomware:\r\n02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461\r\n05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9\r\n11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd\r\n1754c9973bac8260412e5ec34bf5156f5bb157aa797f95ff4fc905439b74357a\r\n1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a\r\n29a25e971dbb87d3adcee75693782d978a3ca9f64df0a59b015ca519a4026c49\r\n3156ee399296d55e56788b487701eb07fd5c49db04f80f5ab3dc5c4e3c071be0\r\n36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e\r\n508a644d552f237615d1504aa1628566fe0e752a5bc0c882fa72b3155c322cef\r\n64b249eb3ab5993e7bcf5c0130e5f31cbd79dabdcad97268042780726e68533f\r\n7f104a3dfda3a7fbdd9b910d00b0169328c5d2facc10dc17b4378612ffa82d51\r\n869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947\r\n9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d\r\nca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c\r\nd147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6\r\ne17c601551dfded76ab99a233957c5c4acf0229b46cd7fc2175ead7fe1e3d261\r\nee1d8ac9fef147f0751000c38ca5d72feceeaae803049a2cd49dcce15223b720\r\nf96ecd567d9a05a6adb33f07880eebf1d6a8709512302e363377065ca8f98f56\r\nfcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced\r\nfef674fce37d5de43a4d36e86b2c0851d738f110a0d48bae4b2dab4c6a2c373e\r\nSHA256 hashes of Linux ELF samples for INC ransomware:\r\n63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7\r\na0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5\r\nc41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef\r\nContact email address from Lynx ransomware note:\r\nmartina.lestariid1898@proton[.]me\r\nPublicly accessible leak site blog for Lynx ransomware:\r\nlynxblog[.]net\r\nTor URLs for Lynx ransomware:\r\nhttp[:]//lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion\r\nhttp[:]//lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures\r\nhttp[:]//lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd[.]onion\r\nhttp[:]//lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd[.]onion\r\nhttp[:]//lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad[.]onion\r\nhttp[:]//lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad[.]onion\r\nhttp[:]//lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad[.]onion\r\nhttp[:]//lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd[.]onion\r\nhttp[:]//lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid[.]onion\r\nhttp[:]//lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login\r\nhttp[:]//lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd[.]onion/login\r\nhttp[:]//lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd[.]onion/login\r\nhttp[:]//lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd[.]onion/login\r\nhttp[:]//lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd[.]onion/login\r\nhttp[:]//lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad[.]onion/login\r\nhttp[:]//lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad[.]onion/login\r\nhttp[:]//lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad[.]onion/login\r\nSource: https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/"
	],
	"report_names": [
		"inc-ransomware-rebrand-to-lynx"
	],
	"threat_actors": [],
	"ts_created_at": 1775439026,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c8803ff242c6a41c0a202c04d69b1d4489d2302.pdf",
		"text": "https://archive.orkl.eu/7c8803ff242c6a41c0a202c04d69b1d4489d2302.txt",
		"img": "https://archive.orkl.eu/7c8803ff242c6a41c0a202c04d69b1d4489d2302.jpg"
	}
}