Discovery Enum
- SoftPerfect NetScan
Lynx is a ransomware family/group first observed in mid-2024 that operates under a ransomware-as-a-service model and uses double extortion, combining file encryption with data exfiltration and leak-site pressure.
Profile source: Mallory opens in a new tabLynx
Lynx is a ransomware family/group first observed in mid-2024 that operates under a ransomware-as-a-service model and uses double extortion, combining file encryption with data exfiltration and leak-site pressure. Multiple sources in the content assess Lynx as closely related to, evolved from, or possibly a rebrand of INC Ransom; it reportedly emerged after the 2024 underground sale of INC Windows and Linux/ESXi source code, and substantial code overlap with INC is repeatedly noted. One source states Lynx shares 48% of its source code with INC.
Reported capabilities include encrypting victim data, stealing sensitive information, appending the .lynx extension to encrypted files, deleting shadow copies/backups, terminating processes, mounting hidden drives, encrypting files on network shares, and printing ransom notes on printers. The content also places Lynx in observed attack chains where an EDR-killer is deployed before ransomware execution.
Initial access and delivery methods mentioned for Lynx-related activity include phishing emails, exploitation of public-facing systems, and use of stolen or brokered credentials. SOCRadar linked Lynx to the FortiBleed credential-harvesting campaign targeting Fortinet FortiGate devices: researchers reported an operator simultaneously logged into both INC and Lynx negotiation panels, overlap between FortiBleed victims and INC/Lynx-related activity, and downstream ransomware deployments following harvested FortiGate access. The FortiBleed reporting ties Lynx-associated activity to large-scale compromise of FortiGate environments across more than 150 countries.
Targeting described in the content includes healthcare, retail, real estate, architecture, financial services, environmental services, and U.S. energy/oil-and-gas-related facilities. The content also notes healthcare intrusions in 2026 and broader activity in the U.S. and UK. High-confidence identifiers directly mentioned include the .lynx file extension and the use of Lynx negotiation/admin panels observed in screenshots from FortiBleed infrastructure.
Ransomware.live
Ransomware.live
b1d81e8bbecccc547645d17395538a2da20886a5b378624d16972db66bd4e7e1f16238836909d07f86154c5ccbade96a30656c737338818bee8cc3591e3f3dcc571684f28ce1cf4d8236dbd46ef6f7f065c0c7c9fe6bc1d5296447aae6c6c14cd972bbbb3edb0e5ab5751b911f3dda17146d350fd6271b4411714c630d8cda87ff458208c49836cdec92f0a4a7ba6afd67a44a38cc36becd6e2e9c20c27fd9adReported operators
“Akira and Lynx: … Lynx might be a rebrand of the INC ransomware group.”
MITRE ATT&CK
Reporting
SOCRadars Threat Research Unit fand einen Operator, der gleichzeitig in den Verhandlungspanels von INC Ransom und Lynx eingeloggt war – der belastbare Beweis, dass FortiBleed direkt in die Ransomware-Ökonomie einspeist.
Des captures d’écran montrent des sessions navigateur actives sur ces panneaux, incluant des chats de négociation avec des victimes.
FortiBleed, the large-scale credential-harvesting operation targeting organizations in 150 countries, has led to the deployment of INC Ransom and Lynx ransomware families, SOCRadar reports.
STRU found an operator actively logged into the negotiation panels of both INC Ransom and Lynx ransomware, engaging directly with ransom demands.
SOCRadar's Threat Research Unit latest research now ties the credential theft operation directly to members of the INC and Lynx ransomware-as-a-service (RaaS) groups.
The group claimed nearly 1,000 victims since its inception, and in 2024, the source code for both the Windows and Linux/ESXi encryptors were sold on underground forums. That sale gave rise to at least two families, Lynx and Sinobi, and introduced an attribution complexity that persist today.
Since the disruption of its source code seller in 2024, related ransomware families such as Lynx and Knoba emerged with significant code overlaps tied to INC.
Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.