Skip to content
Ransomware group

Lynx

Lynx is a ransomware family/group first observed in mid-2024 that operates under a ransomware-as-a-service model and uses double extortion, combining file encryption with data exfiltration and leak-site pressure.

Profile source: Mallory opens in a new tab

Lynx

Family profile

Lynx is a ransomware family/group first observed in mid-2024 that operates under a ransomware-as-a-service model and uses double extortion, combining file encryption with data exfiltration and leak-site pressure. Multiple sources in the content assess Lynx as closely related to, evolved from, or possibly a rebrand of INC Ransom; it reportedly emerged after the 2024 underground sale of INC Windows and Linux/ESXi source code, and substantial code overlap with INC is repeatedly noted. One source states Lynx shares 48% of its source code with INC.

Reported capabilities include encrypting victim data, stealing sensitive information, appending the .lynx extension to encrypted files, deleting shadow copies/backups, terminating processes, mounting hidden drives, encrypting files on network shares, and printing ransom notes on printers. The content also places Lynx in observed attack chains where an EDR-killer is deployed before ransomware execution.

Initial access and delivery methods mentioned for Lynx-related activity include phishing emails, exploitation of public-facing systems, and use of stolen or brokered credentials. SOCRadar linked Lynx to the FortiBleed credential-harvesting campaign targeting Fortinet FortiGate devices: researchers reported an operator simultaneously logged into both INC and Lynx negotiation panels, overlap between FortiBleed victims and INC/Lynx-related activity, and downstream ransomware deployments following harvested FortiGate access. The FortiBleed reporting ties Lynx-associated activity to large-scale compromise of FortiGate environments across more than 150 countries.

Targeting described in the content includes healthcare, retail, real estate, architecture, financial services, environmental services, and U.S. energy/oil-and-gas-related facilities. The content also notes healthcare intrusions in 2026 and broader activity in the U.S. and UK. High-confidence identifiers directly mentioned include the .lynx file extension and the use of Lynx negotiation/admin panels observed in screenshots from FortiBleed infrastructure.

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • SoftPerfect NetScan

Exfiltration

  • Restic

Ransomware.live

Published indicators

Full source record ↗

Md5

19 total
  • b1d81e8bbecccc547645d17395538a2d
  • a20886a5b378624d16972db66bd4e7e1
  • f16238836909d07f86154c5ccbade96a
  • 30656c737338818bee8cc3591e3f3dcc
  • 571684f28ce1cf4d8236dbd46ef6f7f0
  • 65c0c7c9fe6bc1d5296447aae6c6c14c
  • d972bbbb3edb0e5ab5751b911f3dda17
  • 146d350fd6271b4411714c630d8cda87
  • ff458208c49836cdec92f0a4a7ba6afd
  • 67a44a38cc36becd6e2e9c20c27fd9ad

Reported operators

Threat actors

1 named in public reporting
INC

“Akira and Lynx: … Lynx might be a rebrand of the INC ransomware group.”

MITRE ATT&CK

Lynx in ATT&CK

17 distinct techniques

Reporting

Research mentioning Lynx

Jul 8
Hisolutions Research

Die Perimeter-Schmelze | HiSolutions Research

SOCRadars Threat Research Unit fand einen Operator, der gleichzeitig in den Verhandlungspanels von INC Ransom und Lynx eingeloggt war – der belastbare Beweis, dass FortiBleed direkt in die Ransomware-Ökonomie einspeist.

Jul 3
Cyberveille

FortiBleed : vol massif de credentials Fortinet lié aux ransomwares INC et Lynx | CyberVeille

Des captures d’écran montrent des sessions navigateur actives sur ces panneaux, incluant des chats de négociation avec des victimes.

Jul 2
Security Week

FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks - SecurityWeek

FortiBleed, the large-scale credential-harvesting operation targeting organizations in 150 countries, has led to the deployment of INC Ransom and Lynx ransomware families, SOCRadar reports.

Jul 1
Socradar

SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations

STRU found an operator actively logged into the negotiation panels of both INC Ransom and Lynx ransomware, engaging directly with ransom demands.

Jul 1
Bleeping Computer

FortiBleed credential-theft campaign linked to Lynx ransomware

SOCRadar's Threat Research Unit latest research now ties the credential theft operation directly to members of the INC and Lynx ransomware-as-a-service (RaaS) groups.

Jun 24
Cyberandramen

INC Ransomware Targets Mainframes

The group claimed nearly 1,000 victims since its inception, and in 2024, the source code for both the Windows and Linux/ESXi encryptors were sold on underground forums. That sale gave rise to at least two families, Lynx and Sinobi, and introduced an attribution complexity that persist today.

Jun 19
Cyber Security News

INC Ransomware Uses Rust-Based Windows and Linux/ESXi Encryptors in New Attacks

Since the disruption of its source code seller in 2024, related ransomware families such as Lynx and Knoba emerged with significant code overlaps tied to INC.

Jun 19
Cysecurity News

INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims - CySecurity News - Latest Information Security and Hacking Incidents

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.