The PolySwarm Blog

Lynx Ransomware

Feb 3, 2025 1:43:43 PM / by The Hivemind

Related Families: INC
Verticals Targeted: Legal Services, Retail, Finance, Telecommunications, Agriculture, Manufacturing, Construction, Transportation, Healthcare, Energy

Executive Summary

Lynx ransomware is a ransomware-as-a-service (RaaS) that was first observed in July 2024. Since its debut, the ransomware has gained momentum and has continued its activity into early 2025.

Key Takeaways

  • Lynx ransomware is a ransomware-as-a-service (RaaS) that was first observed in July 2024.
  • Lynx, which is capable of targeting Windows, Linux, and ESXi environments, is most often delivered via phishing.
  • Lynx relies on Curve25519 Donna and AES-128 for encryption and has customizable encryption modes. 
  • Due to its momentum and sophisticated affiliate program, PolySwarm analysts consider Lynx ransomware to be an emerging threat. 

What is Lynx Ransomware?

Lynx ransomware is a ransomware-as-a-service (RaaS) that was first observed in July 2024. Since its debut, the ransomware has gained momentum, with a 900% increase in victims from July to August 2024. Lynx has continued its activity into early 2025. Group-IB recently reported on Lynx ransomware. 

Lynx, which is capable of targeting Windows, Linux, and ESXi environments, is most often delivered via phishing. Lynx has customizable encryption modes, allowing affiliates to choose between “fast”, “medium”, “slow”, and “entire” options for file encryption. This allows threat actors to prioritize speed or thoroughness when encrypting victim files. Some industry sources indicate Lynx may have purchased its source code from INC ransomware. 

Lynx relies on Curve25519 Donna and AES-128 for encryption. When Lynx encrypts a victim’s files, it appends the .LYNX extension to the file name. It also drops a ransom note, demanding ransom to decrypt the files. Like many ransomware families, Lynx has a dedicated leaks site. The threat actors behind Lynx use a double extortion model, threatening to leak stolen information if the ransom is not paid. 
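A defender-side check tied to the behavior described above: files that now carry the .LYNX suffix should also show encrypted (high-entropy) content, which distinguishes real encryptor output from a merely renamed file. This is an added example, not code from the bulletin or from PolySwarm; the entropy threshold and the sample files it scans are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension the bulletin reports Lynx appends to encrypted files.
LYNX_EXTENSION = ".LYNX"
# Assumed threshold (not from the bulletin): bits per byte above this looks encrypted.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_lynx_artifacts(root, sample_bytes: int = 4096) -> list[dict]:
    """Walk `root` and report files carrying the .LYNX suffix, with an entropy
    check on the leading bytes so a renamed-but-plaintext file is not mistaken
    for encryptor output."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not path.name.upper().endswith(LYNX_EXTENSION):
            continue
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))
        hits.append({
            "path": str(path),
            "original_name": path.name[: -len(LYNX_EXTENSION)],
            "entropy": round(entropy, 2),
            "looks_encrypted": entropy >= ENTROPY_THRESHOLD,
        })
    return hits


def demo() -> list[dict]:
    """Constructed sample tree (not real Lynx output): one random-byte file with
    the suffix, one renamed plaintext file, and one untouched document."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "invoice.docx.LYNX").write_bytes(os.urandom(4096))
        (Path(root) / "notes.txt.LYNX").write_bytes(b"A" * 4096)
        (Path(root) / "readme.txt").write_bytes(b"not encrypted")
        return scan_for_lynx_artifacts(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point the scanner at a file share or backup mount; a hit whose `looks_encrypted` is False deserves a manual look, since it may be a decoy, a partially written file, or a false positive.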

According to Group-IB, Lynx has a sophisticated affiliate program. Lynx recruits affiliates on underground forums and is known to prioritize security and quality control. Lynx uses an intricate affiliate panel that includes sections for news, companies, chats, stuffers, and leaks. Through this interface, affiliates can configure victim profiles, generate custom ransomware samples, and manage data leak schedules. Affiliates are reportedly given an 80% share of the ransom proceeds. Notably, Lynx also offers “call centers” that can be used to harass victims, and advanced storage options for profitable affiliates.

Lynx’s victims have included entities in the legal services, retail, finance, telecommunications, agriculture, manufacturing, construction, transportation, healthcare, and energy sectors, among others. Targets have included entities in the US, UK, France, Canada, Turkey, Costa Rica, Italy, China, GCC, Cape Verde, Dominican Republic, Belgium, Argentina, Australia, India, Singapore, and Luxembourg. Due to its momentum and sophisticated affiliate program, PolySwarm analysts consider Lynx ransomware to be an emerging threat. 

IOCs

PolySwarm has multiple samples of Lynx.

You can use the following CLI command to search for all Lynx samples in our portal:

$ polyswarm link list -f Lynx
