
Lynx


Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption while simultaneously threatening to publish or sell the data. It has been active since mid-2024. Its techniques include terminating processes and services, privilege escalation, and deleting shadow copies. It is distributed via phishing, malvertising, and exploitation of vulnerabilities.

Type: Ransomware
Origin: Unknown
First seen: 29 July, 2024
Last seen: 8 October, 2025




What is Lynx malware?

Lynx is a Ransomware-as-a-Service (RaaS) that uses both single and double extortion strategies: it encrypts files and exfiltrates sensitive data, threatening to publish that data unless a ransom is paid. Encrypted files receive the ‘.lynx’ extension, and backups such as shadow copies are deleted to prevent recovery.

Presumably a descendant of INC ransomware (it is believed to be built on INC source code that was put up for sale), Lynx emerged in July 2024.

Lynx encrypts files using AES-128 in CTR mode together with the Curve25519 Donna elliptic-curve implementation. It uses the Restart Manager API (RstrtMgr) to release files that are currently in use or locked by other applications so that they can be encrypted as well.

It prints a ransom note on any printer connected to the compromised system.

Lynx ransom note opened inside the ANY.RUN sandbox

Distributed via targeted phishing email campaigns, software vulnerabilities, and infected ads and websites, it evades detection and analysis using a number of techniques. Lynx is customizable and can deliver additional payloads.


Lynx malware technical details

  • By default, it aims to encrypt all files on the infected system, including network shares and drives. As a RaaS offering, it can be customized to focus on specific folders or file types.
  • Sensitive data gets exfiltrated via encrypted channels, such as HTTPS or custom protocols. Besides files, Lynx can steal credentials and screenshots.
  • Deletes shadow copies used to restore data.
  • Attempts to stop system processes and services using methods such as the Restart Manager API, specifically targeting services that would block encryption or facilitate backup.
  • Exploits vulnerabilities to escalate privileges within the targeted system.
  • Maintains communication with a C2 server, uses domain generation algorithms (DGA) to ensure reliable connections.
  • Can deliver malware payload, such as ransomware or wipers, or act as a backdoor for subsequent attacks.
  • Employs a number of advanced evasion mechanisms: code obfuscation, polymorphism, using stolen credentials to access system entities.
  • Detects VMs, sandboxes, delays execution or modifies behavior to avoid analysis tools.
  • Operates in-memory without writing files to the disk, reducing the chance of detection.

Lynx execution process

Lynx ransomware is a sophisticated malware variant renowned for its aggressive tactics and operational efficiency. Thanks to ANY.RUN's Interactive Sandbox, we can observe the malware's entire execution chain in a safe virtual environment.

Upon launching, Lynx parses any command-line arguments that dictate its behavior; if no arguments are provided, it defaults to encrypting all files on the system.

Lynx process graph displayed in the ANY.RUN sandbox

One of Lynx’s first actions is to terminate processes that could interfere with the encryption. It specifically targets backup and database-related applications — such as SQL, Veeam, Backup, Exchange, Java, and even Notepad — and iterates through these on its target list to stop them.

With potential obstacles removed, Lynx enumerates directories to identify files for encryption. To broaden its reach, it can mount hidden drives and network shares. It also hinders recovery efforts by deleting shadow copies and backup partitions, making it significantly more difficult for victims to restore data without paying the ransom.

Lynx malicious process analysis in the ANY.RUN sandbox

The malware uses robust encryption techniques, generating unique keys for each file, and appends the .lynx extension to all encrypted files. It can encrypt mounted drives, shared folders, and specified network resources.

After the encryption phase, Lynx delivers a ransom note on the victim’s desktop by changing the wallpaper, dropping a text file containing the ransom note, and placing an XPS file with the same message. This note typically provides a link to a dark web portal for paying the ransom and communicating with the attackers. Furthermore, Lynx employs “double extortion,” threatening to leak sensitive data if the ransom is not paid. This tactic amplifies pressure on victims, making Lynx a particularly formidable threat.
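The execution chain above (backup and database services stopped, shadow copies deleted, files renamed with the .lynx extension), together with the behaviours listed under "Lynx malware technical details", can be correlated into a simple host-level check. This is an added example, not ANY.RUN's code and not derived from the Lynx binary; the event dicts, service names and file paths are constructed here and do not follow any real EDR or Sysmon schema:

```python
import re

# Observable steps of the Lynx chain as described on this page. The event format
# below is constructed for this example, not a real Sysmon/EDR schema.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
BACKUP_KEYWORDS = ("sql", "veeam", "backup", "exchange")  # keywords from the kill list above
LYNX_EXT = ".lynx"

def analyze_events(events, rename_threshold=5):
    """Score a list of event dicts and return the indicators found plus a verdict."""
    found = {"shadow_delete": False, "lynx_renames": 0, "backup_stopped": []}
    for ev in events:
        kind = ev.get("type")
        if kind == "process" and SHADOW_DELETE.search(ev.get("cmd", "")):
            found["shadow_delete"] = True            # recovery hindered
        elif kind == "file_rename" and ev.get("target", "").lower().endswith(LYNX_EXT):
            found["lynx_renames"] += 1               # encryption in progress
        elif kind == "service_stop":
            name = ev.get("service", "").lower()
            if any(k in name for k in BACKUP_KEYWORDS):
                found["backup_stopped"].append(ev["service"])  # obstacle removal
    # One point per independent stage seen; mass renames count only above threshold.
    hits = sum([found["shadow_delete"],
                found["lynx_renames"] >= rename_threshold,
                bool(found["backup_stopped"])])
    found["verdict"] = {0: "none", 1: "low", 2: "medium", 3: "high"}[hits]
    return found

# Constructed telemetry in the order the page describes (stop services, delete
# shadow copies, then encrypt). "Dhcp" is a non-backup service used as a negative case.
SAMPLE_EVENTS = [
    {"type": "service_stop", "service": "VeeamBackupSvc"},
    {"type": "service_stop", "service": "MSSQLSERVER"},
    {"type": "service_stop", "service": "Dhcp"},
    {"type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
] + [{"type": "file_rename", "target": f"C:\\Users\\Public\\doc{i}.docx.lynx"}
     for i in range(6)]

if __name__ == "__main__":
    print(analyze_events(SAMPLE_EVENTS))
```

The rename threshold keeps a single stray .lynx file from raising the verdict on its own; tune it to the host's normal file churn.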


Collect Cyber Threat Intelligence on Lynx

Use Threat Intelligence Lookup from ANY.RUN to study IOCs and TTPs associated with Lynx and enforce your security framework against it. Search within a database of millions of malware analyses done in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can gather relevant data for further proactive measures.

ANY.RUN’s sandbox sessions with Lynx found via Threat Intelligence Lookup

You can search directly by the threat name or use related clues like hash values or network connections. By entering a query like threatName:"lynx", you'll get a list of sandbox reports featuring the most recent analyses of Lynx samples. You can navigate to each report and explore it in detail to understand the malware's behavior and collect crucial threat intelligence.


Lynx malware distribution methods

  • Spear-phishing email campaigns. Emails are crafted to appear legitimate and typically contain malicious attachments (e.g., Word documents, PDFs) or links to compromised websites.
  • Exploiting vulnerabilities in unpatched software (operating systems, browsers, other applications) and in popular document formats (e.g., macros in Microsoft Office files).
  • Malvertising: code embedded in malicious ads on legitimate websites redirects victims to exploit kits.
  • Supply chain attacks: compromising third-party software or libraries so that Lynx is distributed as part of trusted applications.

Conclusion

Lynx is a highly dangerous piece of ransomware aimed both at encrypting data and stealing it to do the most damage to the victim’s operations and reputation.

By default, Lynx is set to encrypt every file on the system. But as a RaaS, it is customizable via command-line arguments to precisely select files and directories to target.

It exploits various entry points into targeted networks and uses a number of anti-malware evasion techniques. Nevertheless, sophisticated tools like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup successfully withstand Lynx’s defenses and allow security teams to study its behavior, get ready to detect it and protect against it.

Sign up for a free ANY.RUN account to strengthen your security posture!
