What is Lynx malware?

Lynx is Ransomware-as-a-Service (RaaS) with both single and double extortion strategies. It can encrypt files and exfiltrate sensitive data with the threat of further publishing it unless a ransom is paid. Files are encrypted with a ‘.lynx’ extension, backup files like shadow copies get deleted to prevent recovery.

Presumably descendant of INC ransomware (is based on its sold source code), it emerged in July, 2024.

Lynx encrypts files using AES-128 in CTR mode and Curve25519 Donna encryption algorithms. It uses the Restart Manager API “RstrtMgr” to encrypt files that are currently in use or locked by other applications.

It prints a ransom note on any printer connected to the compromised system.

Distributed via targeted pishing email campaigns, software vulnerabilities, infected ads and websites, it evades detection and analysis by a number of techniques. Lynx is customizable and can deliver additional payload.

Lynx malware technical details

• By default, aims to encrypt all the files in the infected system including network shares and drives. Customized as RaaS, can focus on specific folders or file types.
• Sensitive data gets exfiltrated via encrypted channels, such as HTTPS or custom protocols. Besides files, Lynx can steal credentials and screenshots.
• Deletes shadow copies used to restore data.
• Attempts to kill system processes and services using methods like the RestartManager. Specifically targets services that prevent encryption and facilitate backup.
• Exploits vulnerabilities to escalate privileges within the targeted system.
• Maintains communication with a C2 server, uses domain generation algorithms (DGA) to ensure reliable connections.
• Can deliver malware payload, such as ransomware or wipers, or act as a backdoor for subsequent attacks.
• Employs a number of advanced evasion mechanisms: code obfuscation, polymorphism, using stolen credentials to access system entities. Detects VMs, sandboxes, delays execution or modifies behavior to avoid analysis tools. Operates in-memory without writing files to the disk, reducing the chance of detection.

Lynx execution process

Collect Cyber Threat Intelligence on Lynx

Use Threat Intelligence Lookup from ANY.RUN to study IOCs and TTPs associated with Lynx and enforce your security framework against it. Search within a database of millions of malware analyses done in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can gather relevant data for further proactive measures.

Lynx malware distribution methods

• Spear-phishing email campaigns. Emails are crafted to appear legitimate and typically contain malicious attachments (e.g., Word documents, PDFs) or links to compromised websites.
• Exploiting vulnerabilities in unpatched software (operating systems, browsers, other applications), in popular document formats (e.g., macros in Microsoft Office files).
• Malvertising: code embedded in malicious ads on legitimate websites redirects victims to exploit kits.
• Supply Chain Attacks: compromises third-party software or libraries, distributing itself as part of trusted applications.

Conclusion

Lynx is a highly dangerous piece of ransomware aimed both at encrypting data and stealing it to do the most damage to the victim’s operations and reputation.

By default, Lynx is set to encrypt every file on the system. But as a RaaS, it is customizable via command-line arguments to precisely select files and directories to target.

It exploits various entry points into targeted networks and uses a number of anti-malware evasion techniques. Nevertheless, sophisticated tools like ANY.RUN’s Sandbox and Threat Intelligence Lookup successfully withstand Lynx’s defenses and allow security teams to study its behavior, get ready to detect it and protect against it.