
Lynx


Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption, while simultaneously threatening to publish or sell the data. It has been active since mid-2024. Its techniques include terminating processes and services, privilege escalation, and deleting shadow copies. It is distributed by phishing, malvertising, and the exploitation of vulnerabilities.

Type: Ransomware
Origin: Unknown
First seen: 29 July, 2024
Last seen: 12 March, 2025




What is Lynx malware?

Lynx is a Ransomware-as-a-Service (RaaS) offering with both single and double extortion strategies. It can encrypt files and exfiltrate sensitive data, threatening to publish that data unless a ransom is paid. Encrypted files receive a ‘.lynx’ extension, and backup artifacts such as shadow copies are deleted to prevent recovery.

Presumably a descendant of INC ransomware (believed to be built on INC's sold source code), it emerged in July 2024.

Lynx encrypts files using AES-128 in CTR mode combined with the Curve25519 Donna key-exchange implementation. It uses the Restart Manager API (“RstrtMgr”) to release and encrypt files that are currently in use or locked by other applications.

It prints a ransom note on any printer connected to the compromised system.

[Figure: Lynx ransom note opened inside the ANY.RUN sandbox]

Distributed via targeted phishing email campaigns, software vulnerabilities, and infected ads and websites, it evades detection and analysis through a number of techniques. Lynx is customizable and can deliver additional payloads.


Lynx malware technical details

  • By default, aims to encrypt all files on the infected system, including network shares and drives. As a RaaS offering, it can be customized to focus on specific folders or file types.
  • Sensitive data gets exfiltrated via encrypted channels, such as HTTPS or custom protocols. Besides files, Lynx can steal credentials and screenshots.
  • Deletes shadow copies used to restore data.
  • Attempts to kill system processes and services using methods like the RestartManager. Specifically targets services that prevent encryption and facilitate backup.
  • Exploits vulnerabilities to escalate privileges within the targeted system.
  • Maintains communication with a C2 server, uses domain generation algorithms (DGA) to ensure reliable connections.
  • Can deliver malware payload, such as ransomware or wipers, or act as a backdoor for subsequent attacks.
  • Employs a number of advanced evasion mechanisms: code obfuscation, polymorphism, using stolen credentials to access system entities.
  • Detects VMs, sandboxes, delays execution or modifies behavior to avoid analysis tools.
  • Operates in-memory without writing files to the disk, reducing the chance of detection.

Lynx execution process

Lynx ransomware is a sophisticated malware variant renowned for its aggressive tactics and operational efficiency. Thanks to ANY.RUN's Interactive Sandbox, we can observe the malware's entire execution chain in a safe virtual environment.

Upon launching, Lynx parses any command-line arguments that dictate its behavior; if no arguments are provided, it defaults to encrypting all files on the system.

[Figure: Lynx process graph displayed in the ANY.RUN sandbox]

One of Lynx’s first actions is to terminate processes that could interfere with the encryption. It specifically targets backup and database-related applications — such as SQL, Veeam, Backup, Exchange, Java, and even Notepad — and iterates through these on its target list to stop them.

With potential obstacles removed, Lynx enumerates directories to identify files for encryption. To broaden its reach, it can mount hidden drives and network shares. It also hinders recovery efforts by deleting shadow copies and backup partitions, making it significantly more difficult for victims to restore data without paying the ransom.

[Figure: Lynx malicious process analysis in the ANY.RUN sandbox]

The malware uses robust encryption techniques, generating unique keys for each file, and appends the .lynx extension to all encrypted files. It can encrypt mounted drives, shared folders, and specified network resources.

After the encryption phase, Lynx delivers a ransom note on the victim’s desktop by changing the wallpaper, dropping a text file containing the ransom note, and placing an XPS file with the same message. This note typically provides a link to a dark web portal for paying the ransom and communicating with the attackers. Furthermore, Lynx employs “double extortion,” threatening to leak sensitive data if the ransom is not paid. This tactic amplifies pressure on victims, making Lynx a particularly formidable threat.
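The behaviours described in the technical details list and the execution chain above (shadow copy deletion, stopping backup and database services, bulk renaming of files to the .lynx extension) can be turned into detection logic. The following is an added example, not ANY.RUN's code or anything from the Lynx sample; the log format and sample events are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real Lynx logs) in a simplified
# "ts|host|event|details" format covering the behaviours described above.
SAMPLE_EVENTS = """\
1000|ws01|ProcessCreate|cmd.exe /c vssadmin.exe delete shadows /all /quiet
1001|ws01|ProcessTerminate|sqlservr.exe
1002|ws01|ProcessTerminate|Veeam.Backup.Service.exe
1003|ws01|FileRename|C:\\Docs\\q1.xlsx -> C:\\Docs\\q1.xlsx.lynx
1004|ws01|FileRename|C:\\Docs\\q2.docx -> C:\\Docs\\q2.docx.lynx
1005|ws01|FileRename|\\\\fs01\\share\\plan.pdf -> \\\\fs01\\share\\plan.pdf.lynx
1006|ws02|FileRename|C:\\Docs\\old.txt -> C:\\Docs\\old.txt.lynx
1007|ws02|ProcessCreate|notepad.exe C:\\Docs\\readme.txt
"""

# Shadow-copy deletion through the two common built-in tools.
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.I,
)
# Backup/database services the page says Lynx stops before encrypting.
BACKUP_KEYWORDS = ("sql", "veeam", "backup", "exchange")
RANSOM_EXT = ".lynx"


def analyze(events, rename_threshold=3, window=60):
    """Return a list of (host, alert) tuples for Lynx-like behaviour."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of *.lynx renames
    for line in events.strip().splitlines():
        ts, host, event, details = line.split("|", 3)
        ts = int(ts)
        if event == "ProcessCreate" and SHADOW_DELETE_RE.search(details):
            alerts.append((host, "shadow copy deletion: " + details))
        elif event == "ProcessTerminate" and any(k in details.lower() for k in BACKUP_KEYWORDS):
            alerts.append((host, "backup/database process stopped: " + details))
        elif event == "FileRename" and details.lower().endswith(RANSOM_EXT):
            stamps = renames[host]
            stamps.append(ts)
            # Sliding window: keep only renames within `window` seconds.
            while stamps and ts - stamps[0] > window:
                stamps.pop(0)
            if len(stamps) == rename_threshold:  # fire once per burst
                alerts.append((host, f"{rename_threshold} files renamed to {RANSOM_EXT} within {window}s"))
    return alerts


if __name__ == "__main__":
    for host, alert in analyze(SAMPLE_EVENTS):
        print(host, alert)
```

On the sample above, ws01 trips all three rules while the single rename on ws02 stays below the threshold, which is the point of rate-based rather than per-file alerting.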


Collect Cyber Threat Intelligence on Lynx

Use Threat Intelligence Lookup from ANY.RUN to study IOCs and TTPs associated with Lynx and enforce your security framework against it. Search within a database of millions of malware analyses done in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can gather relevant data for further proactive measures.

[Figure: ANY.RUN sandbox sessions with Lynx found via Threat Intelligence Lookup]

You can search directly by the threat name or use related clues like hash values or network connections. By entering a query like threatName:"lynx", you'll get a list of sandbox reports featuring the most recent analyses of Lynx samples. You can navigate to each report and explore it in detail to understand the malware's behavior and collect crucial threat intelligence.


Lynx malware distribution methods

  • Spear-phishing email campaigns. Emails are crafted to appear legitimate and typically contain malicious attachments (e.g., Word documents, PDFs) or links to compromised websites.
  • Exploiting vulnerabilities in unpatched software (operating systems, browsers, other applications) and in popular document formats (e.g., macros in Microsoft Office files).
  • Malvertising: code embedded in malicious ads on legitimate websites redirects victims to exploit kits.
  • Supply Chain Attacks: compromises third-party software or libraries, distributing itself as part of trusted applications.

Conclusion

Lynx is a highly dangerous piece of ransomware aimed both at encrypting data and stealing it to do the most damage to the victim’s operations and reputation.

By default, Lynx is set to encrypt every file on the system. But as a RaaS, it is customizable via command-line arguments to precisely select files and directories to target.

It exploits various entry points into targeted networks and uses a number of anti-malware evasion techniques. Nevertheless, sophisticated tools like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup successfully withstand Lynx’s defenses and allow security teams to study its behavior, get ready to detect it and protect against it.

Sign up for a free ANY.RUN account to strengthen your security posture!
