What is Lynx ransomware?
In mid-2024, a new ransomware actor named Lynx emerged in the threat landscape. This Ransomware-as-a-Service (RaaS) strain is known to target organizations in the finance, architecture, and manufacturing sectors [1] [2]. However, Darktrace’s Threat Research teams also identified Lynx incidents affecting energy and retail organizations in the Middle East and Asia-Pacific (APAC) regions. Despite being a relatively new actor, Lynx’s malware shares large portions of its source code with the INC ransomware variant, suggesting that the group may have acquired and repurposed the readily available INC code to develop its own strain [2].
What techniques does Lynx ransomware group use?
Lynx employs several common attack vectors, including phishing emails which result in the download and installation of ransomware onto systems upon user interaction. The group poses a sophisticated double extortion threat to organizations, exfiltrating sensitive data prior to encryption [1]. This tactic allows threat actors to pressure their targets by threatening to release sensitive information publicly or sell it if the ransom is not paid. The group has also been known to gradually release small batches of sensitive information (i.e., “drip” data) to increase pressure.
Once executed, the malware encrypts files and appends the extension ‘.LYNX’ to all encrypted files. It eventually drops a Base64 encoded text file as a ransom note (i.e., README.txt) [1]. Should initial file encryption attempts fail, the operators have been known to employ privilege escalation techniques to ensure full impact [2].
In the Annual Threat Report 2024, Darktrace’s Threat Research team identified Lynx ransomware as one of the top five most significant threats, impacting both its customers and the broader threat landscape.
Darktrace Coverage of Lynx Ransomware
In cases of Lynx ransomware observed across the Darktrace customer base, Darktrace / NETWORK identified and suggested Autonomous Response actions to contain network compromises from the onset of activity.
Detection of lateral movement
One such Lynx compromise occurred in December 2024 when Darktrace observed multiple indicators of lateral movement on a customer network. The lateral movement activity started with a high volume of attempted binds to the service control endpoint of various destination devices, suggesting SMB file share enumeration. This activity also included repeated attempts to establish internal connections over destination port 445, as well as other privileged ports. Spikes in failed internal connectivity, such as those exhibited by the device in question, can indicate network scanning. Elements of the internal connectivity also suggested the use of the attack and reconnaissance tool, Nmap.
Indicators of compromised administrative credentials
Although an initial access point could not be confirmed, the widespread use of administrative credentials throughout the lateral movement process demonstrated the likely compromise of such privileged usernames and passwords. The operators of the malware frequently used both 'admin' and 'administrator' credentials throughout the incident, suggesting that attackers may have leveraged compromised default administrative credentials to gain access and escalate privileges. These credentials were observed on numerous devices across the network, triggering Darktrace models that detect unusual use of administrative usernames via methods like NTLM and Kerberos.
Data exfiltration
The lateral movement and reconnaissance behavior was then followed by unusual internal and external data transfers. One such device exhibited an unusual spike in internal data download activity, downloading around 150 GiB over port 3260 from internal network devices. The device then proceeded to upload large volumes of data to the external AWS S3 storage bucket: wt-prod-euwest1-storm.s3.eu-west-1.amazonaws[.]com. Usage of external cloud storage providers is a common tactic to avoid detection of exfiltration, given the added level of legitimacy afforded by cloud service provider domains.
Furthermore, Darktrace observed the device exhibiting behavior suggesting the use of the remote management tool AnyDesk when it made outbound TCP connections to hostnames such as:
relay-48ce591e[.]net[.]anydesk[.]com
relay-c9990d24[.]net[.]anydesk[.]com
relay-da1ad7b4[.]net[.]anydesk[.]com
Tools like AnyDesk can be used for legitimate administrative purposes. However, such tools are also commonly leveraged by threat actors to enable remote access and further compromise activity. The activity observed from the noted device during this time suggests the tool was used by the ransomware operators to advance their compromise goals.
The observed activity culminated in the encryption of thousands of files with the '.Lynx' extension. Darktrace detected devices performing uncommon SMB write and move operations on the drives of destination network devices, featuring the appending of the Lynx extension to local host files. Darktrace also identified similar levels of SMB read and write sizes originating from certain devices. Parallel volumes of SMB read and write activity strongly suggest encryption, as the malware opens, reads, and then encrypts local files on the hosted SMB disk share. This encryption activity frequently highlighted the use of the seemingly-default credential: "Administrator".
In this instance, Darktrace’s Autonomous Response capability was configured to only take action upon human confirmation, meaning the customer’s security team had to manually apply any suggested actions. Had the deployment been fully autonomous, Darktrace would have blocked connectivity to and from the affected devices, giving the customer additional time to contain the attack and enforce existing network behavior patterns while the IT team responded accordingly.
Conclusion
As reported by Darktrace’s Threat Research team in the Annual Threat Report 2024, both new and old ransomware strains were prominent across the threat landscape last year. Due to the continually improving security postures of organizations, ransomware actors are forced to constantly evolve and adopt new tactics to successfully carry out their attacks.
The Lynx group’s use of INC source code, for example, suggests a growing accessibility for threat actors to launch new ransomware strains based on existing code – reducing the cost, resources, and expertise required to build new malware and carry out an attack. This decreased barrier to entry will surely lead to an increased number of ransomware incidents, with attacks not being limited to experienced threat actors.
While Darktrace expects ransomware strains like Lynx to remain prominent in the threat landscape in 2025 and beyond, Darktrace’s ability to identify and respond to emerging ransomware incidents – as demonstrated here – ensures that customers can safeguard their networks and resume normal business operations as quickly as possible, even in an increasingly complex threat landscape.
Credit to Justin Torres (Senior Cyber Analyst) and Adam Potter (Senior Cyber Analyst).
[related-resource]
Appendices
References
1. https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
Autonomous Response Model Alerts
· Antigena::Network::Significant Anomaly::Antigena Alerts Over Time Block
· Antigena::Network::Insider Threat::Antigena Active Threat SMB Write Block
· Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block
· Antigena::Network::Significant Anomaly::Antigena Significant Anomaly from Client Block
· Antigena::Network::Insider Threat::Antigena Network Scan Block
· Antigena::Network::Insider Threat::Antigena Internal Anomalous File Activity
· Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Block
· Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Pattern of Life Block
· Antigena::Network::Insider Threat::Antigena Large Data Volume Outbound Block
Darktrace / NETWORK Model Alerts
· Device::Multiple Lateral Movement Model Alerts
· Device::Suspicious Network Scan Activity
· Anomalous File::Internal::Additional Extension Appended to SMB File
· Device::SMB Lateral Movement
· Compliance::SMB Drive Write
· Compromise::Ransomware::Suspicious SMB Activity
· Anomalous File::Internal::Unusual SMB Script Write
· Device::Network Scan
· Device::Suspicious SMB Scanning Activity
· Device::RDP Scan
· Unusual Activity::Anomalous SMB Move & Write
· Anomalous Connection::Sustained MIME Type Conversion
· Compromise::Ransomware::SMB Reads then Writes with Additional Extensions
· Unusual Activity::Sustained Anomalous SMB Activity
· Device::ICMP Address Scan
· Compromise::Ransomware::Ransom or Offensive Words Written to SMB
· Anomalous Connection::Suspicious Read Write Ratio
· Anomalous File::Internal::Masqueraded Executable SMB Write
· Compliance::Possible Unencrypted Password File On Server
· User::New Admin Credentials on Client
· Compliance::Remote Management Tool On Server
· User::New Admin Credentials on Server
· Anomalous Connection::Unusual Admin RDP Session
· Anomalous Connection::Download and Upload
· Anomalous Connection::Uncommon 1 GiB Outbound
· Unusual Activity::Unusual File Storage Data Transfer
List of IoCs
IoC - Type - Description + Confidence
- ‘. LYNX’ - File Extension - Lynx Ransomware file extension appended to encrypted files
MITRE ATT&CK Mapping
(Technique Name - Tactic - ID - Sub-Technique of)
Taint Shared Content - LATERAL MOVEMENT - T1080
Data Encrypted for - Impact - IMPACT T1486
Rename System Utilities - DEFENSE EVASION - T1036.003 - T1036
Get the latest insights on emerging cyber threats
This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.
.avif)
![PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/684068fac1b4368f672c17cc_Screenshot%202025-06-04%20at%208.40.32%E2%80%AFAM.png)
![PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6840694509d92b6220ccf5f1_Screenshot%202025-06-04%20at%208.41.48%E2%80%AFAM.png)
![Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/68406a1f723c9d6fda9c5268_Screenshot%202025-06-04%20at%208.45.23%E2%80%AFAM.png)
