What is Lynx ransomware?

In mid-2024, a new ransomware actor named Lynx emerged in the threat landscape. This Ransomware-as-a-Service (RaaS) strain is known to target organizations in the finance, architecture, and manufacturing sectors [1] [2]. However, Darktrace’s Threat Research teams also identified Lynx incidents affecting energy and retail organizations in the Middle East and Asia-Pacific (APAC) regions. Despite being a relatively new actor, Lynx’s malware shares large portions of its source code with the INC ransomware variant, suggesting that the group may have acquired and repurposed the readily available INC code to develop its own strain [2].

What techniques does Lynx ransomware group use?

Lynx employs several common attack vectors, including phishing emails which result in the download and installation of ransomware onto systems upon user interaction. The group poses a sophisticated double extortion threat to organizations, exfiltrating sensitive data prior to encryption [1]. This tactic allows threat actors to pressure their targets by threatening to release sensitive information publicly or sell it if the ransom is not paid. The group has also been known to gradually release small batches of sensitive information (i.e., “drip” data) to increase pressure.

Once executed, the malware encrypts files and appends the extension ‘.LYNX’ to all encrypted files. It eventually drops a Base64 encoded text file as a ransom note (i.e., README.txt) [1]. Should initial file encryption attempts fail, the operators have been known to employ privilege escalation techniques to ensure full impact [2].

In the Annual Threat Report 2024, Darktrace’s Threat Research team identified Lynx ransomware as one of the top five most significant threats, impacting both its customers and the broader threat landscape.

Darktrace Coverage of Lynx Ransomware

In cases of Lynx ransomware observed across the Darktrace customer base, Darktrace / NETWORK identified and suggested Autonomous Response actions to contain network compromises from the onset of activity.  

Detection of lateral movement

One such Lynx compromise occurred in December 2024 when Darktrace observed multiple indicators of lateral movement on a customer network. The lateral movement activity started with a high volume of attempted binds to the service control endpoint of various destination devices, suggesting SMB file share enumeration. This activity also included repeated attempts to establish internal connections over destination port 445, as well as other privileged ports. Spikes in failed internal connectivity, such as those exhibited by the device in question, can indicate network scanning. Elements of the internal connectivity also suggested the use of the attack and reconnaissance tool, Nmap.

Indicators of compromised administrative credentials

Although an initial access point could not be confirmed, the widespread use of administrative credentials throughout the lateral movement process demonstrated the likely compromise of such privileged usernames and passwords. The operators of the malware frequently used both 'admin' and 'administrator' credentials throughout the incident, suggesting that attackers may have leveraged compromised default administrative credentials to gain access and escalate privileges. These credentials were observed on numerous devices across the network, triggering Darktrace models that detect unusual use of administrative usernames via methods like NTLM and Kerberos.

Data exfiltration

The lateral movement and reconnaissance behavior was then followed by unusual internal and external data transfers. One such device exhibited an unusual spike in internal data download activity, downloading around 150 GiB over port 3260 from internal network devices. The device then proceeded to upload large volumes of data to the external AWS S3 storage bucket: wt-prod-euwest1-storm.s3.eu-west-1.amazonaws[.]com. Usage of external cloud storage providers is a common tactic to avoid detection of exfiltration, given the added level of legitimacy afforded by cloud service provider domains.

Furthermore, Darktrace observed the device exhibiting behavior suggesting the use of the remote management tool AnyDesk when it made outbound TCP connections to hostnames such as:

relay-48ce591e[.]net[.]anydesk[.]com

relay-c9990d24[.]net[.]anydesk[.]com

relay-da1ad7b4[.]net[.]anydesk[.]com

Tools like AnyDesk can be used for legitimate administrative purposes. However, such tools are also commonly leveraged by threat actors to enable remote access and further compromise activity. The activity observed from the noted device during this time suggests the tool was used by the ransomware operators to advance their compromise goals.

The observed activity culminated in the encryption of thousands of files with the '.Lynx' extension. Darktrace detected devices performing uncommon SMB write and move operations on the drives of destination network devices, featuring the appending of the Lynx extension to local host files. Darktrace also identified similar levels of SMB read and write sizes originating from certain devices. Parallel volumes of SMB read and write activity strongly suggest encryption, as the malware opens, reads, and then encrypts local files on the hosted SMB disk share. This encryption activity frequently highlighted the use of the seemingly-default credential: "Administrator".

In this instance, Darktrace’s Autonomous Response capability was configured to only take action upon human confirmation, meaning the customer’s security team had to manually apply any suggested actions. Had the deployment been fully autonomous, Darktrace would have blocked connectivity to and from the affected devices, giving the customer additional time to contain the attack and enforce existing network behavior patterns while the IT team responded accordingly.

Conclusion

As reported by Darktrace’s Threat Research team in the Annual Threat Report 2024, both new and old ransomware strains were prominent across the threat landscape last year. Due to the continually improving security postures of organizations, ransomware actors are forced to constantly evolve and adopt new tactics to successfully carry out their attacks.

The Lynx group’s use of INC source code, for example, suggests a growing accessibility for threat actors to launch new ransomware strains based on existing code – reducing the cost, resources, and expertise required to build new malware and carry out an attack. This decreased barrier to entry will surely lead to an increased number of ransomware incidents, with attacks not being limited to experienced threat actors.

While Darktrace expects ransomware strains like Lynx to remain prominent in the threat landscape in 2025 and beyond, Darktrace’s ability to identify and respond to emerging ransomware incidents – as demonstrated here – ensures that customers can safeguard their networks and resume normal business operations as quickly as possible, even in an increasingly complex threat landscape.

Credit to Justin Torres (Senior Cyber Analyst) and Adam Potter (Senior Cyber Analyst).

Get the latest insights on emerging cyber threats

Attackers are adapting, are you ready? This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.

• Identity-based attacks: How attackers are bypassing traditional defenses
• Zero-day exploitation: The rise of previously unknown vulnerabilities
• AI-driven threats: How adversaries are leveraging AI to outmaneuver security controls

Stay ahead of evolving threats with expert analysis from Darktrace. Download the report here.

Appendices

References

1.     https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/

2.     https://cybersecsentinel.com/lynx-ransomware-strikes-new-targets-unveiling-advanced-encryption-techniques/

Autonomous Response Model Alerts

·      Antigena::Network::Significant Anomaly::Antigena Alerts Over Time Block

·      Antigena::Network::Insider Threat::Antigena Active Threat SMB Write Block

·      Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block

·      Antigena::Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

·      Antigena::Network::Insider Threat::Antigena Network Scan Block

·      Antigena::Network::Insider Threat::Antigena Internal Anomalous File Activity

·      Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Block

·      Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Pattern of Life Block

·      Antigena::Network::Insider Threat::Antigena Large Data Volume Outbound Block

Darktrace / NETWORK Model Alerts

·      Device::Multiple Lateral Movement Model Alerts

·      Device::Suspicious Network Scan Activity

·      Anomalous File::Internal::Additional Extension Appended to SMB File

·      Device::SMB Lateral Movement

·      Compliance::SMB Drive Write

·      Compromise::Ransomware::Suspicious SMB Activity

·      Anomalous File::Internal::Unusual SMB Script Write

·      Device::Network Scan

·      Device::Suspicious SMB Scanning Activity

·      Device::RDP Scan

·      Unusual Activity::Anomalous SMB Move & Write

·      Anomalous Connection::Sustained MIME Type Conversion

·      Compromise::Ransomware::SMB Reads then Writes with Additional Extensions

·      Unusual Activity::Sustained Anomalous SMB Activity

·      Device::ICMP Address Scan

·      Compromise::Ransomware::Ransom or Offensive Words Written to SMB

·      Anomalous Connection::Suspicious Read Write Ratio

·      Anomalous File::Internal::Masqueraded Executable SMB Write

·      Compliance::Possible Unencrypted Password File On Server

·      User::New Admin Credentials on Client

·      Compliance::Remote Management Tool On Server

·      User::New Admin Credentials on Server

·      Anomalous Connection::Unusual Admin RDP Session

·      Anomalous Connection::Download and Upload

·      Anomalous Connection::Uncommon 1 GiB Outbound

·      Unusual Activity::Unusual File Storage Data Transfer

List of IoCs

IoC - Type - Description + Confidence

- ‘. LYNX’ -  File Extension -  Lynx Ransomware file extension appended to encrypted files

MITRE ATT&CK Mapping  

(Technique Name - Tactic - ID - Sub-Technique of)

Taint Shared Content - LATERAL MOVEMENT - T1080

Data Encrypted for - Impact - IMPACT T1486

Rename System Utilities - DEFENSE EVASION - T1036.003 - T1036

Thanks to its accessibility from anywhere with an internet connection and a web browser, Software-as-a-Service (SaaS) platforms have become nearly universal across organizations worldwide. However, with this growing popularity comes greater responsibility. Increased attention attracts a larger audience, including those who may seek to exploit these widely used services. One crucial factor to be vigilant about in the SaaS landscape is safeguarding internal credentials. Minimal protection on accounts can lead to SaaS hijacking, which could allow further escalations within the network.

How does SaaS account takeover work?

SaaS hijacking occurs when a malicious actor takes control of a user’s active session with a SaaS application. Attackers can achieve this through various methods, including employees using company credentials on compromised or spoofed external websites, brute-force attacks, social engineering, and exploiting outdated software or applications.

After the hijack, attackers may escalate their actions by changing email rules and using internal addresses for additional social engineering attacks. The larger goal of these actions is often to steal internal data, damage reputations, and disrupt operations.

Account takeover protection

It has become essential to have security tools capable of outsmarting potential malicious actors. Traditional tools that rely on rules and signatures may not be able to identify new events, such as logins or activities from a rare endpoint, unless they come from a known malicious source.

Darktrace relies on analysis of user and network behavior, tailored to each customer, allowing it to identify anomalous events that the user typically does not engage in. In this way, unusual SaaS activities can be detected, and unwanted actions can be halted to allow time for remediation before further escalations.

The following cases, drawn from the global customer base, illustrate how Darktrace detects potential SaaS hijack attempts and further escalations, and applies appropriate actions when necessary.

Case 1: Unusual login after a phishing email

A customer in the US received a suspicious email that seemed to be from the legitimate file storage service, Dropbox. However, Darktrace identified that the reply-to email address, hremployeepyaroll@mail[.]com, was masquerading as one associated with the customer’s Human Resources (HR) department.

Further inspection of this sender address revealed that the attacker had intentionally misspelled ‘payroll’ to trick recipients into believing it was legitimate

Furthermore, the subject of the email indicated that the attackers were attempting a social engineering attack by sharing a file related to pay raises and benefits to capture the recipients' attention and increase the likelihood of their targets engaging with the email and its attachment.

Unknowingly, the recipient, who believed the email to be a legitimate HR communication, acted on it, allowing malicious attackers to gain access to the account. Following this, the recipient’s account was observed logging in from a rare location using multi-factor authentication (MFA) while also being active from another more commonly observed location, indicating that the SaaS account had been compromised.

Darktrace subsequently observed the SaaS actor creating new inbox rules on the account. These rules were intended to mark as read and move any emails mentioning the file storage company, whether in the subject or body, to the ‘Conversation History’ folder. This was likely an attempt by the threat actor to hide any outgoing phishing emails or related correspondence from the legitimate account user, as the ‘Conversation History’ folder typically goes unread by most users.

Typically, Darktrace / EMAIL would have instantly placed the phishing email in the junk folder before they reached user’s inbox, while also locking the links identified in the suspicious email, preventing them from being accessed. Due to specific configurations within the customer’s deployment, this did not happen, and the email remained accessible to the user.

Case 2: Login using unusual credentials followed by password change

In the latter half of 2024, Darktrace detected an unusual use of credentials when a SaaS actor attempted to sign into a customer’s Microsoft 365 application from an unfamiliar IP address in the US. Darktrace recognized that since the customer was located within the Europe, Middle East, and Africa (EMEA) region, a login from the US was unexpected and suspicious. Around the same time, the legitimate account owner logged into the customer’s SaaS environment from another location – this time from a South African IP, which was commonly seen within the environment and used by other internal SaaS accounts.

Darktrace understood that this activity was highly suspicious and unlikely to be legitimate, given one of the IPs was known and expected, while the other had never been seen before in the environment, and the simultaneous logins from two distant locations were geographically impossible.

Darktrace detected several unusual login attempts, including a successful login from an uncommon US source. Subsequently, Darktrace / NETWORK identified the device associated with this user making external connections to rare endpoints, some of which were only two weeks old. As this customer had integrated Darktrace with Microsoft Defender, the Darktrace detection was enriched by Defender, adding the additional context that the user had likely been compromised in an Adversary-in-the-Middle (AiTM) phishing attack. AiTM phishing attacks occur when a malicious attacker intercepts communications between a user and a legitimate authentication service, potentially leading to account hijacking. These attacks are harder to identify as they can bypass security measures like MFA.

Following this, Darktrace observed the attacker using the now compromised credentials to access password management and change the account's password. Such behavior is common in account takeover incidents, as attackers seek to maintain persistence within the SaaS environment.

While Darktrace’s Autonomous Response was not fully configured on the customer’s SaaS environment, they were subscribed to the Managed Threat Detection service offered by Darktrace’s Security Operations Center (SOC). This 24/7 service ensures that Darktrace’s analysts monitor and investigate emerging suspicious activity, informing customers in real-time. As such, the customer received notification of the compromise and were able to quickly take action to prevent further escalation.

Case 3: Unusual logins, new email rules and outbound spam

Recently, Darktrace has observed a trend in SaaS compromises involving unusual logins, followed by the creation of new email rules, and then outbound spam or phishing campaigns being launched from these accounts.

In October, Darktrace identified a SaaS user receiving an email with the subject line "Re: COMPANY NAME Request for Documents" from an unknown sender using a freemail  account. As freemail addresses require very little personal information to create, threat actors can easily create multiple accounts for malicious purposes while retaining their anonymity.

Within the identified email, Darktrace found file storage links that were likely intended to divert recipients to fraudulent or malicious websites upon interaction. A few minutes after the email was received, the recipient was seen logging in from three different sources located in the US, UK, and the Philippines, all around a similar time. As the customer was based in the Philippines, a login from there was expected and not unusual. However, Darktrace understood that the logins from the UK and US were highly unusual, and no other SaaS accounts had connected from these locations within the same week.

After successfully logging in from the UK, the actor was observed updating a mailbox rule, renaming it to ‘.’ and changing its parameters to move any inbound emails to the deleted items folder and mark them as read.

Malicious actors often use ambiguous names like punctuation marks, repetitive letters, and unreadable words to name resources, disguising their rules to avoid detection by legitimate users or administrators. Similarly, attackers have been known to adjust existing rule parameters rather than creating new rules to keep their footprints untracked. In this case, the rule was updated to override an existing email rule and delete all incoming emails. This ensured that any inbound emails, including responses to potential phishing emails sent by the account, would be deleted, allowing the attacker to remain undetected.

Over the next two days, additional login attempts, both successful and failed, were observed from locations in the UK and the Philippines. Darktrace noted multiple logins from the Philippines where the legitimate user was attempting to access their account using a password that had recently expired or been changed, indicating that the attacker had altered the user’s original password as well.

Following this chain of events, over 500 emails titled “Reminder For Document Signed Agreement.10/28/2024” were sent from the SaaS actor’s account to external recipients, all belonging to a different organization within the Philippines.

These emails contained rare attachments with a ‘.htm’ extension, which included programming language that could initiate harmful processes on devices. While inherently not malicious, if used inappropriately, these files could perform unwanted actions such as code execution, malware downloads, redirects to malicious webpages, or phishing upon opening.

As this customer did not have Autonomous Response enabled for Darktrace / IDENTITY, the unusual activity went unattended, and the compromise was able to escalate to the point of a spam email campaign being launched from the account.

In a similar example on a customer network in EMEA, Darktrace detected unusual logins and the creation of new email rules from a foreign location through a SaaS account. However, in this instance, Autonomous Response was enabled and automatically disabled the compromised account, preventing further malicious activity and giving the customer valuable time to implement their own remediation measures.

Conclusion

Whether it is an unexpected login or an unusual sequence of events – such as a login followed by a phishing email being sent – unauthorized or unexpected activities can pose a significant risk to an organization’s SaaS environment. The threat becomes even greater when these activities escalate to account hijacking, with the compromised account potentially providing attackers access to sensitive corporate data. Organizations, therefore, must have robust SaaS security measures in place to prevent data theft, ensure compliance and maintain continuity and trust.

The Darktrace suite of products is well placed to detect and contain SaaS hijack attempts at multiple stages of an attack. Darktrace / EMAIL identifies initial phishing emails that attackers use to gain access to customer SaaS environments, while Darktrace / IDENTITY detects anomalous SaaS behavior on user accounts which could indicate they have been taken over by a malicious actor.

By identifying these threats in a timely manner and taking proactive mitigative measures, such as logging or disabling compromised accounts, Darktrace prevents escalation and ensures customers have sufficient time to response effectively.

Credit to Min Kim (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections Case 1

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and New Email Rule

SaaS / Compliance / Anomalous New Email Rule

SaaS / Unusual Activity / Multiple Unusual SaaS Activities

SaaS / Access / Unusual External Source for SaaS Credential Us

SaaS / Compromise / Login From Rare Endpoint While User is Active

SaaS / Email Nexus / Unusual Login Location Following Link to File Storage

Antigena / SaaS / Antigena Email Rule Block (Autonomous Response)

Antigena / SaaS / Antigena Suspicious SaaS Activity Block (Autonomous Response)

Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block (Autonomous Response)

List of Indicators of Compromise (IoCs)

176.105.224[.]132 – IP address – Unusual SaaS Activity Source

hremployeepyaroll@mail[.]com – Email address – Reply-to email address

MITRE ATT&CK Mapping

Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078

Outlook Rules – PERSISTENCE – T1137

Cloud Service Dashboard – DISCOVERY – T1538

Compromise Accounts – RESOURCE DEVELOPMENT – T1586

Steal Web Session Cookie – CREDENTIAL ACCESS – T1539

Darktrace Model Detections Case 2

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and Account Update

Security Integration / High Severity Integration Detection

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compromise / Login From Rare Endpoint While User Is Active

SaaS / Compromise / Login from Rare High Risk Endpoint

SaaS / Access / M365 High Risk Level Login

Antigena / SaaS / Antigena Suspicious SaaS Activity Block (Autonomous Response)

Antigena / SaaS / Antigena Enhanced Monitoring from SaaS user Block (Autonomous Response)

List of IoCs

74.207.252[.]129 – IP Address – Suspicious SaaS Activity Source

MITRE ATT&CK Mapping

Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078

Cloud Service Dashboard – DISCOVERY – T1538

Compromise Accounts – RESOURCE DEVELOPMENT – T1586

Steal Web Session Cookie – CREDENTIAL ACCESS – T1539

Darktrace Model Detections Case 3

SaaS / Compromise / Unusual Login and Outbound Email Spam

SaaS / Compromise / New Email Rule and Unusual Email Activity

SaaS / Compromise / Unusual Login and New Email Rule

SaaS / Email Nexus / Unusual Login Location Following Sender Spoof

SaaS / Email Nexus / Unusual Login Location Following Link to File Storage

SaaS / Email Nexus / Possible Outbound Email Spam

SaaS / Unusual Activity / Multiple Unusual SaaS Activities

SaaS / Email Nexus / Suspicious Internal Exchange Activity

SaaS / Compliance / Anomalous New Email Rule

List of IoCs

95.142.116[.]1 – IP Address – Suspicious SaaS Activity Source

154.12.242[.]58 – IP Address – Unusual Source

MITRE ATT&CK Mapping

Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078

Compromise Accounts – RESOURCE DEVELOPMENT – T1586

Email Accounts – RESOURCE DEVELOPMENT – T1585

Phishing – INITIAL ACCESS – T1566

Outlook Rules – PERSISTENCE – T1137

Internal Spear phishing – LATERAL MOVEMENT - T1534