Lynx ransomware, a more moderen ransomware-as-a-service (RaaS) that emerged round July could have stemmed from the INC Ransom supply code that was reportedly offered in Might, in keeping with a number of analyses of the Lynx pressure.
The Lynx gang maintains each clear internet and darkish internet leak websites and has claimed greater than 20 victims because it first appeared, in keeping with analyses by Nextron Techniques and Palo Alto Networks’ Unit 42, each printed this week.
Up to now, the RaaS group has claimed victims within the retail, actual property, structure, monetary companies and environmental companies in the USA and United Kingdom, Unit 42 reported, and claims on its web site that it doesn’t goal governmental organizations, hospitals or nonprofits.
Connections between Lynx and INC Ransom had been beforehand drawn by Rapid7, which first analyzed the ransomware in September. Each Rapid7 and Unit 42 carried out a binary diff evaluation on the Lynx and INC Ransom strains, which confirmed an general 48% similarity between the 2 variations, and a 70.8% similarity in features particularly.
Rapid7 opined that the comparability was “not sufficient to show totally that Lynx was derived from INC ransomware’s supply code,” whereas Unit 42 acknowledged the overlap in features “strongly means that the builders of Lynx ransomware have borrowed and repurposed a substantial portion of the INC codebase.”
INC Ransom’s supply code was purportedly placed on sale in Might for a value of $300,000, which included each Home windows and Linux/ESXi variations of the ransomware. INC Ransom, which first appeared in August 2023, has claimed at the least 64 victims and ceaselessly focused healthcare organizations, together with McLaren Well being Care and the Metropolis of Hope most cancers hospital operator and medical analysis group.
Whereas a Linux model of INC ransomware was included within the purported sale, no such model of the Lynx ransomware has but been found. Unit 42 reported discovering each Lynx and INC ransomware samples in July and August 2024, and Lynx samples solely in September 2024.
The Lynx ransomware itself incorporates a number of methods, together with termination of processes and companies containing phrases comparable to “sql,” “veeam,” “backup,” “java” and “trade,” privilege escalation by means of enabling of “SeTakeOwnershipPrivilege” on the present course of token, and deletion of shadow copies by means of DeviceIoControl, in keeping with Nextron.
The ransomware encrypts information utilizing AES-128 in CTR mode and Curve25519 Donna encryption algorithms, and in addition makes use of the Restart Supervisor API “RstrtMgr” to allow encryption of information which are presently in use or locked by different functions, Unit 42 studies. Encrypted information are given the file extension .lynx.
The Lynx ransom notes instructs victims to put in the Tor browser to contact the menace actors and offers addresses for the group’s darkish websites together with a sufferer ID that can be utilized to log in to the leak website.
One distinctive function of Lynx is that it features a operate to print the ransom observe on any printer linked to the compromised system, Nextron Techniques discovered. It first makes use of EnumPrintersW to retrieve a listing of linked printers, then makes use of StartDocPrinterW and StartPagePrinter to start out the printing course of for the ransom observe doc earlier than utilizing WritePrinter to finish the print.
