Lynx Ransomware Strikes New Targets Unveiling Advanced Encryption Techniques
Threat Group: Lynx
Threat Type: Ransomware
Exploited Vulnerabilities: No specific software flaw; abuses file permissions and escalates privileges (SeTakeOwnershipPrivilege) when file encryption is blocked
Malware Used: Modified ransomware code derived from INC ransomware
Threat Score: High (8.2/10) — Due to advanced encryption techniques, privilege escalation methods, and cross-sector targeting
Last Threat Observation: October 3, 2024, by Rapid7 and Palo Alto Networks
Overview
Lynx ransomware is a relatively new but rapidly evolving cyber threat, first identified in July 2024. It is a rebranding of the previous INC ransomware, with substantial code overlaps. The group has claimed over 20 victims in various sectors, including finance, architecture, and manufacturing, employing both single and double extortion techniques. Despite its claims of ethical considerations, Lynx targets businesses indiscriminately, using aggressive methods to coerce ransom payments by threatening data leaks.
Key Details
- Delivery Method: Primarily delivered via phishing emails and malicious downloads.
- Target: Sectors like finance, manufacturing, architecture, and business services have been heavily targeted.
- Functions:
  - Encrypts files using ECC and AES keys.
  - Drops a ransom note (README.txt) in the form of Base64-encoded text.
  - Appends a .LYNX extension to all encrypted files.
  - Exfiltrates data and threatens its public release.
  - Employs privilege escalation techniques if initial file encryption attempts fail.
- Cryptography: Uses Curve25519 (ECC) for key handling and SHA-512 for hashing.
Attack Vectors
Once running, Lynx checks whether it has write access to each target file. If that check fails, it escalates privileges by enabling SeTakeOwnershipPrivilege to take control of the file's security settings. It also uses the Restart Manager API to terminate processes that hold locks on files it intends to encrypt, while avoiding critical system processes so that the machine keeps running with minimal disruption.
Known Indicators of Compromise (IoCs)
- File Hash (MD5): 7e851829ee37bc0cf65a268d1d1baa7a
- IPv4 Addresses: 185[.]68[.]93[.]122, 185[.]68[.]93[.]233
- Domains: lynxback[.]pro, lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion, lynxblog[.]net
- Emails: martina[dot]lestariid1898[at]proton[dot]me, gansbronz[at]gmail[dot]com
- Alienvault Source: OTX Alienvault Pulse
Mitigation and Prevention
- User Awareness: Conduct regular training on recognizing phishing emails and avoiding suspicious downloads.
- Email Filtering: Implement advanced email filtering solutions to block malicious attachments.
- Antivirus Protection: Use endpoint protection software capable of detecting ransomware patterns.
- Two-Factor Authentication (2FA): Mandate 2FA for all critical systems to reduce unauthorized access risks.
- Monitor Logs: Regularly review logs for unusual activity, especially around file permissions and process terminations.
- Regular Updates: Ensure all software and systems are patched with the latest security updates.
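As an added illustration of the "Monitor Logs" advice above and of the behaviour described under Attack Vectors, the following Python (written for this page, not taken from the advisory or any vendor's tooling) correlates per host the three traces Lynx leaves: SeTakeOwnershipPrivilege use (Windows Security event 4674), .LYNX file creations and README.txt drops (Sysmon event 11). The key=value log layout, host names, users and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (key=value lines) modelled on Windows Security
# event 4674 (privileged object operation) and Sysmon event 11 (FileCreate).
# Field layout, hosts, users and paths are assumptions for this example.
SAMPLE_LOGS = r"""
2024-10-03T10:01:05Z host=fs01 event=4674 user=CORP\jdoe privilege=SeTakeOwnershipPrivilege object=D:\Finance\Q3.xlsx
2024-10-03T10:01:07Z host=fs01 event=11 user=CORP\jdoe path=D:\Finance\Q3.xlsx.LYNX
2024-10-03T10:01:07Z host=fs01 event=11 user=CORP\jdoe path=D:\Finance\README.txt
2024-10-03T10:01:09Z host=fs01 event=11 user=CORP\jdoe path=D:\Finance\Budget.docx.LYNX
2024-10-03T10:05:00Z host=ws22 event=4674 user=CORP\admin privilege=SeTakeOwnershipPrivilege object=C:\Users\old\file.txt
2024-10-03T10:06:00Z host=ws22 event=11 user=CORP\admin path=C:\Users\old\notes.txt
"""

LYNX_EXT, NOTE_NAME = ".lynx", "readme.txt"   # encrypted-file extension, ransom note name
TAKEOWN = "SeTakeOwnershipPrivilege"


def parse_line(line):
    """Turn one 'key=value ...' log line into a dict (empty if nothing parses)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_lynx_activity(log_text, min_encrypted=2):
    """Return {host: [reasons]} for hosts showing Lynx-like encryption activity.
    Privilege use alone never alerts (admins legitimately take ownership); .LYNX
    creations drive the alert, with note drops and privilege use as corroboration."""
    per_host = defaultdict(lambda: {"takeown": 0, "encrypted": 0, "note": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "host" not in ev:
            continue
        stats = per_host[ev["host"]]
        if ev.get("event") == "4674" and ev.get("privilege") == TAKEOWN:
            stats["takeown"] += 1
        elif ev.get("event") == "11":
            name = ev.get("path", "").rsplit("\\", 1)[-1].lower()
            if name.endswith(LYNX_EXT):
                stats["encrypted"] += 1
            elif name == NOTE_NAME:
                stats["note"] += 1
    alerts = {}
    for host, s in per_host.items():
        if s["encrypted"] >= min_encrypted or (s["encrypted"] and s["note"]):
            reasons = [f"{s['encrypted']} file(s) with .LYNX extension created"]
            if s["note"]:
                reasons.append("ransom note README.txt dropped")
            if s["takeown"]:
                reasons.append(f"SeTakeOwnershipPrivilege used {s['takeown']} time(s)")
            alerts[host] = reasons
    return alerts
```

In the sample only fs01 alerts: ws22's single take-ownership event has no accompanying .LYNX creations, which is the false-positive case a bare privilege-use rule would fire on.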
Podcast Discussion
Listen to our latest NotebookLM-generated podcast episode, where we discuss Lynx ransomware, its implications, and expert advice on how to stay safe from this threat.
Conclusion
Lynx ransomware has proven to be a formidable threat, leveraging advanced encryption techniques, privilege escalation, and double extortion tactics. Organizations must remain vigilant and proactive, implementing robust security measures to protect against such sophisticated attacks.
Sources:
- Unit 42 by Palo Alto Networks - "Lynx Ransomware: A Rebranding of INC Ransomware"
- Nextron Systems - "In-Depth Analysis of Lynx Ransomware"
- Alienvault Pulse - "Lynx Ransomware: Initial Report"