| Technique ID | Technique | Description |
|---|---|---|
| T1059.003 / T1059.004 | Command and Scripting Interpreter: Windows Command Shell / Unix Shell | Both the Windows and Linux builds are driven from the command line; switches such as `--mode` and `--esxi` select the encryption scope, process termination and other runtime behaviour. |
| T1134 | Access Token Manipulation | Enables SeTakeOwnershipPrivilege in its own token, takes ownership of file objects it cannot open, and rewrites their DACLs so the files can be encrypted. |
| T1068 / T1203 | Exploitation for Privilege Escalation / Exploitation for Client Execution | When an access check on a file fails, falls back to the ownership-and-DACL routine above rather than skipping the file. |
| T1490 | Inhibit System Recovery | Deletes or resizes Volume Shadow Copies in Windows and removes VM snapshots on ESXi to block recovery. |
| T1489 | Service Stop | Terminates critical services (SQL, Exchange, backup, Veeam) and their dependencies to disrupt recovery mechanisms. |
| T1057 | Process Discovery | Uses CreateToolhelp32Snapshot and iterates processes with Process32FirstW / Process32NextW to identify targets. |
| T1049 / T1018 | System Network Connections Discovery / Remote System Discovery | Enumerates system services and remote connections to expand targeting and identify services for termination. |
| T1005 | Data from Local System | Enumerates local files and mounted drives before encryption, including otherwise hidden volumes that it mounts when run with `--load-drives`. |
| T1083 | File and Directory Discovery | Recursively scans directories, avoiding system-critical folders, while identifying documents and databases for encryption. |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | Conceals its preparatory activity, including the file-access manipulation described above, to delay detection. |
| T1486 | Data Encrypted for Impact | Encrypts file contents with AES-128 in CTR mode, protects the per-file keys with Curve25519 (the curve25519-donna implementation), and appends the .lynx extension. Ransom notes are dropped to disk, set as the desktop wallpaper, or sent to attached printers. |
| T1573.001 / T1573.002 | Encrypted Channel (Symmetric / Asymmetric) | Hybrid scheme: a Curve25519 key agreement yields a shared secret that is hashed with SHA-512 to derive the AES key material. (T1573 proper covers C2 traffic; the mapping here refers to the key exchange protecting the file keys.) |
| T1027 | Obfuscated Files or Information | Stores the ransom note Base64-encoded inside the binary and decodes it only when dropping it into encrypted directories. |
Dark Web Profile: Lynx Ransomware
Lynx is a ransomware group that appeared in mid-2024 and is widely believed to be a rebrand of the INC ransomware operation. The group follows a Ransomware-as-a-Service (RaaS) model, providing affiliates with encryption tools, leak site access, and operational support.
Since its emergence, Lynx has claimed approximately 300 victims. With a structured affiliate program and an evolving toolkit, the group has established itself as a steady presence in the ransomware ecosystem.
Lynx Ransomware’s logo
Who is Lynx Ransomware?
Operating under a Ransomware-as-a-Service (RaaS) model, Lynx provides affiliates with access to its platform, enabling them to launch attacks and manage victims through structured support. The group employs double extortion tactics and advanced encryption methods, reflecting a level of organization and technical capability that has quickly established it as a major player in the ransomware ecosystem.
Threat actor card of Lynx Ransomware
Analysis of malware samples shows that Lynx shares large portions of its source code with INC, suggesting that the group either acquired or repurposed the original code to create its own strain.
Alleged sale of INC Ransomware’s source code
INC’s source code circulated on Dark Web forums, which may have given Lynx’s developers the base for a more advanced variant.
Analysis performed when the group emerged showed strong overlap with the earlier INC family: roughly half of Lynx’s functions match INC, and the overlap in the Linux/ESXi variant is even greater. This strongly indicates that Lynx’s developers either bought or repurposed the INC source code.
What Are Lynx Ransomware’s Targets?
Lynx emerged in mid-2024. By September of that year, security reports had already identified over 20 victims. In just a few months, the strain gained traction and began scaling quickly. By early 2025, the group had tallied at least 42 known attacks. Over the next few months, activity continued to rise steadily. By August 2025, Lynx had amassed nearly 300 victims.
The most targeted countries by Lynx Ransomware
Geographically, Lynx shows a clear concentration of attacks in the United States, which represents the majority of confirmed victims. Other heavily affected countries include the United Kingdom, Canada, Australia, and Germany, with additional incidents reported across Europe, Asia-Pacific, the Middle East, Africa, and Latin America.
Targeted countries by Lynx Ransomware (created with mapchart)
From an industry perspective, Manufacturing stands out as the most targeted sector, followed closely by Business Services, Technology, and Transportation. Energy, Agriculture, and Tourism have also been affected, along with smaller numbers of victims in Construction, Finance, and Healthcare.
The most targeted industries by Lynx Ransomware
These patterns highlight Lynx’s focus on industries with critical operations and broad attack surfaces, while still demonstrating opportunistic targeting across a variety of sectors.
What Are Lynx Ransomware’s Techniques?
As a RaaS operation, Lynx does not rely on a single entry point. Affiliates adapt their methods, but two techniques dominate: stolen credentials and phishing attacks. Credentials are often bought on Dark Web markets or harvested from infostealer logs, giving attackers direct access to RDP, VPNs, or email systems.
Lynx Ransomware “Press Release”
Phishing emails remain another popular route, luring users into opening weaponized attachments or entering credentials on fake portals. In some cases, affiliates also turn to malicious downloads or buy ready-made access from initial access brokers.
Lynx Ransomware’s data leak site, victim announcements
Like many ransomware groups, Lynx practices double extortion. Data is exfiltrated before encryption, giving the attackers leverage to threaten leaks if payment is refused. The stolen information is then published on the group’s dedicated data leak site, which includes sections for news, leaks, and victim reports. Lynx publicly states it avoids targeting governments, healthcare, and non-profits, though commercial enterprises remain frequent victims.
Technical Capabilities
According to researchers, Lynx uses a hybrid encryption scheme: AES-128 in CTR mode for file contents, with Curve25519 (the curve25519-donna implementation) protecting the keys, and it appends a .lynx extension to encrypted files. The malware can:
- Terminate services and processes, including backup and database tools
- Encrypt local and network drives
- Mount hidden volumes
- Delete shadow copies to block recovery
- Use the Windows Restart Manager API to shut down processes holding files open, so that files in use can still be encrypted
Both Windows and Linux builds are available, including versions designed for ESXi and multiple Linux architectures. The Linux strain can stop virtual machines and remove snapshots, amplifying impact in virtualized environments.
Affiliate Program & Panel
Lynx operates as a Ransomware-as-a-Service (RaaS). Recruitment posts on the ransomware forum RAMP invited penetration testing teams, offering an 80/20 profit split in favor of affiliates. The affiliate panel provides extensive functionality, including victim management, dedicated negotiation chats, publication scheduling for leaks, and archives of pre-built binaries covering Windows, Linux, and even niche architectures. Panel “news” updates also distribute infrastructure mirrors to ensure continued access if domains are disrupted.
What Are the Mitigation Tactics Against Lynx Ransomware?
Lynx operates under a RaaS model, which means its techniques vary depending on the affiliates. Defenses should therefore focus on the most common access points and the tactics seen in similar incidents.
Harden Entry Points
Since stolen credentials and phishing remain the primary routes of compromise, organizations should enforce multi-factor authentication on all external services and monitor for leaked credentials. Phishing resilience can be improved with a mix of filtering tools and user awareness programs.
Limit the Blast Radius
Applying strict access controls and network segmentation helps contain an intrusion before it spreads. Backup systems must be isolated from production networks so they cannot be encrypted during an attack.
Detect Early Signs
Endpoint and network monitoring should be tuned to look for behaviors consistent with Lynx and similar ransomware families: unusual privilege escalation, shadow copy deletion or resizing, or attempts to stop backup and database services. Early detection provides the best chance of stopping the encryption phase.
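Below is a worked detection pass for the behaviours this paragraph and the T1490/T1489 rows of the technique table single out. It is an added example, not SOCRadar’s or Lynx’s code; the eight telemetry records are constructed, the `ts`/`host`/`cmdline` field names are an assumption about your process-creation schema (Sysmon Event ID 1 or an EDR equivalent), and the service-name keywords are only those the report lists.

```python
"""Detection pass over process-creation telemetry for the pre-encryption moves
the report describes: shadow-copy deletion/resizing (T1490) and stopping SQL,
Exchange, backup and Veeam services (T1489).

Added example, not SOCRadar's or Lynx's code. The records are constructed and
the field names (ts, host, cmdline) are an assumption about the telemetry schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str
    pattern: re.Pattern


# Shadow-copy tampering. The binaries may appear bare or as quoted full paths.
SHADOW_RULES = [
    Rule("vssadmin delete shadows", "T1490",
         re.compile(r'\bvssadmin(?:\.exe)?"?\s.*\bdelete\s+shadows\b', re.I)),
    Rule("vssadmin resize shadowstorage", "T1490",
         re.compile(r'\bvssadmin(?:\.exe)?"?\s.*\bresize\s+shadowstorage\b', re.I)),
    Rule("wmic shadowcopy delete", "T1490",
         re.compile(r'\bwmic(?:\.exe)?"?\s.*\bshadowcopy\b.*\bdelete\b', re.I)),
]

# "net stop X", "net1 stop X", "sc stop X"; group 1 is the service name.
SERVICE_STOP = re.compile(r'(?:^|\\)(?:net1?|sc)(?:\.exe)?"?\s+stop\s+"?([^"\s]+)', re.I)
# Keywords from the report's kill list. Stopping Spooler is noise; MSSQLSERVER or
# VeeamBackupSvc is not. Extend with your own backup/database service names.
RECOVERY_SERVICES = re.compile(r'sql|exchange|veeam|backup', re.I)


def match_event(event: dict) -> list[dict]:
    """All alerts raised by one process-creation record."""
    cmd = event["cmdline"]
    alerts = [_alert(event, r.name, r.attack_id) for r in SHADOW_RULES if r.pattern.search(cmd)]
    m = SERVICE_STOP.search(cmd)
    if m and RECOVERY_SERVICES.search(m.group(1)):
        alerts.append(_alert(event, f"stop of recovery-related service {m.group(1)}", "T1489"))
    return alerts


def _alert(event: dict, rule: str, attack_id: str) -> dict:
    return {"ts": event["ts"], "host": event["host"], "rule": rule,
            "attack_id": attack_id, "cmdline": event["cmdline"]}


def scan(events: list) -> list:
    return [a for e in events for a in match_event(e)]


def triage(alerts: list) -> dict:
    """Per-host severity. The report's pattern is both techniques on one host just
    before encryption ('high'); either alone still deserves a look ('medium')."""
    techniques = defaultdict(set)
    for a in alerts:
        techniques[a["host"]].add(a["attack_id"])
    return {host: ("high" if {"T1489", "T1490"} <= ids else "medium")
            for host, ids in techniques.items()}


# Constructed telemetry: two benign admin actions mixed with the full pattern on SRV-DB1.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T01:02:03Z", "host": "WS01",      "cmdline": r"vssadmin list shadows"},
    {"ts": "2025-08-12T01:10:44Z", "host": "SRV-DB1",   "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-08-12T01:10:45Z", "host": "SRV-DB1",   "cmdline": r"vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"ts": "2025-08-12T01:10:51Z", "host": "SRV-DB1",   "cmdline": r"net stop MSSQLSERVER /y"},
    {"ts": "2025-08-12T01:10:52Z", "host": "SRV-DB1",   "cmdline": r"sc stop VeeamBackupSvc"},
    {"ts": "2025-08-12T01:12:09Z", "host": "WS02",      "cmdline": r"net stop Spooler"},
    {"ts": "2025-08-12T01:15:30Z", "host": "SRV-FS1",   "cmdline": r"wmic shadowcopy delete /nointeractive"},
    {"ts": "2025-08-12T01:16:02Z", "host": "SRV-MAIL1", "cmdline": r'"C:\Windows\System32\net1.exe" stop MSExchangeIS'},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]:<9} {a["attack_id"]} {a["rule"]}')
    print(triage(found))
```

Deliberately, `vssadmin list shadows` and `net stop Spooler` raise nothing, while SRV-DB1, which shows shadow-copy tampering and recovery-service stops within seconds of each other, is escalated above hosts showing only one of the two. Tune `RECOVERY_SERVICES` to the backup and database service names actually present in your estate.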
Prepare for Double Extortion
Because Lynx exfiltrates data before encryption, defenses must also cover data governance. Encrypting sensitive files at rest, monitoring outbound traffic, and restricting unnecessary data flows reduce the value of stolen data.
Plan and Rehearse Response
An incident response plan tailored to ransomware is essential. Teams should rehearse containment, negotiation decisions, and communication steps. Being prepared limits downtime and prevents rushed decisions under pressure.
How Can SOCRadar Help?
SOCRadar provides organizations with the intelligence and visibility needed to defend against groups like Lynx. SOCRadar helps security teams anticipate ransomware tactics, reduce exposure, and respond quickly if targeted.
Cyber Threat Intelligence (CTI)
SOCRadar’s CTI module delivers real-time insights from Dark Web forums, ransomware leak sites, and breach data. It enables:
- Threat hunting and tracking of affiliates linked to Lynx and similar RaaS operations
- Monitoring of stolen credentials, infostealer logs, and access sales
- Tactical and operational intelligence that highlights attacker techniques, infrastructure, and tools
SOCRadar, Vulnerability Intelligence
Attack Surface Management (ASM)
Affiliates often exploit exposed services or forgotten assets. SOCRadar’s ASM module provides the “attacker’s view” of your environment by:
- Discovering unpatched systems, open ports, and misconfigured services that could be leveraged for entry
- Continuously monitoring DNS, SSL/TLS, and cloud-facing applications
- Prioritizing vulnerabilities most likely to be exploited by ransomware groups
SOCRadar Attack Surface Management
Brand Protection & Dark Web Monitoring
Lynx uses double extortion and leak sites to pressure victims. SOCRadar’s monitoring tools can:
- Detect stolen data and mentions of your brand on Dark Web markets, forums, and ransomware blogs
- Flag phishing domains and fake portals designed to harvest credentials
- Identify underground sales of compromised corporate information before they are weaponized
SOCRadar, Dark Web Monitoring