lynx
Ransomware group profile
Description
Lynx is a ransomware threat group that primarily targets critical infrastructure sectors such as energy, oil and gas facilities in the United States. It gains initial access through phishing and exploitation of known vulnerabilities, then applies double extortion: demanding a ransom for decryption while threatening to leak the stolen data. Its Ransomware-as-a-Service (RaaS) model, run through a structured affiliate program, extends its operational reach.
Key insights
- Targets critical infrastructure, especially the energy, oil and gas sectors.
- Employs phishing and exploits vulnerabilities for initial access.
- Operates a Ransomware-as-a-Service model with a structured affiliate program.
- Uses double extortion tactics, threatening to leak stolen data.
- Uses AES-128 and Curve25519 for encryption.
- Claims to avoid the healthcare and government sectors but impacts them nonetheless.
Intelligence
IOCs, YARA/Sigma rules, and related families for lynx. The list below contains file hashes of mixed types (SHA-256, SHA-1 and MD5), in the order they were published.
- 6cb54ec004ff8b311e73ef8a8f69b8dd043b7b84c5499f4c6d79d462cea941d8
- 4fde7b67da86fdd1587f78254acf9cd6766a7d77
- 72231dc69a71f3ac971fa335dc79a04569dd7a09
- 0336d6a2348ce826be1f8e4b35bf99c2756cc9efed7be94692beffa13bb0b604
- a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
- a875f9b3c1f31835b3f70c23a8a1daa06404b82d61887d035731eb13f649c0db
- b175e1d4fe69da0be4db63996a804b204005923aabeedd9c02b615ea04986303
- 842f01180f2a021aae47f5c0e6865847985691d28919554c81d01f162afb4e43
- 254b7cca40f9e624b21841f60bff0919
- f5a8ceb27bea2b49cc0c38da3b9007efc12db19e
- 1531f13142fc0ebfb7b406d99a02ec6441fc9e40725fe2d2ac11119780995cd3
- 02e3c74a99cb7ade79eb879ed1513b5ed410eec981ce02bb0a7c2d6d654e0309
- 036a60aa2c62c8a9be89a2060e4300476aef1af2fd4d3dd8cac1bb286c520959
- e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3
- e6f76a73180b4f2947764f4de57b52d037b482ece1a88dab9d3290e76be8c098
- 060eb4ce798e9e2470f4a36139c5c03c0bfacf0a611199b056280efc290f5861
- fb1a21da08c9dc28c1cb855dce893e9c
- 0ba46a3bda93f50a567887e2c6df97663bf290352654dbf103236d3f6ab0bfab
- aa99338898c90e38e24c0e45ca891e25d468241d4fdba7108773ae1506c8cafb
- 4c15a5914d399a97dce2cf6452b991e5848f1f712397e9ff8381bd5cd3b8c9c0
- 86372ac72add0002b9f8028e3a62410312aa8fe4
- d0724e2613107953ee2f8e941ca917658bb51f8f6b753a0552f8a407abf2b840
- 7916a7366c35d5f6be9e5a114b104865b78ff68c4c4fec2a081c6fcfb6809fd2
- 9afe896bfb6dcdf30b18d7f9330212a28358255cc08f7365d18aee2030530483
- d96e8f2d53180c2003f5422cb2691aa28bfe039b
- 667d7bd97fbbf9cb9bc37771040352e16776d7c900c68b14168b3c49a0a3c321
- f8dca20f0394e6c11a9bd8b9706e1dd9bca8f8f72d4edff36fbf311b0f40a610
- deea481121129d4779195e93fdc39ae62fecb168fd5a384d0ccf8082f06092e5
- 4c8cf7e19f636f8fcb23e30bb5010c2f57901f06e92b93277e962bb2c46d0714
- 565031eaffb9b309737c04e9b6c6f865
- 89d84ab72b2e5116f4a46b19f4d8096a0a9c7a88
- b6a61df3254bda3056900937e3e162ddeec3239bc5e1ac3488cef9aafbda21e4
- abe8e7db84be416f0a76e5cb12d5c15cfea879ba0ba376db29458a8d8bb902d3
- d5febfdd239fd1d05e0c29d3bacfb880279f2d19
- 55d9836dddac73e611cf7bfac7d2066cc0961e05337d1f91837680e4c57b8816
- d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903
- b3b970ba2a434ca224efafe05aad1d06
- 97969978799100c7be211b9bf8a152bbd826ba6cb55377284537b381a4814216
- 7e68880f4c8c635942b34f7119656c91f5c83183
- a20886a5b378624d16972db66bd4e7e1
- 5d4bb9ad0d2ad9d45017273cc6d0a691219be3cdc819fde0a712bb5bac0c4bff
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for lynx
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1059 Command and Scripting Interpreter
- T1080 Taint Shared Content
- T1562 Impair Defenses
- T1021 Remote Services
- T1021.001 Remote Desktop Protocol
- T1078 Valid Accounts
- T1547 Boot or Logon Autostart Execution
- T1005 Data from Local System
- T1057 Process Discovery
Victims (161; first 20 shown)
| Company | Domain | Country | Industry | Status | Discovered |
|---|---|---|---|---|---|
| jacksoncountyin.com | jacksoncountyin.com | US United States | Government & Defense | Claimed | 24 days ago |
| bayareaherbs.com | bayareaherbs.com | US United States | Retail & E-Commerce | Claimed | 24 days ago |
| st-annes.uk.com | st-annes.uk.com | GB United Kingdom | Education | Claimed | 24 days ago |
| lifelongaccess.org | lifelongaccess.org | US United States | Healthcare | Claimed | 24 days ago |
| funkychunky.com | funkychunky.com | US United States | Retail & E-Commerce | Claimed | 25 days ago |
| csb-battery.com | csb-battery.com | TW Taiwan | Manufacturing | Claimed | 25 days ago |
| ossistemes.com | ossistemes.com | ES Spain | Technology | Claimed | 25 days ago |
| www.kurita.eu | kurita.eu | DE Germany | Manufacturing | Claimed | 25 days ago |
| Stonehenge | — | TH Thailand | Other | Claimed | about 2 months ago |
| cwwcontractors.com | — | US United States | Other | Claimed | about 2 months ago |
| sentrydynamics.com | — | US United States | Technology | Claimed | about 2 months ago |
| ACNHealthcare | — | DE Germany | Healthcare | Claimed | about 2 months ago |
| www.smithdollar.com | smithdollar.com | US United States | Professional Services | Claimed | about 2 months ago |
| njpcs.org | — | US United States | Healthcare | Claimed | 2 months ago |
| Go to the publication | — | — | — | Claimed | 3 months ago |
| indrub.com | indrub.com | IN India | Manufacturing | Claimed | 3 months ago |
| Africa Insurance | africainsurance.com | ET Ethiopia | Financial Services | Claimed | 3 months ago |
| https://www.hegelmann.com | hegelmann.com | DE Germany | Transportation | Claimed | 3 months ago |
| Keller Polska | kellerpolska.pl | PL Poland | Other | Claimed | 3 months ago |
| Stera Chemicals | sterachemicals.com | RO Romania | Manufacturing | Claimed | 3 months ago |
Affected countries (56)
Countries where this group has been reported to target or leak victims.