LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Lynx

Lynx Ransomware Group Profile: INC Ransom Successor Targeting Critical Infrastructure and Healthcare

Lynx emerged in mid-2024 as a rebranded successor to INC Ransom, inheriting its codebase and affiliate model while expanding victim scope into healthcare, critical infrastructure, and financial services. CISA issued a dedicated joint advisory in February 2025. This profile covers Lynx's technical characteristics, targeting patterns, and observed TTPs through mid-2026.

By Ransomware Tracker ·
LynxINC-Ransomransomwarehealthcarecritical-infrastructureCISARaaSdouble-extortiondata-theft
Threat Level
8/10
Sectors Targeted
healthcare
critical-infrastructure
financial-services
manufacturing
real-estate
Ransomware Family
Lynx

Overview

Lynx is a ransomware-as-a-service (RaaS) operation that emerged publicly in July 2024 and has been assessed by CISA, HHS, and multiple threat intelligence vendors as a direct successor to the INC Ransom group. Code analysis by Palo Alto Unit 42 and others identified significant overlap between Lynx and INC Ransom’s encryptor logic, consistent with a rebrand or affiliate breakaway rather than an independent development.

The group operates a standard double-extortion model: data exfiltration precedes encryption, and victims face both operational disruption and the threat of sensitive data publication on Lynx’s Tor-hosted leak site. The leak site has maintained consistent activity since mid-2024, with victim postings spanning North America, Europe, and Australia.

CISA, the FBI, and the US Department of Health and Human Services (HHS) published joint advisory AA25-039A in February 2025 specifically naming Lynx and detailing its targeting of critical infrastructure and healthcare.

Targeting Profile

Lynx has maintained broad sector targeting consistent with opportunistic ransomware operations, with a notable concentration in:

  • Healthcare: Hospitals, physician networks, clinical laboratories, and health insurance providers — the sector most likely to face regulatory pressure to pay
  • Critical infrastructure: Energy utilities, water systems, and manufacturing — targets where operational disruption creates additional negotiating pressure
  • Financial services: Mid-market financial firms, accounting practices, and credit unions
  • Real estate: Commercial property management firms and real estate investment trusts
  • Legal and professional services: Law firms handling litigation, M&A, or regulatory matters

Victim sizes have ranged from small regional operators with under 50 employees to mid-market organisations with several thousand staff. Lynx does not appear to target large enterprises exclusively — the affiliate model means individual affiliates pursue whichever targets their access enables.

Technical Characteristics

Encryptor

Lynx’s encryptor is a C++ binary with structural similarities to INC Ransom’s malware. Key characteristics:

  • Encryption scheme: AES-128 CTR mode per file, with RSA-2048 public key encryption of the AES key
  • File extension: Encrypts files and appends .lynx extension
  • Partial encryption: For large files, the encryptor partially encrypts to maximise throughput — a common RaaS technique to reduce encryption time while still rendering files unusable
  • Shadow copy deletion: Uses vssadmin.exe delete shadows /all /quiet via cmd.exe
  • Ransom note: Drops README.txt in each affected directory and a desktop wallpaper replacement

Initial Access

Observed initial access methods consistent with CISA advisory and threat intelligence reporting:

  • Phishing: Credential phishing targeting internet-exposed mail and VPN portals
  • Exposed RDP: Brute force and credential stuffing against internet-facing RDP services — particularly effective against smaller healthcare and manufacturing targets with poor patch posture
  • Compromised credentials: Initial access broker (IAB) purchases documented in criminal forum monitoring; Lynx affiliates are known buyers on established IAB markets
  • Vulnerable public-facing applications: Exploitation of unpatched VPN appliances and remote access gateways; the group has been observed exploiting vulnerabilities in Cisco, Fortinet, and Pulse Secure appliances

Persistence and Lateral Movement

Post-access activity follows a recognisable pattern:

  • Legitimate RMM tools: AnyDesk, Splashtop, and ConnectWise Control deployed for persistent access and to complicate attribution
  • Credential harvesting: Cobalt Strike beacons or similar frameworks for internal reconnaissance; Mimikatz for credential dumping
  • Active Directory enumeration: BloodHound/SharpHound for AD graph analysis to identify high-privilege accounts and paths to domain controller access
  • Lateral movement: Pass-the-hash and pass-the-ticket using harvested credentials; WMI and SMB for remote execution

Data Exfiltration

Before deployment of the encryptor, affiliates exfiltrate data using:

  • Rclone: Configured to upload to attacker-controlled cloud storage (Mega, pCloud, or private VPS)
  • WinSCP / FileZilla: FTP-based exfiltration to external infrastructure
  • MEGASync: Direct sync to MEGA cloud storage, consistent with other RaaS operations

Exfiltrated data is catalogued and used as the basis for the extortion threat; higher-sensitivity data (patient records, financial statements, legal documents) is specifically highlighted in ransom communications to increase payment pressure.

Ransom Demands and Negotiation

Ransom demands have ranged from approximately $30,000 for smaller organisations to several million dollars for larger enterprise victims. The group operates a negotiation portal on the Tor network where victims communicate after discovering the ransom note.

Negotiation behaviour is consistent with professional RaaS operations: initial demands are set high, and negotiated settlements of 30–50% of the initial demand are common where victims engage. Time-limited discount offers (“pay within 72 hours for 20% reduction”) are a standard tactic.

Detection and Response Guidance

Focus areas for early detection:

  • Monitor for vssadmin volume shadow copy deletion commands — this is a reliable pre-encryption indicator across most ransomware families
  • Alert on RMM tool installation by non-IT accounts (AnyDesk, Splashtop, ConnectWise)
  • Monitor for Rclone configuration file creation and large SMB or HTTPS data transfers to cloud storage endpoints
  • Network monitoring for Cobalt Strike beacon C2 patterns (malleable profiles, characteristic JA3 fingerprints)

CISA advisory IOCs: CISA AA25-039A includes file hashes, IP addresses, and domain IOCs current as of February 2025. Given the RaaS model and infrastructure rotation, treat these as historical indicators rather than live blocklists — behavioural detections are more durable.

Healthcare-specific note: Given Lynx’s consistent healthcare targeting, organisations in this sector should validate that their ransomware-specific controls — network segmentation between clinical and administrative systems, immutable backup copies, and tested recovery runbooks — are current and exercised.

Current Activity Level

As of mid-2026, Lynx remains an active threat. Victim postings on the group’s leak site have maintained a consistent pace throughout 2025 and into 2026. The group has not experienced the law enforcement disruption that affected LockBit (2024) or ALPHV/BlackCat (2024), and the affiliate model has sustained its operational capacity despite pressure on the broader RaaS ecosystem.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting