Overview
Lynx is a ransomware-as-a-service (RaaS) operation that emerged publicly in July 2024 and has been assessed by CISA, HHS, and multiple threat intelligence vendors as a direct successor to the INC Ransom group. Code analysis by Palo Alto Unit 42 and others identified significant overlap between Lynx and INC Ransom’s encryptor logic, consistent with a rebrand or affiliate breakaway rather than an independent development.
The group operates a standard double-extortion model: data exfiltration precedes encryption, and victims face both operational disruption and the threat of sensitive data publication on Lynx’s Tor-hosted leak site. The leak site has maintained consistent activity since mid-2024, with victim postings spanning North America, Europe, and Australia.
CISA, the FBI, and the US Department of Health and Human Services (HHS) published joint advisory AA25-039A in February 2025 specifically naming Lynx and detailing its targeting of critical infrastructure and healthcare.
Targeting Profile
Lynx has maintained broad sector targeting consistent with opportunistic ransomware operations, with a notable concentration in:
- Healthcare: Hospitals, physician networks, clinical laboratories, and health insurance providers — the sector most likely to face regulatory pressure to pay
- Critical infrastructure: Energy utilities, water systems, and manufacturing — targets where operational disruption creates additional negotiating pressure
- Financial services: Mid-market financial firms, accounting practices, and credit unions
- Real estate: Commercial property management firms and real estate investment trusts
- Legal and professional services: Law firms handling litigation, M&A, or regulatory matters
Victim sizes have ranged from small regional operators with under 50 employees to mid-market organisations with several thousand staff. Lynx does not appear to target large enterprises exclusively — the affiliate model means individual affiliates pursue whichever targets their access enables.
Technical Characteristics
Encryptor
Lynx’s encryptor is a C++ binary with structural similarities to INC Ransom’s malware. Key characteristics:
- Encryption scheme: AES-128 CTR mode per file, with RSA-2048 public key encryption of the AES key
- File extension: Encrypts files and appends
.lynxextension - Partial encryption: For large files, the encryptor partially encrypts to maximise throughput — a common RaaS technique to reduce encryption time while still rendering files unusable
- Shadow copy deletion: Uses
vssadmin.exe delete shadows /all /quietvia cmd.exe - Ransom note: Drops
README.txtin each affected directory and a desktop wallpaper replacement
Initial Access
Observed initial access methods consistent with CISA advisory and threat intelligence reporting:
- Phishing: Credential phishing targeting internet-exposed mail and VPN portals
- Exposed RDP: Brute force and credential stuffing against internet-facing RDP services — particularly effective against smaller healthcare and manufacturing targets with poor patch posture
- Compromised credentials: Initial access broker (IAB) purchases documented in criminal forum monitoring; Lynx affiliates are known buyers on established IAB markets
- Vulnerable public-facing applications: Exploitation of unpatched VPN appliances and remote access gateways; the group has been observed exploiting vulnerabilities in Cisco, Fortinet, and Pulse Secure appliances
Persistence and Lateral Movement
Post-access activity follows a recognisable pattern:
- Legitimate RMM tools: AnyDesk, Splashtop, and ConnectWise Control deployed for persistent access and to complicate attribution
- Credential harvesting: Cobalt Strike beacons or similar frameworks for internal reconnaissance; Mimikatz for credential dumping
- Active Directory enumeration: BloodHound/SharpHound for AD graph analysis to identify high-privilege accounts and paths to domain controller access
- Lateral movement: Pass-the-hash and pass-the-ticket using harvested credentials; WMI and SMB for remote execution
Data Exfiltration
Before deployment of the encryptor, affiliates exfiltrate data using:
- Rclone: Configured to upload to attacker-controlled cloud storage (Mega, pCloud, or private VPS)
- WinSCP / FileZilla: FTP-based exfiltration to external infrastructure
- MEGASync: Direct sync to MEGA cloud storage, consistent with other RaaS operations
Exfiltrated data is catalogued and used as the basis for the extortion threat; higher-sensitivity data (patient records, financial statements, legal documents) is specifically highlighted in ransom communications to increase payment pressure.
Ransom Demands and Negotiation
Ransom demands have ranged from approximately $30,000 for smaller organisations to several million dollars for larger enterprise victims. The group operates a negotiation portal on the Tor network where victims communicate after discovering the ransom note.
Negotiation behaviour is consistent with professional RaaS operations: initial demands are set high, and negotiated settlements of 30–50% of the initial demand are common where victims engage. Time-limited discount offers (“pay within 72 hours for 20% reduction”) are a standard tactic.
Detection and Response Guidance
Focus areas for early detection:
- Monitor for
vssadminvolume shadow copy deletion commands — this is a reliable pre-encryption indicator across most ransomware families - Alert on RMM tool installation by non-IT accounts (AnyDesk, Splashtop, ConnectWise)
- Monitor for Rclone configuration file creation and large SMB or HTTPS data transfers to cloud storage endpoints
- Network monitoring for Cobalt Strike beacon C2 patterns (malleable profiles, characteristic JA3 fingerprints)
CISA advisory IOCs: CISA AA25-039A includes file hashes, IP addresses, and domain IOCs current as of February 2025. Given the RaaS model and infrastructure rotation, treat these as historical indicators rather than live blocklists — behavioural detections are more durable.
Healthcare-specific note: Given Lynx’s consistent healthcare targeting, organisations in this sector should validate that their ransomware-specific controls — network segmentation between clinical and administrative systems, immutable backup copies, and tested recovery runbooks — are current and exercised.
Current Activity Level
As of mid-2026, Lynx remains an active threat. Victim postings on the group’s leak site have maintained a consistent pace throughout 2025 and into 2026. The group has not experienced the law enforcement disruption that affected LockBit (2024) or ALPHV/BlackCat (2024), and the affiliate model has sustained its operational capacity despite pressure on the broader RaaS ecosystem.