THREAT ACTOR: Lynx

Threat Level: 7.5
Emergence Date: Jul 2024
Category: Ransomware-as-a-Service
Affiliations: INC Ransomware (predecessor), RAMP forum ecosystem

Description

Emerging in July 2024 as a Ransomware-as-a-Service (RaaS) operation, Lynx quickly established itself through aggressive double-extortion tactics targeting manufacturing, legal services, and energy sectors. Operating as a direct rebrand of the INC ransomware group with over 90% code similarity, the operation has compromised numerous organizations globally as of June 2025.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

Direct successor to INC Ransomware, sharing substantial codebase overlap and operational infrastructure. The group maintains a closed affiliate model with selective recruitment through Russian-language forums, excluding operators from CIS countries and China.

Current Status: Active and expanding operations

Threat Level: 7.5

Origins and Methodology

Lynx represents a calculated evolution in ransomware operations, emerging from the dissolution of INC Ransomware whose source code was reportedly sold for $300,000 on the RAMP forum in May 2024. Demonstrating high operational organization through its structured affiliate program, the group offers generous revenue share to partners while maintaining centralized control over infrastructure and victim negotiations.

The threat actor has cultivated a reputation for technical competence and aggressive tactics, including unique features like sending ransom notes to all connected printers and implementing drip data leaks to pressure victims. Despite claims to avoid socially important organizations, confirmed attacks on energy infrastructure and utilities contradict these assertions.

What is the Evolution of Lynx Ransomware?

1. Formation

Lynx formed in July 2024 following the acquisition of INC ransomware source code, with first public samples appearing mid-month. The transition from INC to Lynx was rapid, with INC activity ceasing by September 2024.

2. Evolution

Demonstrating continuous technical refinement, the group introduced multi-mode encryption options (fast/medium/slow/entire) to balance speed and impact. Cross-platform capabilities expanded to include Linux variants supporting ARM, MIPS, and PPC architectures, alongside ESXi targeting for virtualized environments.

3. Lineage/Connections

BinDiff analysis confirms 70.8% functional code similarity between Lynx and INC ransomware, with shared encryption methods and desktop wallpaper modification routines.

Which Unique Techniques Does Lynx Use?

Infection Vectors: Primary access occurs through spearphishing campaigns (T1566.001/T1566.002) and exploitation of unpatched vulnerabilities in public-facing applications. The group actively targets Remote Desktop Protocol (RDP) endpoints through brute-force attacks and credential stuffing.

Target Selection: Lynx prioritizes small-to-medium businesses (SMBs) in manufacturing, legal services, and energy sectors. Geographic focus centers on North America and Europe, with emerging activity in Asia-Pacific regions.

Operational Complexity: The group demonstrates advanced capabilities through multi-threaded encryption using Windows I/O Completion Ports, BYOVD (Bring Your Own Vulnerable Driver) attacks to disable security tools, and sophisticated privilege escalation via SeTakeOwnershipPrivilege token manipulation.

Key Features & Technical Details

The technical architecture represents an evolution of established ransomware capabilities, building upon INC Ransomware foundations while incorporating modern operational techniques.

Encryption Methods: AES-128 in CTR mode with Curve25519 Donna for key exchange; implements partial encryption (1MB per 6MB) for speed optimization

Double Extortion: Exfiltrates data pre-encryption (average 500GB+); implements a dripping leak strategy on Tor-hosted sites

Cross-Platform: Windows (x86/x64), Linux (ARM/MIPS/PPC), ESXi variants in "All-in-One Archive" distribution

Monetization: Bitcoin and Monero payments via Tor portals; revenue split favoring affiliates

Communication: Command-line interface with extensive customization flags (--file, --dir, --encrypt-network, --mode)

Behavioral Patterns: Printer targeting for physical ransom notes; desktop wallpaper modification; shadow copy deletion via DeviceIoControl

Activities

Maintaining a steady operational tempo since emergence, Lynx has seen its confirmed attacks grow consistently from its initial operations in July 2024 through June 2025. A significant surge in August 2024 established the group as a major player in the ransomware ecosystem. Current operations span multiple countries with continued focus on English-speaking targets.

Which Industries Are Most Vulnerable to Lynx?

Manufacturing organizations face disproportionate targeting due to operational disruption potential and typically weaker security postures compared to financial services. Legal services attract attention for high-value intellectual property and client data suitable for double extortion. Energy and utility sectors, despite claimed avoidance, remain vulnerable due to critical infrastructure status and pressure for rapid ransom payment.

Modus Operandi

Lynx employs a systematic approach to compromise, beginning with reconnaissance of vulnerable systems and culminating in coordinated encryption across networked resources. The group demonstrates patience in establishing persistence before executing ransomware deployment.

Initial Access

Spearphishing campaigns deploy phishing emails with malicious attachments and links to harvest credentials (T1566.001/T1566.002), while RDP brute-forcing (T1021) targets exposed endpoints using compromised credentials from credential stuffing and leaked databases.

Active exploitation focuses on unpatched vulnerabilities in Internet-facing systems including CVE-2024-54085 and CVE-2024-0769, with systematic scanning for exposed RDP services.

Reconnaissance and Discovery

Network reconnaissance combines SMB enumeration via WNetOpenEnumW API calls with SMB file share scanning and Nmap for network topology mapping.

Active Directory enumeration reveals domain structure and privileged accounts, while analysis of running processes identifies security tools and system services, enabling targeted credential harvesting and identification of backup systems.

Remote Access

Persistent access leverages RDP for system control and command execution alongside AnyDesk and other legitimate RMM tools that blend with administrative traffic. Custom backdoors provide redundant channels resilient to detection.

Defense Evasion and Privilege Escalation

Evasion tactics employ BYOVD attacks with vulnerable drivers, polymorphic code generation, and file obfuscation including XOR string obfuscation to defeat detection. Security process termination via the Restart Manager API targets AV and EDR solutions, while access token manipulation (T1134) and service privilege exploitation achieve SYSTEM-level access through SeTakeOwnershipPrivilege token manipulation.

Firewall rule modification enables malicious communications as UAC bypass techniques (T1548.002) circumvent Windows security controls. Shadow copy deletion via DeviceIoControl eliminates recovery options while anti-analysis techniques hinder investigation.

Credential Access

Mimikatz (T1003) extracts credentials from LSASS process memory, enabling pass-the-hash attacks with captured NTLM hashes. Browser credential theft harvests saved passwords and session cookies while registry credential mining targets stored Windows authentication data.

Domain account abuse leverages compromised administrative credentials as both custom and public tools systematically harvest cached domain credentials and password stores.

Command and Control

C2 infrastructure operates exclusively through Tor hidden services with no persistent IP infrastructure, using negotiation and data leak portals for operations. Stolen data is transferred over the fully encrypted C2 channel to attacker-controlled servers before encryption begins.

Lateral Movement

Movement leverages SMB/Admin shares for tool distribution and RDP session hijacking with stolen credentials across network segments. SMB protocol exploitation enables file system access and remote execution while WMI/PowerShell remoting (T1021.006) provides stealthy cross-system command execution, accelerated by credential reuse.

Exfiltration

Pre-encryption theft averaging 500GB per victim occurs through C2 channel transfers to attacker-controlled servers and cloud account exploitation of legitimate services. High-value target prioritization focuses on financial records, intellectual property, and HR files, with staged exfiltration avoiding detection systems.

Persistence

Persistence establishes scheduled tasks (T1053) and registry modifications for autostart entries alongside malicious service creation for recurring payload deployment, ensuring redundant access despite remediation attempts.

Impact

Attacks achieve complete operational disruption through file encryption, data breach exposure via exfiltration, and extended recovery times caused by shadow copy deletion and backup destruction.

Encryption

Multi-threaded encryption deploys AES-128 in CTR mode with Curve25519 key exchange, implementing partial encryption (1MB per 6MB) through Windows I/O Completion Ports for rapid network-wide encryption. Selective file targeting preserves system files while applying the .LYNX extension across multiple encryption modes.
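The 1MB-per-6MB partial encryption described above leaves a measurable signature: one high-entropy chunk followed by five chunks that still look like plaintext, rather than a uniformly random file. The following Python is an added illustration for analysts and is not Lynx code or code from the original profile; it computes per-chunk Shannon entropy and reports whether the striped pattern is present. Chunk size and period are parameters (the defaults assume 1MB means 1 MiB, an assumption), and the sample data is constructed.

```python
import math
import os

# Added illustration, not Lynx code: flag buffers whose entropy profile matches
# "one encrypted chunk per `period` chunks". chunk_size and period are parameters
# so the same logic can be exercised on small constructed samples.


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    n = len(chunk)
    if n == 0:
        return 0.0
    entropy = 0.0
    for value in range(256):
        count = chunk.count(value)  # bytes.count accepts an int in 0..255
        if count:
            p = count / n
            entropy -= p * math.log2(p)
    return entropy


def chunk_entropies(data: bytes, chunk_size: int) -> list:
    """Entropy of each consecutive chunk_size slice of data."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def detect_partial_encryption(data: bytes, chunk_size: int = 1 << 20, period: int = 6,
                              high: float = 7.5, low: float = 6.0):
    """Return (matches, encrypted_chunk_indices).

    matches is True only when exactly the chunks at index % period == 0 look random
    (entropy >= high) and every other chunk looks like plaintext (entropy < low).
    A fully random file (already compressed, or fully encrypted) does not match,
    which is what separates this pattern from ordinary high-entropy data.
    """
    entropies = chunk_entropies(data, chunk_size)
    encrypted = [i for i, e in enumerate(entropies) if e >= high]
    expected = [i for i in range(len(entropies)) if i % period == 0]
    others_clear = all(e < low for i, e in enumerate(entropies) if i % period != 0)
    return (bool(entropies) and encrypted == expected and others_clear), encrypted


def build_sample(chunk_size: int, chunks: int, period: int) -> bytes:
    """Constructed test data: text-like chunks with every period-th chunk replaced
    by random bytes, standing in for a partially encrypted document."""
    line = b"Quarterly report: revenue, costs, headcount.\n"
    text = (line * (chunk_size // len(line) + 1))[:chunk_size]
    out = bytearray()
    for i in range(chunks):
        out += os.urandom(chunk_size) if i % period == 0 else text
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample(4096, 12, 6)
    print(detect_partial_encryption(sample, chunk_size=4096, period=6))  # (True, [0, 6])
```

In practice the thresholds need tuning per file type (compressed archives and media are high-entropy throughout and should be excluded by the "others_clear" check), and the scan is most useful when run over a share after an incident to triage which files were touched under which encryption mode.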

Extortion

Extortion employs printer spamming to all connected printers, wallpaper defacement on infected systems, and drip data leaks on Tor-hosted sites releasing stolen data incrementally within 72 hours to pressure payment.

Post-Encryption and Anti-Forensics

Post-encryption routines execute shadow copy deletion via vssadmin and wmic commands, backup file deletion, system restore disablement, and recovery tool termination to prevent restoration.

Windows event log clearing (T1070.001) removes forensic artifacts while boot configuration modification and anti-forensics scripts complicate incident response.
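The shadow copy deletion, boot configuration changes, event log clearing and encryptor command-line flags listed in this profile are all visible in process-creation telemetry. The following Python is an added detection example, not from the original page: it runs a small rule set over constructed Sysmon-style (EventID 1) records and escalates only hosts where several distinct recovery-inhibiting actions fire, since a lone vssadmin call is often an administrator. The command lines, host names and users are invented; the bcdedit pattern is an assumed form of the "boot configuration modification" the page mentions; ATT&CK IDs T1490 and T1486 are annotations added here, while T1070.001 is the page's own.

```python
import re
from collections import defaultdict

# Constructed Sysmon EventID 1-style records for illustration. Hosts, users and
# the exact command lines are invented, not observed Lynx telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T02:10:05Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-06-01T02:10:07Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2025-06-01T02:10:09Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2025-06-01T02:10:12Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2025-06-01T02:12:40Z", "host": "WS07", "user": "CORP\\jdoe",
     "cmdline": "C:\\Users\\Public\\lx.exe --dir C:\\Shares --encrypt-network --mode fast"},
    {"ts": "2025-06-01T03:00:00Z", "host": "FS02", "user": "CORP\\admin",
     "cmdline": "vssadmin.exe list shadows"},          # benign: enumerates, does not delete
    {"ts": "2025-06-01T03:05:00Z", "host": "FS02", "user": "CORP\\admin",
     "cmdline": "wevtutil.exe qe Security /c:5"},      # benign: queries, does not clear
]

# (rule name, pattern applied to the lower-cased command line, ATT&CK technique)
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"), "T1490"),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"), "T1490"),
    ("boot_recovery_disabled",   # assumed bcdedit form of "boot configuration modification"
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"), "T1490"),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"), "T1070.001"),
    ("lynx_style_encryptor_flags",   # --encrypt-network / --mode fast|medium|slow|entire from the profile
     re.compile(r"--(encrypt-network|mode\s+(fast|medium|slow|entire))\b"), "T1486"),
]


def match_events(events):
    """One hit per (event, rule) pair: which rule fired, where, and on what command line."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pattern, technique in RULES:
            if pattern.search(cmd):
                hits.append({"rule": name, "technique": technique, "host": ev["host"],
                             "ts": ev["ts"], "cmdline": ev["cmdline"]})
    return hits


def hosts_to_escalate(hits, min_rules=2):
    """Hosts where at least min_rules distinct rules fired. Several distinct
    recovery-inhibiting steps within minutes is the ransomware pattern; a single
    matching command is usually routine administration."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for h in found:
        print(h["host"], h["rule"], h["technique"], "|", h["cmdline"])
    print("escalate:", hosts_to_escalate(found))   # ['FS01']
```

The flag rule is deliberately narrow (it requires a mode name after --mode) because bare --dir or --file switches are too common in legitimate tooling to alert on; in a SIEM the same rules would be expressed against the CommandLine field of the process-creation event and joined with the parent process and user.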

Indicators of Compromise (IOCs)

Key indicators help identify Lynx operations within networks, particularly specific file hashes, Tor infrastructure, and behavioral patterns tied to the ransomware ecosystem.

File Hashes (SHA-256):
c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72 (DNSC-validated sample)
b378b7ef0f906358eec595777a50f9bb5cc7bb6635e0f031d65b818a26bdc4ee (MalwareBazaar)
eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc (Fortinet)

IP Addresses: No persistent C2 IPs documented; relies on Tor infrastructure

Domains/URLs:
hxxp://lynxblog[.]net/ (Clearnet C2)
hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion (Payment)
hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion (Leak site)

File Paths and Registry Keys:
%TEMP%\background-image.jpg (Wallpaper staging)
README.txt (Ransom note in all directories)
HKCU\Control Panel\Desktop (Registry modification)
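The file-path indicators above are weak as static lookups (README.txt exists in every source checkout) but strong as behaviour: a ransom note landing in many directories on one host within seconds, alongside a burst of .LYNX file creations and a wallpaper image staged under a Temp directory. The following Python is an added example, not code from the page; it applies those three checks to constructed Sysmon EventID 11-style (FileCreate) records. Host names, paths and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FileCreate-style records: (timestamp, host, path). Invented for illustration.
SAMPLE_FILE_EVENTS = [
    ("2025-06-01T02:11:00Z", "FS01", r"C:\Shares\Finance\README.txt"),
    ("2025-06-01T02:11:02Z", "FS01", r"C:\Shares\Finance\Q1.xlsx.LYNX"),
    ("2025-06-01T02:11:05Z", "FS01", r"C:\Shares\HR\README.txt"),
    ("2025-06-01T02:11:06Z", "FS01", r"C:\Shares\HR\payroll.docx.LYNX"),
    ("2025-06-01T02:11:10Z", "FS01", r"C:\Shares\Legal\README.txt"),
    ("2025-06-01T02:11:15Z", "FS01", r"C:\Shares\Legal\Contracts\README.txt"),
    ("2025-06-01T02:11:20Z", "FS01", r"C:\Shares\Eng\README.txt"),
    ("2025-06-01T02:11:22Z", "FS01", r"C:\Shares\Eng\design.pdf.LYNX"),
    ("2025-06-01T02:11:25Z", "FS01", r"C:\Users\Public\README.txt"),
    ("2025-06-01T02:11:30Z", "FS01", r"C:\Users\svc_backup\AppData\Local\Temp\background-image.jpg"),
    ("2025-06-01T09:30:00Z", "WS07", r"C:\Users\jdoe\src\tool\README.txt"),  # benign: one note from a code checkout
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _split(path):
    """Split a Windows path into (directory, file name)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def ransom_note_bursts(events, note_name="README.txt", window=timedelta(seconds=60), min_dirs=5):
    """Per host, the largest number of distinct directories that received note_name
    within any `window`; returns {host: count} for hosts at or above min_dirs."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        directory, name = _split(path)
        if name.lower() == note_name.lower():
            per_host[host].append((_parse(ts), directory.lower()))
    flagged = {}
    for host, notes in per_host.items():
        notes.sort()
        best = 0
        for start, _ in notes:                      # slide the window from each note
            dirs = {d for t, d in notes if start <= t <= start + window}
            best = max(best, len(dirs))
        if best >= min_dirs:
            flagged[host] = best
    return flagged


def encrypted_extension_counts(events, ext=".lynx"):
    """Number of files created with the encrypted extension, per host."""
    counts = defaultdict(int)
    for _, host, path in events:
        if path.lower().endswith(ext):
            counts[host] += 1
    return dict(counts)


def wallpaper_staging_hosts(events, name="background-image.jpg"):
    """Hosts where the wallpaper image from the IOC list was written under a Temp directory."""
    return sorted({host for _, host, path in events
                   if _split(path)[1].lower() == name and "\\temp\\" in path.lower()})


if __name__ == "__main__":
    print(ransom_note_bursts(SAMPLE_FILE_EVENTS))          # {'FS01': 6}
    print(encrypted_extension_counts(SAMPLE_FILE_EVENTS))  # {'FS01': 3}
    print(wallpaper_staging_hosts(SAMPLE_FILE_EVENTS))     # ['FS01']
```

The window and min_dirs thresholds trade detection latency against noise: a shorter window catches fast encryption modes earlier, while a larger min_dirs avoids alerting on software installs that legitimately drop a README into a handful of folders.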

Exploits and Vulnerabilities

Lynx actively exploits known vulnerabilities in enterprise infrastructure, particularly targeting remote access systems and management interfaces for initial compromise.

AMI MegaRAC Auth Bypass (CVE-2024-54085, CVSS 9.8): Authentication spoofing in baseboard management

D-Link DIR-859 Path Traversal (CVE-2024-0769, CVSS 8.8): Unauthorized file access vulnerability

FortiOS Hard-Coded Credentials (CVE-2019-6693, CVSS 9.1): Admin privilege escalation via static credentials