| Category | Details |
|---|---|
| Threat Actors | Lynx ransomware group, successor to the INC ransomware group. |
| Campaign Overview | Emerged in 2024; ransomware-as-a-service (RaaS) model; actively targets multiple sectors. |
| Target Regions (or Victims) | Organizations in the U.S. and UK; avoids government, hospitals, and non-profits. |
| Methodology | Double extortion: exfiltrates and encrypts data; distributed via phishing emails, malicious downloads, and hacking forums. |
| Product Targeted | Windows systems; no Linux samples confirmed for Lynx yet (unlike INC). |
| Malware Reference | Lynx ransomware shares 48-70% code similarity with INC ransomware; uses AES-128 in CTR mode and Curve25519 (donna implementation). |
| Tools Used | Restart Manager API (RstrtMgr); OneNote for reporting. |
| Vulnerabilities Exploited | Primarily social engineering (e.g., phishing); no specific software vulnerabilities detailed. |
| TTPs | Accepts command-line arguments for execution; terminates processes, deletes backups, appends the .lynx extension, drops README.txt as the ransom note. |
| Attribution | Code similarities indicate Lynx reused and adapted INC ransomware's code. |
| Recommendations | Use Palo Alto's Cortex XDR Anti-Ransomware module; monitor indicators of compromise (IoCs); enhance phishing defenses. |
| Source | Unit 42 by Palo Alto Networks |
Disclaimer: The above summary has been generated by an AI language model.