Lynx Ransomware: Double Extortion, Ethics & Affiliate Payouts

A new ransomware is on the prowl. Lynx ransomware has been spreading across the threat landscape, targeting small to medium-sized businesses and enterprises to extort funds.

Ransomware has steadily been on the rise. In 2023, over 72% of organizations globally were affected by ransomware attacks. In 2024, over half of businesses and organizations worldwide reported losing at least $300,000 due to cyberattack incidents.
Lynx ransomware, operated by affiliates around the world, uses tactics, techniques, and procedures (TTPs) such as terminating processes, deleting backup files, and encrypting network shares, which make its attacks especially devastating.
What is Lynx ransomware?
Lynx ransomware is operated by a sophisticated threat group that has been active since mid-2024. The group runs a Ransomware-as-a-Service (RaaS) model to build and distribute its attacks across industries such as finance, architecture, and manufacturing.
Who is the Lynx ransomware group?
The cybercriminals behind the Lynx ransomware claim to follow an “ethical” approach when choosing targets to minimize harm done to society. The Lynx group states they do not target governmental institutions, healthcare, or non-profit organizations.

To recruit more affiliates, Lynx uses affiliate-marketing techniques. Its RaaS panel is structured into multiple sections (e.g. “News,” “Companies,” “Chats,” “Stuffers,” and “Leaks”) to make affiliates' operations easier to run.

Lynx affiliates receive an 80% share of ransom proceeds, handle all negotiations, and maintain control over the ransom wallet. Lynx also offers additional services, such as a call center to harass victims and advanced storage solutions for high-performing affiliates.
What techniques does the Lynx ransomware group use?
Most businesses today use Windows as their preferred operating system. For this reason, the Lynx malware is built to run only on Microsoft Windows, where it can do the most damage to business operations.
The attack vectors and behaviors observed in Lynx campaigns include the following:
- Phishing emails and social engineering: Phishing emails lure the target into downloading and installing the Lynx malware, which then spreads across systems.
- Malware-encrypted files: Once executed, the Lynx malware encrypts files, appends the .lynx extension to each file name, and deletes backup files such as shadow copies to hinder recovery.
- Double extortion tactics: Once the target's most valuable digital assets have been compromised, the Lynx group uses double extortion to pressure victims into paying the ransom: the stolen data is published on leak sites and sold to the highest bidder.
Lynx ransomware timeline
In 2024, the Lynx ransomware group made their mark on the threat landscape.
Here's a quick breakdown of the notable activities since the group's inception:
- July 2024: Lynx ransomware was first detected, identified as a rebranded and more advanced version of INC ransomware. It adopted the Ransomware-as-a-Service (RaaS) model, making it accessible to a wider range of cybercriminals.
- October 2024: Lynx gained attention for its double extortion tactics, encrypting victims’ data and threatening to leak sensitive information. It targeted industries like retail, real estate, and finance, primarily in North America and Europe.
- December 2024: A major attack was reported on Electrica, a prominent energy supplier. This incident disrupted operations and compromised sensitive data, showcasing Lynx’s ability to target critical infrastructure contrary to their “ethical” stance.
- January 2025: Lynx ransomware breached Hunter Taubman Fischer & Li LLC, a U.S.-based law firm specializing in corporate and securities law. This attack exposed sensitive client information, highlighting the ransomware’s focus on high-value targets.
- February 2025: Reports confirmed that Lynx had listed 96 victims on its data leak site, although this number is suspected to be higher.
- March 2025: Notable Lynx attacks in 2025 include the Australian supplier C.I. Scientific and the Springfield Water and Sewer Commission, raising concerns about the security of sensitive information within public sector organizations.
Who does Lynx ransomware target?
Since the group's inception in 2024, Lynx ransomware has affected more than 20 countries across the globe, including the United States, the United Kingdom, Germany, Canada, France, Spain, and South Korea.
Since the Lynx ransomware operators are seeking to extort profit, they target a wide variety of different organizations across various industries, such as agriculture, food suppliers, utilities, manufacturing, and technology.
While the group stated that they will not target governments, non-profit organizations, or healthcare, their attacks do still affect critical infrastructure, adversely affecting society at large.
Lynx ransomware attacks electricity provider
In December 2024, the Lynx group targeted the Electrica Group, one of the largest electricity suppliers in Romania. The attack affected 3.8 million citizens across Romania and Transylvania.
The National Cyber Security Directorate (DNSC) was notified to mitigate the incident, and it was determined that critical power supply systems had not been affected.
While the Electrica Group did not suffer a loss of service to their customers, the attack shows how important platform monitoring is to avoid potential losses.
US law firm's sensitive data exposed by Lynx ransomware
In January 2025, a US-based law firm, Hunter Taubman Fischer & Li LLC, was targeted by the Lynx group, compromising sensitive client information.
The data leak was alarming due to the high-profile clients and the potential to expose critical business transactions.
In the evolving ransomware threat landscape, this attack underscores the importance of prioritizing the secure handling of sensitive data. Companies can conduct regular vulnerability assessments, train employees to handle threats such as phishing, and construct robust systems to mitigate risks.
Industrial technology provider targeted by Lynx
On March 11, 2025, C.I. Scientific Pty Ltd, a leading provider of industrial and manufacturing equipment and services, was attacked by Lynx ransomware.
C.I. Scientific is a leading Australian supplier of laboratory and industrial equipment to organisations in New Zealand and the Pacific region. The company also offers calibration services for scientific and industrial equipment.
The attack made C.I. Scientific the Lynx group's fourth Australian victim so far. It compromised sensitive operational data; however, no specific user data was reported as compromised.
2025 Lynx ransomware victim count
As of January 2025, the Lynx ransomware data leak site lists 96 victims, but the true number of victims to date is estimated to be higher.
According to researchers, 60% of victims are located within the United States, and manufacturing is the most targeted industry so far, accounting for more than 20% of attacks.
How does Lynx ransomware work?
The INC ransomware group has been active since July 2023 and shares a significant overlap with Lynx ransomware from 2024.
Analyses reveal that Lynx's malware has a 48% overall code similarity with INC ransomware and a 70.8% similarity in specific functions. This suggests that Lynx may have repurposed INC ransomware's source code, which was reportedly sold in May 2024.
Lynx ransomware primarily targets Microsoft Windows operating systems, the operating system utilized by most businesses worldwide.
Here's a simplified overview of how Lynx ransomware operates:
- Delivery mechanisms: Lynx ransomware relies on several attack vectors to gain access to the victim's data. Documented vectors include phishing emails, malicious downloads carrying the ransomware, and hacking forums where access and information are exchanged between threat actors.
- Native API: Lynx ransomware uses the Windows Restart Manager API (RstrtMgr) to enhance its encryption capabilities and maximize its impact on the victim's system.
- Windows command shell: Lynx ransomware uses the command shell to launch executables (.exe), installers (.msi), and libraries (.dll) that run the ransomware and deliver the ransom threat.
- Bypass security restrictions: Lynx ransomware runs privilege escalation exploits to gain elevated system access and bypass security restrictions. It also actively terminates system processes, including anti-virus software, to evade security defenses.
- Avoiding detection: The group exfiltrates data to external cloud storage providers so that the exfiltration is harder to detect.
- Defacing of internal systems: Lynx ransomware changes the desktop background of the infected system, replacing it with the ransom note, which is also dropped as a ReadMe.Txt file, to ensure the victim sees the attacker's demands.
- Erasing backups and file encryption: Lynx ransomware encrypts files across the network, appending the .lynx extension, and erases backup files, including shadow copies. The operators often encrypt network shares, making it harder for organizations to access their files and recover their systems. Files are encrypted with the Advanced Encryption Standard (AES), a symmetric block cipher used by the U.S. government to protect classified information.
- Double-extortion data leak sites: After demanding a ransom from victims, the Lynx group publishes portions of the stolen data online. In cybersecurity this is called information disclosure: cybercriminals publishing sensitive information on data leak sites.
- Anonymity with Tor: Tor (The Onion Router) is used to maintain anonymity and communicate with victims.
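The behaviors above translate into log events a defender can watch for. The following Python example is added here for illustration and is not CybelAngel's code: it scans constructed, pipe-separated log lines for the .lynx renames, ReadMe.Txt ransom note, and shadow copy deletion described above, then only flags a host when several of these coincide. The log format, the sample lines, and the use of vssadmin/wmic commands to represent shadow copy deletion are all assumptions.

```python
import re
from collections import defaultdict

# Behaviours the article attributes to Lynx, expressed as log detection rules.
# The log format (timestamp|host|event|details) and every sample line below are
# constructed for this example; adapt parse_line() to your own SIEM export.
RULES = {
    # files renamed with the .lynx extension: encryption in progress
    "lynx_extension": re.compile(r"\.lynx\b", re.IGNORECASE),
    # ransom note written to disk (noisy on its own, hence triage())
    "ransom_note": re.compile(r"readme\.txt", re.IGNORECASE),
    # shadow copy deletion; vssadmin/wmic are an assumption about how the backup
    # erasure the article describes would show up in process-creation logs
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete",
        re.IGNORECASE),
}

def parse_line(line):
    ts, host, event, details = (p.strip() for p in line.split("|", 3))
    return {"ts": ts, "host": host, "event": event, "details": details}

def scan(lines):
    """Count rule hits per host: {host: {rule_name: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in filter(str.strip, lines):        # skip blank lines
        rec = parse_line(line)
        for name, pattern in RULES.items():
            if pattern.search(rec["details"]):
                hits[rec["host"]][name] += 1
    return {host: dict(rules) for host, rules in hits.items()}

def triage(hits, rename_threshold=3):
    """Flag hosts where a burst of .lynx renames coincides with backup destruction
    or a ransom note: a lone README.txt is normal, the combination is not."""
    corroborating = {"ransom_note", "shadow_copy_deletion"}
    return sorted(host for host, rules in hits.items()
                  if rules.get("lynx_extension", 0) >= rename_threshold
                  and corroborating & set(rules))

SAMPLE_LOG = r"""
2025-01-15T02:14:05Z|FS01|ProcessCreate|vssadmin.exe delete shadows /all /quiet
2025-01-15T02:14:09Z|FS01|FileRename|D:\Shares\Finance\Q1.xlsx -> Q1.xlsx.lynx
2025-01-15T02:14:09Z|FS01|FileRename|D:\Shares\Finance\Q2.xlsx -> Q2.xlsx.lynx
2025-01-15T02:14:10Z|FS01|FileRename|D:\Shares\HR\payroll.csv -> payroll.csv.lynx
2025-01-15T02:14:12Z|FS01|FileCreate|D:\Shares\Finance\ReadMe.Txt
2025-01-15T09:02:44Z|WS22|FileCreate|C:\Projects\tool\README.txt
"""
if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    print(found, triage(found))                  # triage -> ['FS01']
```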

How can I protect my system from Lynx ransomware attacks?
CybelAngel's own threat research has found that 42% of businesses have experienced a ransomware attack, alongside a 125% increase in active ransomware groups.
To defend against cyber threats in an ever-evolving threat landscape, it's more important than ever to secure your data and systems against potential attacks.
Here are some ways you can begin protecting your organization against ransomware attacks, according to CISA:
- Back up data securely: Maintain frequent backups of important files on external drives or secure cloud storage, and regularly test the availability and integrity of backups in a disaster recovery scenario. Disconnect backups after they are done to prevent them from being encrypted during an attack.
- Create and maintain an incident response plan: Incident response plans help your team respond to attacks without causing further damage. Ensure that you include a communication plan to let affected parties know in the event of an attack.
- Enable Multi-Factor Authentication (MFA): Adding an extra layer of security to your accounts and systems can reduce unauthorized access, which attackers often exploit.
- Restrict permissions: Limit administrative privileges and user access to sensitive files to prevent ransomware from spreading across your system. This can be part of a broader zero-trust architecture to stop ransomware before it spreads.
- Train your organization: Raise awareness about ransomware tactics, such as social engineering and malicious ads, to help prevent falling victim to them.
- Use robust security tools: Employ a reliable antivirus and anti-malware solution, such as CybelAngel, that can detect and block ransomware. Firewalls can also help secure your network and protect endpoint devices such as computers, printers, and embedded devices.
Final thoughts
RaaS is on the rise, fast becoming the method cybercriminals prefer due to its out-of-the-box and ready-to-use capabilities. Utilizing RaaS lowers the barrier to entry for cybercriminals, allowing even those with minimal technical expertise to launch ransomware attacks using pre-developed tools.
In 2023, 70% of all cyberattacks were ransomware attacks. In 2024, a survey of cybersecurity professionals of organizations worldwide found that 32% of organizations suffered ransomware attacks because of exploited vulnerabilities.

To combat the rise in ransomware attacks, organizations of all sizes must consider vulnerabilities within their technology ecosystem to ensure data breaches don't hinder daily operations or expose sensitive customer and company information.
Adopting a flexible and continually updated cybersecurity framework, such as MITRE ATT&CK or the NIST Cybersecurity Framework 2.0, can help organizations improve their security posture.
Fight ransomware with CybelAngel
Utilize CybelAngel's advanced threat intelligence to better understand the motives, targets, and attack methods commonly used by threat actors.
CybelAngel's extensive cybersecurity tools can help your organization stay ahead of potential breaches:
- Detect API threats before attacks occur: Vulnerable assets such as products supplied by partners can increase your attack surface. CybelAngel's Asset Discovery and Monitoring service can detect API threats to stay ahead of cybersecurity risks.
- Prevent information from leaking to the Dark Web: Gathering comprehensive insights into emerging cyber threats helps your business stay secure. Our Dark Web Monitoring service ensures that company data isn't circulating on the Dark Web for cybercriminals to exploit.
- Protect against data breaches: Data leaks and breaches from ransomware attacks can expose both company and client data, leading to financial and reputational losses. CybelAngel's Data Breach Prevention service monitors across cloud storage, file servers, and databases to protect essential company assets.
- Detect stolen credentials: Our comprehensive Credential Intelligence service notifies users when credentials have been compromised and investigates the cause of the attack to prevent future credential breaches.
Not sure where to get started?