Lynx Ransomware Group Unveiled with Sophisticated Affiliate Program
The Lynx Ransomware-as-a-Service (RaaS) group has been found operating a highly organized platform, complete with a structured affiliate program and robust encryption methods. Researchers at Group-IB gained access to the group’s affiliate panel, revealing the inner workings of this sophisticated cyber-threat.
Structured Affiliate Program
Lynx’s affiliate panel is organized into multiple sections, including “News,” “Companies,” “Chats,” “Stuffers” and “Leaks.” This design allows affiliates to configure victim profiles, generate custom ransomware samples and manage data leak schedules within a user-friendly interface.
Affiliates receive an 80% share of ransom proceeds, handle all negotiations and maintain control over the ransom wallet. Lynx also offers additional services, such as a call center to harass victims and advanced storage solutions for high-performing affiliates.
Cross-Platform Ransomware and Customizable Encryption
The group also provides an “All-in-One Archive” containing binaries for Windows, Linux and ESXi environments, covering a range of architectures, including ARM, MIPS and PPC. This multi-architecture approach ensures broad compatibility and maximizes the impact of attacks in diverse networks.
Lynx has recently introduced multiple encryption modes – “fast,” “medium,” “slow” and “entire” – allowing affiliates to balance speed and depth of file encryption. The ransomware employs robust encryption algorithms, including Curve25519 Donna and AES-128.
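The encryption modes described above matter for defenders because a "fast" mode that only touches part of each file defeats detection heuristics that look at whole-file entropy. The following added example (not code from Group-IB or from the Lynx operation) shows a windowed Shannon-entropy check next to a naive whole-file check, run over constructed samples. It assumes that the modes differ in how much of each file is encrypted; the fractions used here, the 4 KiB window and the 7.5 bits/byte threshold are illustrative choices, and the "encryption" is simulated by overwriting bytes with random data so that nothing on this page encrypts real files.

```python
"""Added example: windowed entropy as a ransomware detection heuristic.

ASSUMPTIONS (not from the report): the fast/medium/entire modes are modelled
as overwriting the first 1/16, 1/2 or all of a file; the random-byte
overwrite is only a statistical stand-in for ciphertext.
"""
import math
import random
from collections import Counter

WINDOW = 4096          # bytes per analysis window (illustrative)
THRESHOLD = 7.5        # bits/byte; uniform random bytes score close to 8.0

# Constructed plaintext sample: 64 KiB of repeated English text.
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:65536]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW) -> list:
    """Entropy of each fixed-size window, so a partially encrypted file
    shows up as a few near-8.0 windows among many low-entropy ones."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def whole_file_flag(data: bytes, threshold: float = THRESHOLD) -> bool:
    """Naive check: one entropy value for the entire file."""
    return shannon_entropy(data) >= threshold


def windowed_flag(data: bytes, threshold: float = THRESHOLD) -> bool:
    """Windowed check: any single near-random window is suspicious."""
    return any(e >= threshold for e in window_entropies(data))


def classify(data: bytes, threshold: float = THRESHOLD) -> str:
    """Rough depth estimate from the share of near-random windows:
    'clean' (none), 'partial' (some), 'full' (90% or more)."""
    ents = window_entropies(data)
    hot = sum(1 for e in ents if e >= threshold) / len(ents)
    if hot == 0:
        return "clean"
    return "partial" if hot < 0.9 else "full"


def simulate_depth(data: bytes, fraction: float, seed: int = 1) -> bytes:
    """Stand-in for 'depth of encryption': replace the first `fraction` of
    the buffer with random bytes. This is NOT encryption, only a way to
    build deterministic test inputs with ciphertext-like statistics."""
    rng = random.Random(seed)
    n = int(len(data) * fraction)
    return bytes(rng.getrandbits(8) for _ in range(n)) + data[n:]


# Constructed samples standing in for the assumed modes.
SAMPLES = {
    "plaintext": PLAINTEXT,
    "fast": simulate_depth(PLAINTEXT, 1 / 16),   # one window of sixteen
    "medium": simulate_depth(PLAINTEXT, 0.5),    # half the file
    "entire": simulate_depth(PLAINTEXT, 1.0),    # whole file
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} whole-file={whole_file_flag(blob)!s:5s} "
              f"windowed={windowed_flag(blob)!s:5s} class={classify(blob)}")
```

The point a practitioner takes from running it: the whole-file check fires only for the "entire" sample, while the windowed check fires for every sample that has even one overwritten window. Production EDR heuristics combine this kind of content statistic with behavioural signals (rename bursts, extension changes, shadow-copy deletion) rather than relying on entropy alone, since compressed and already-encrypted legitimate files also score near 8.0.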
Professional Recruitment and Double Extortion
The group actively recruits experienced penetration testing teams through underground forums, emphasizing a stringent verification process.
The group does not target entities responsible for the livelihood of civilians, such as healthcare institutions, government bodies, churches or non-profits.
Lynx employs double extortion tactics, encrypting victims’ data and threatening to leak it on their dedicated leak site (DLS) if ransoms are not paid. The DLS serves as a platform where attackers publish announcements about attacks and disclose leaked data from their victims.
“Lynx has emerged as a formidable RaaS operator by combining a versatile arsenal of ransomware builds, a structured affiliate ecosystem and systematic extortion tactics,” Group-IB wrote.
“In-depth analysis revealed a significant code overlap with INC ransomware […]. This strongly indicates that Lynx may have purchased or adapted the INC ransomware source code, enabling them to build upon existing malware capabilities. For organizations, this underscores the importance of continually updating incident response procedures, investing in real-time threat intelligence and fostering a security-first culture.”
Recommendations for Defense
To defend against the Lynx ransomware threat, Group-IB recommends the following measures:
- Prioritize software updates: Regularly apply critical updates to mitigate vulnerabilities
- Implement multi-factor authentication (MFA): Use MFA, especially for privileged accounts, to add an extra layer of security
- Deploy advanced endpoint detection and response (EDR) solutions: Utilize behavioral detection to identify ransomware indicators on managed endpoints
- Regularly schedule backups: Maintain offline or network-segmented backups to protect against lateral movement by attackers
- Conduct security awareness training: Educate employees on phishing and suspicious activities to reduce human error
- Perform ongoing technical audits: Regularly assess infrastructure to uncover hidden weaknesses and ensure strict access control
- Avoid paying ransoms: Paying attackers encourages further extortion; instead, contact experienced incident response teams
Implementing these strategies can significantly enhance an organization’s resilience against ransomware attacks.