Ransomware Roundup – Lynx
This article describes the characteristics of the Lynx ransomware and the threat it poses to Windows systems. The ransomware encrypts files and demands a ransom, and it offers several encryption modes and evasion options. The article also covers its data leak site and the distribution of its victims, and notes that Fortinet security solutions protect against this threat. 2025-2-14 14:0:0 Author: feeds.fortinet.com

FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Lynx ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows users
Impact: Encrypts victims' files and demands ransom for file decryption
Severity level: High

Lynx Ransomware Overview

The first sample of the Lynx ransomware was uploaded to a public file-scanning site in early July 2024, which coincides with other reports of its first availability.

Our research found that the Lynx and INC ransomware, which first appeared in July 2023, look very similar. However, INC offers fewer options at the execution phase. We believe that INC ransomware is a predecessor to the Lynx ransomware. While INC ransomware is available for the Windows and ESXi platforms, we have not found a Lynx variant of the ransomware that affects non-Windows environments.

The screenshot above shows the different options and functions an INC ransomware sample can perform. In contrast, the screenshot below shows what they are for a LYNX sample.

LYNX ransomware offers more granular control than INC. Like most ransomware, INC and LYNX encrypt files on victims' Windows machines. Both families use the same encryption methods. Furthermore, both families modify the desktop background to display the ransom note. At the same time, both try to send the ransom note to connected printers. These can be seen in the following screenshots.

Like other ransomware attacks, these demand a ransom to decrypt files via dropped ransom notes.

Infection Vector

Information on the infection vector used by the Lynx ransomware threat actor is unavailable. However, it is not likely to differ significantly from other ransomware groups.

Attack Method

When run, the Lynx ransomware accepts the following command-line arguments:

Option                 Description
--file <filePath>      Encrypt only specified file(s)
--dir <dirPath>        Encrypt only specified directory/directories
--mode fast            Encrypt 5% from entire file
--mode medium          Encrypt 15% from entire file (default)
--mode slow            Encrypt 25% from entire file
--mode entire          Encrypt 100% from entire file
--help                 Print this message
--verbose              Enable verbosity
--silent               Enable silent encryption (no extension and notes will be added)
--stop-processes       Try to stop processes via RestartManager
--encrypt-network      Encrypt network shares
--load-drives          Load hidden drives (will corrupt boot loader)
--hide-cmd             Hide console window
--no-background        Don't change background image
--no-print             Don't print note on printers
--kill                 Kill processes/services
--safe-mode            Enter safe-mode
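The switch set above is distinctive enough to hunt for in process-creation telemetry. The following detector is an added example, not Fortinet's code: it takes the switch names from the table, requires at least two of them on one command line so that a lone --help or --verbose from an unrelated tool does not fire, and raises the severity when a destructive switch or the "entire" mode is present. The Sysmon-style sample events are constructed for illustration.

```python
# Added example (not Fortinet's code): flag Lynx-style command lines in
# process-creation telemetry; switch names come from the Lynx --help table.
LYNX_SWITCHES = {
    "--file", "--dir", "--mode", "--help", "--verbose", "--silent",
    "--stop-processes", "--encrypt-network", "--load-drives", "--hide-cmd",
    "--no-background", "--no-print", "--kill", "--safe-mode",
}
# Switches that signal destructive intent on their own.
HIGH_IMPACT = {"--encrypt-network", "--load-drives", "--kill",
               "--stop-processes", "--silent"}
MODE_VALUES = {"fast", "medium", "slow", "entire"}

def match_switches(cmdline):
    """Return (set of Lynx switches present, value given to --mode or None)."""
    tokens = cmdline.lower().split()
    matched = {t for t in tokens if t in LYNX_SWITCHES}
    mode = None
    for i, t in enumerate(tokens[:-1]):
        if t == "--mode" and tokens[i + 1] in MODE_VALUES:
            mode = tokens[i + 1]
    return matched, mode

def classify(cmdline):
    """'high', 'medium' or None; two or more Lynx switches are required."""
    matched, mode = match_switches(cmdline)
    if len(matched) < 2:
        return None
    if matched & HIGH_IMPACT or mode == "entire":
        return "high"
    return "medium"

# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": "C:/Users/Public/upd.exe",
     "cmd": "upd.exe --encrypt-network --kill --mode fast --no-print"},
    {"host": "WS12", "image": "C:/Windows/System32/cmd.exe",
     "cmd": "cmd.exe /c sometool.exe --help"},
    {"host": "WS07", "image": "C:/Temp/x.exe",
     "cmd": "x.exe --dir D:/Finance --mode medium --no-background"},
]

def analyze(events):
    """One finding per event whose command line classifies as suspicious."""
    findings = []
    for ev in events:
        sev = classify(ev["cmd"])
        if sev:
            matched, mode = match_switches(ev["cmd"])
            findings.append({"host": ev["host"], "image": ev["image"],
                             "severity": sev, "switches": sorted(matched),
                             "mode": mode})
    return findings
```

Tune the two-switch threshold to your environment; a partial-encryption mode value next to --mode is itself a strong signal, since legitimate tools rarely use that vocabulary.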

The Lynx ransomware always kills processes containing the following strings to maximize damage:

  • SQL
  • Veeam
  • Backup
  • Exchange
  • Java
  • Notepad

It kills services that contain the following strings:

  • SQL
  • Veeam
  • Backup
  • Exchange

The Lynx ransomware then encrypts files on the compromised machines and adds a file extension “.LYNX” to the affected files.

The ransomware avoids encrypting files in the following folders:

  • Windows
  • program files
  • program files (x86)
  • $RECYCLE.BIN
  • Appdata

The Lynx ransomware avoids encrypting files with the following extensions:

  • .exe
  • .msi
  • .dll
  • .lynx

It also performs the following actions:

  • empty the recycle bin
  • mount drives for encryption
  • delete shadow copies
  • change the wallpaper to display the ransom note
  • print a ransom note on any printers connected to the infected computer

The Lynx ransomware drops the following ransom note in “README.txt”:

The ransomware then replaces the desktop wallpaper with the same ransom message.

The oldest Lynx ransomware sample (SHA2: eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc) displays a slightly different ransom note. It contains different TOR sites and an attacker email address not found in other Lynx ransomware.

The ransom note directs victims to a chat site operated by the attacker on TOR, where victims must first register with a unique ID.

Victimology and Data Leak Site

The Lynx ransomware has a data leak site that posts victim information, including data stolen from victims. As of this writing (January 29, 2025), the data leak site lists 96 victims, with the latest publication date being January 20, 2025. Our investigation found the following about the Lynx ransomware victims listed on the data leak site:

  • The victims are spread out over 16 different countries.
  • Over 60% of victims are located in the United States.
  • Canada and the United Kingdom come in second with about 8%.
  • Manufacturing is the industry most affected by this, with more than 20%.
  • Construction comes in second with just under 20%.

Note that victims who paid the ransom may have been removed from the data leak site, and as such, additional companies may be affected by the Lynx ransomware.

Separate from the aforementioned chat site, the Lynx ransomware group operates a data leak site on TOR.

The Lynx ransomware group claims they have a policy to exclude “governmental institutions, hospitals, or non-profit organizations as these sectors play vital roles in society.” However, some victims listed on the data leak site are organizations believed to be in the healthcare and energy sectors.

As with other ransomware groups, each victim has its own data leak page with a description of the stolen documents, the revenue of the victim organization, and the date the data was leaked.

Fortinet Protections

The Lynx ransomware samples described in this report are detected and blocked by FortiGuard Antivirus as:

  • W32/IncRansom.A!tr.ransom
  • W32/Filecoder_IncRansom.A!tr
  • W32/Filecoder_IncRansom.A!tr.ransom

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

IOCs

Lynx Ransomware File IOCs


FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our free Fortinet Certified Fundamentals (FCF) in Cybersecurity training is designed to help end users learn about today's threat landscape and introduces basic cybersecurity concepts and technology.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

FortiRecon is a SaaS-based Digital Risk Prevention Service backed by cybersecurity experts that provides threat intelligence on the latest threat actor activity across the dark web, giving a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress, allowing customers to rapidly respond to and shut down active threats.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.


Source: https://feeds.fortinet.com/~/912974009/0/fortinet/blog/threat-research~Ransomware-Roundup-%e2%80%93-Lynx