blogs.blackberry.com
Open in
urlscan Pro
2600:9000:266a:aa00:19:cd0a:2e00:93a1
Public Scan
URL:
https://blogs.blackberry.com/en/2024/10/lynx-ransomware
Submission: On November 07 via api from IN — Scanned from US
Submission: On November 07 via api from IN — Scanned from US
Form analysis 1 forms found in the DOM
<form id="search-form">
<input id="search-form--input" description="Search" data-search-url="https://blogs.blackberry.com/en/search" type="text" placeholder="Search" name="search">
<button type="submit">
<svg aria-hidden="true" data-prefix="fa" data-icon="search" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" data-fa-i2svg="">
<path fill="currentColor"
d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z">
</path>
</svg>
</button>
</form>Text Content
Skip Navigation
BlackBerry Logo
* Cybersecurity
* Automotive & IOT
* Critical Communications
* ×
BlackBerry Blog
1. BlackBerry Blog
2. 2024
3. Lynx on the Prowl: Targeting SMBs with Double-Extortion Tactics
LYNX ON THE PROWL: TARGETING SMBS WITH DOUBLE-EXTORTION TACTICS
RESEARCH & INTELLIGENCE / 10.14.24 / The BlackBerry Research and Intelligence
Team
* Share on X
* Share on Facebook
* Share on LinkedIn
* Email
SUMMARY
Ransomware gangs have played a substantial role in shaping the cyber threat
landscape over the last decade, operating with impunity with ever-more
aggressive tactics. Despite increased focus from law enforcement, 2023 saw a
record $1 billion+ in ransoms paid out by victims. 2024 has brought with it a
flood of old and new cybercriminal gangs, all trying to grab a piece of this
lucrative pie.
During our routine monitoring, the BlackBerry Threat Research and Intelligence
Team noticed an uptick in activity by one of the newer groups dubbed “Lynx.” The
threat group first appeared in mid-July and quickly racked up over 25 victims
primarily across North America and Europe over the following weeks. Claiming to
operate “ethically” by not targeting hospitals, governmental organizations, or
nonprofits, the group instead preys on small and medium-sized businesses (SMBs)
across a wide variety of industries.
Our interest in the group was further piqued when, upon delving deeper into the
ransomware, we noted that it appeared to have strong correlations with the
file-encryptor utilized by another ransomware extortion operation called “INC
Ransom” (aka INCRansom or INC Ransomware), which led us to dig deeper.
As a result of our investigations, we can state with a high degree of confidence
that Lynx and INC Ransom share near-identical static code structure and operate
almost identically when dynamically running. Additional correlations include the
use of the same email address – gansbronz[at]gmail[.]com – in the registry
information of the public leak sites of both groups, the same method of storing
their ransom notes within their file-encryptors, and the fact that both groups
appear to be sharing the same pool of IPs.
In this blog, we’ll examine this relationship between the two threat groups
further.
WHO ARE THE LYNX RANSOMWARE GROUP?
Like many ransomware operators, the Lynx group employs a double extortion
strategy when targeting their victims. Once they gain unlawful access to a
system, they exfiltrate sensitive data prior to encrypting it on the host device
or network. The stolen data is then published on their leak sites along with a
blog entry naming and shaming the victim.
The stolen data may then be further leveraged by the group in ransom
negotiations, with the threat that additional information may be published if
the victim organization does not comply with their ransom demands.
In the limited time the group has been active, Lynx has targeted a variety of
industries namely within but not limited to North America and Europe.
Figure 1: LYNX blog page.
Lynx maintains both a surface web and dark web leak site along with a series of
mirrored sites located at “.onion” addresses. This is presumably to ensure
uptime, should one or more sites be taken offline by law enforcement.
They also employ their own encryptor which, as mentioned above, appears to have
been developed using the same codebase as the one previously utilized by the INC
Ransom group. Researchers digging into this similarity have previously noted
that running samples from both ransom groups through BinDiff, an open-source
comparison tool for binary files, revealed a 70.8 percent match in shared
functions.
Code reuse is common among cybercriminal groups. Doing so achieves multiple
goals. By building on foundations already laid by other groups, threat actors
can cut costs, conserve time, and put all their resources into developing their
own attacks, leading to more campaigns with more successful outcomes.
TECHNICAL ANALYSIS
To date, a handful of samples related to the encryptor utilized by the Lynx
group have been identified in the wild. All samples appear to be written in C++,
and lack any form of packing or obfuscation to impede analysis.
Once pre-encryption objectives such as gaining initial access and data
exfiltration have been conducted, the ransomware may then be deployed and
detonated on the compromised victim's environment. The ransomware itself is
designed to be executed via the command-line console, supporting several
optional arguments. This enables an attacker to customize their approach for
file-encryption to coincide with their goals.
SHA-256
md5
ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49
74ae58a716aa834949388ee1574788e0
ITW File Name
win.bin
Compilation Stamp
2024-08-04 06:49:12 UTC
File Type/Signature
X86 PE
File Size
164.00 KB (167936 bytes)
Compiler Name/Version
MS Visual Studio 8.0
PDB path
E:\Lynx\Release\Lynx.pdb
Figure 2 below shows the options that the ransomware supports, with an
explanation of each displayable by invoking it with “--help.”
Figure 2: Lynx encryptor's help menu.
Upon execution, the malware further supports a “--verbose” mode that will print
a list of operations the ransomware is conducting as it is dynamically running,
as you can see in Figure 3 below.
Figure 3: Lynx encryptor running verbose mode.
Each optional argument works as described, and should the “--kill” switch be
selected, a specific list of processes and services will be targeted for
termination, should they be present on the machine:
* SQL
* Veeam
* Backup
* Exchange
* Java
* Notepad
Figure 4: Process and services termination list.
When encrypting files, the ransomware will append a new file-extension “.LYNX”
to all applicable files and also appends an additional few bytes of code to
each. This activity is performed by numerous ransomware encryptors to signify
successful encryption and to help prevent double-encryption of already-ransomed
files, if the malware happens to re-execute.
Figure 5: The file extension “LYNX” is appended to each encrypted file.
In order to prevent a victim’s device becoming inoperable, the malware omits
certain file-types and Windows folders from encryption. This serves a dual-use
purpose by speeding up encryption and preventing critical Windows programs
becoming inaccessible, which would “brick” the device and ruin the group’s
chance at holding it to ransom.
These directories are omitted by Lynx:
* \Windows\
* \ProgramFiles\
* \ProgramFiles x86\
* \Users\*\AppData
These file-extensions are omitted by Lynx:
* .exe
* .msi
* .dll
* .lynx
ENCRYPTION
The Lynx file-encryptor utilizes AES-128 in CTR (Counter) mode when encrypting
files. Advanced Encryption Standard (AES) is commonly weaponized by ransomware
groups for their file-encryptors. Additionally, the encryptor’s code includes an
implementation of the Curve25519-donna algorithm to generate a shared “secret,”
whilst the attacker’s public key is embedded into the code of the malware.
Curve25519 is one of the fastest curves in elliptic-curve cryptography, offering
128 bits of security (256-bit key size). It is not covered by any known patents,
making it a valuable addition to a cyber-gang's toolbelt.
The encryptor then computes the SHA-512 hash of the shared secret, and the first
initial 16-byte (128 bits) of this hash is utilized as the key to encrypt the
victims' files using AES-128.
To increase the encryption speed, the encryptor encrypts 1000000 (1 MB) in
increments of every 6000000 (6 MB). Without gaining access to the private key
generated by the threat actor, the victim’s files cannot be decrypted.
Figure 6: Encryption in progress (verbose mode).
WHO IS INC RANSOM?
Appearing in the wild in July 2023, INC Ransom is another extortion-based
ransomware group that has grown in notoriety over the past 12 months to become
one of the most active ransomware groups of 2024. The group was extremely active
in the later stages of 2023, before taking a brief hiatus heading into the
current year. Upon its return, it was noted that the ransomware utilized by the
group had seen minor iterative changes and new leak-site infrastructure stood
up.
The group operates as a Ransomware-as-a-Service (RaaS), often employing
double-extortion ploys that involve stealing critical data before deploying
their ransomware to encrypt compromised devices. This is leveraged to threaten
the victim, pressuring them into paying the group’s ransom demands or risk their
data being published via its public leak-site.
Unlike Lynx, INC Ransom makes no empty promises of acting ethically and has been
known to aggressively target all sectors in the past, including healthcare,
education, technology, and government entities.
Upon closer inspection, BlackBerry threat researchers noted that code and modes
of operation carried out by Lynx directly correlated with recent samples of the
file-encryptor used by INC Ransom.
Figure 7: Comparison of INC Ransom (left) and Lynx (right) file encryptors.
According to third-party reporting site Ransomware.live, INC Ransom was one of
the top 10 most active ransomware groups of 2024 at the time of publication.
Lynx additionally appears to share a lot of its code-base with INC Ransom:
Figure 8: BinDiff diagram comparing INC Ransom and Lynx.
So what could explain this apparent similarity between the two groups? The most
striking piece of information reported so far is that the INC Ransom source code
may have been sold via a cybercriminal underground forum back in May. Cyber
threat intelligence group KELA discovered that a user calling themselves
"salfetka" had announced the sale of both the Windows and Linux/ESXi versions of
INC Ransom on the Exploit and XSS hacking forums, to the tune of a cool
$300,000.
KELA security researchers have since attempted to verify the authenticity of the
sale, noting that technical details provided by “salfetka” align with public
analysis of INC Ransom samples. Industry analysists additionally noted that
around the time of the alleged sale, the INC Ransom operation was going through
some changes that might suggest a rift between its core team members or even a
split within the group. However, there are no official announcements on INC's
websites about the source code sale, fueling speculation that the code may have
been stolen by a disgruntled former member of the group.
At this stage of our investigation, BlackBerry cannot confirm nor deny any
information about the potential sale of INC Ransom’s source code. However, we
can state with a high degree of confidence that Lynx and INC Ransom share
near-identical static code structure and operate almost identically when
dynamically running. Additionally, at the time of writing, both threat groups
appear to be operating independently of one another, and both are currently
active across the threat landscape.
An additional correlation can be found in the registry information for the leak
sites of both groups. The same email address – gansbronz[at]gmail[.]com – was
used in the registry information of the publicly accessible Internet (aka the
clearnet, or surface net) leak sites of both groups, and they have also both
been sharing the same pool of IPs, which are rotated regularly and typically
host both sites (clearnet and dark net) in tandem.
Figure 9: Domain hosting history results from DomainTools.
RANSOM NOTE
Both INC Ransom and Lynx additionally share the same method of storing their
ransom notes within their file-encryptors. Both contain a Base-64 encode blob
that is decoded to produce both the background change to the desktop, signify to
the user their device has been affected by ransomware, and generates the
“README.txt” file that is also dropped by the ransomware.
Figure 10: Desktop background change.
It has been noted that some minor deviations were identified between observable
Lynx samples and their ransomware notes. However, references to its clearnet web
site and leak site remain consistent within all Lynx samples.
Figure 11: Lynx ransom note.
NETWORK
As noted, Lynx has both a surface website based on the publicly accessible
Internet, and numerous “.onion”-based sites on the dark web. This tactic is most
likely used by the group to achieve some redundancy if ever some part of their
operations were taken down.
Figure 12: Lynx’s dark web leak site - main page.
The Lynx group has a press release pinned to the front page of both their
clearnet and dark net sites, explaining that they are financially motivated and
committed to avoid targeting emergency services and non-profit organizations, a
pledge they’ve thus far maintained — unlike INC Ransom, who target
indiscriminately, including healthcare, education, and even charities in some
cases. Recent INC Ransom victims include a U.S. subsidiary of tech giant Xerox,
and NHS Scotland, the Scottish branch of the UK’s National Health Service.
INC Ransom even went so far as to publish a snippet of the alleged 3TB of data
it stole from Scotland's NHS healthcare group, which included patients' medical
test results (both adults and young children), medication information, and the
patients' full names and home addresses. The contact details and full names of
the medical professionals treating them were also visible. The ramifications of
this type of data being publicly available on the Internet can only be imagined.
Figure 13: Lynx leak site – pinned press release.
As with most RaaS groups, Lynx employs a double extortion strategy when
targeting a victim. This process typically kicks off with the group first
gaining illicit access to the victim’s device or network, then exfiltrating
critical or sensitive data prior to engaging their ransomware. This practice is
calculated to place psychological strain on victims, for not only can they no
longer access their vital information, they also know that if they don’t pay the
ransom, the threat group may publish their most sensitive or confidential
information on their twin leak sites.
It has become a relatively common practice of ransomware groups in recent years
to “name and shame” victims in the hopes they can force them to pay out the
ransom to decrypt their files and avoid their sensitive data being publicly
released online. Damages from such an attack on a typical SMB can run the
gauntlet from reputational brand damage, to the publication of privately held
intellectual property (IP), leakage of confidential client or employee data, and
the associated loss of public and shareholder trust in the targeted
organization.
Figure 14: Lynx’s dark web leak site, showing their “wall of shame” of victims.
TARGETS
Figure 15: Lynx ransomware victim geolocation (mid-September 2024).
Figure 16: Number of Lynx victims per region (mid-September 2024).
Figure 17: Timeline of Lynx attacks (Mid-September 2024).
CONCLUSIONS
Ransomware remains a constant scourge on the cybersecurity landscape and despite
the efforts of law enforcement and defenders worldwide, continues to trend in
the wrong direction. Driven by the promise of monitory gain whilst paying lip
service to ethics, cybercriminal groups like Lynx continue to compromise,
encrypt and exploit whilst profiteering off the damage and stress they’ve caused
their victims.
In recent years, ransomware operators have become more organized, rapidly
exploiting vulnerabilities in software systems and conducting opportunistic
attacks on their victims. Though BlackBerry cannot currently comment directly on
the tools, tactics and procedures (TTP’s) of the Lynx threat group, direct
correlations with the INC Ransom group have been noted in our initial analysis,
with clear overlaps in code-structure between the two group’s file-encryptors,
the same email used in the registry information of the public Internet
leak-sites of both groups, and the same shared pool of IPs.
Ultimately, ransomware remains one of the most lucrative and disruptive forms of
cybercrime, and so long as organizations continue to pay their ransoms, groups
like Lynx will continue to flourish.
OUR COMMITMENT TO THE FIGHT AGAINST RANSOMWARE
BlackBerry is committed to the fight against ransomware, and as such we are
proud to stand alongside the 68 members of the International Counter Ransomware
Initiative (CRI), which hosted its fourth Summit at The White House this month.
As a global leader in cybersecurity, BlackBerry’s mission is to help protect
governments, businesses, and safety-critical institutions of all sizes from
cyber threats.
We are delighted to have been selected to co-chair the CRI’s new Public-Private
Sector Advisory Panel, led by Public Safety Canada, which establishes a trusted
set of private sector partners for CRI members to rely on when responding to
ransomware attacks.
We look forward to collaborating with CRI members in combating ransomware by
catalyzing effective information sharing, building trust through clear
expectations and person to person collaboration, and developing best practices
to navigate practical hurdles to combating ransomware.
INDICATORS OF COMPROMISE (IOCS):
File
SHA256
Description
ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49
Lynx Encryptor
571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b
Lynx Encryptor
eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc
Lynx Encryptor
Network
URL
Description
lynxblog[.]net
Surface Web Leak Site
lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd[.]onion
Dark Web Leak Site
lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd[.]onion
Dark Web Leak Site Mirror
lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd[.]onion
Dark Web Leak Site Mirror
lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad[.]onion
Dark Web Leak Site Mirror
lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad[.]onion
Dark Web Leak Site Mirror
lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad[.]onion
Dark Web Leak Site Mirror
lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid[.]onion
Dark Web Leak Site Mirror
lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad[.]onion
Dark Web Chat Site
lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion
Dark Web Chat Site Mirror
lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd[.]onion
Dark Web Chat Site Mirror
lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd[.]onion
Dark Web Chat Site Mirror
lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd[.]onion
Dark Web Chat Site Mirror
lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd[.]onion
Dark Web Chat Site Mirror
lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad[.]onion
Dark Web Chat Site Mirror
lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad[.]onion
Dark Web Chat Site Mirror
Other
Name
Description
.LYNX
File Extension
README.txt
Ransom Note
E:\\Lynx\\Release\\Lynx.pdb
PDB
COUNTERMEASURES
YARA Rules
import "pe"
import "math"
import "hash"
rule Malware_Ransomware_Lynx_INCRansom_2024 {
meta:
description = "Detects Lynx and recent iterations of INCRansom
file-encryptors"
author = "The BlackBerry Threat Research and Intelligence Team"
last_modified = "2024-09-11"
created_from_sha256 =
"eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc"
created_from_sha256 =
"a5925db043e3142e31f21bc18549eb7df289d7c938d56dffe3f5905af11ab97a"
version = "1.0"
strings:
$s0 = "[+] Start encryption of directory: %s" fullword wide
$s1 = "[+] Sending note to printer: %s..." fullword wide
$s2 = "[+] Trying to open printer: %s..." fullword wide
$s3 = "[-] Failed to mount %s Error: %d" fullword wide
$s4 = "[+] Success! Closing printer: %s" fullword wide
$s5 = "[+] Start encryption of: %s" fullword wide
$s6 = "[%s] Encrypt network shares" fullword wide
$s7 = "[%s] Stop using process" fullword wide
$s8 = "[%s] Load hidden drives" fullword wide
$s9 = "[+] Found drive: %s" fullword wide
$s10 = "[+] Encrypting: %s" fullword wide
$s11 = "[+] Mounted %s" fullword wide
$s12 = "[%s] Debug" fullword wide
$s13 = "[*] Loading hidden drives..." fullword wide
$s14 = "Microsoft Print to PDF" fullword wide
$s15 = "\\background-image.jpg" fullword wide
$x0 =
{8203E067292914706E0E0A850AB727FC2FD24638211B2E26C9265CFC6D2C4DED2AC45A130D3853DFB3959D54730A65DE63AF8BB
B0A6A76A8B2773C2EC9C281E6AEED47852C72923B358214A1E8BFA26403F14C4B661AA8013042BC708B4BC29197F8D0A3516CC730BE54061
9}
$x1 =
{2F8A4222AE28D791443771CD65EF23CFFBC0B52F3B4DECA5DBB5E9BCDB89815BC2563938B548F3F111F15919D005B6A4823F929
B4F19AFD55E1CAB18816DDA98}
$x2 =
{5B002B005D0020005300750063006300650073007300660075006C006C0079002000640065006C00650074006500200073006800610064006F
007700200063006F0070006900650073002000660072006F006D002000250063003A002F00}
$x3 =
{38243828382C383038343838383C384038443848384C385038543858385C386038643868386C387038743878387C38}
$x4 = {35203528353035383540354835503558356035683570357835}
$x5 = {37203728373037383740374837503758376037683770377837}
$x6 = {09456E6372797074206E6574776F726B207368617265730A}
condition:
//Must be MZ File
uint16(0) == 0x5a4d and
//Exactly 5 Sections
pe.number_of_sections==5 and
//File smaller than 200KB
filesize < 200KB and
// Three Specfic Imports
pe.imports("CRYPT32.dll", "CryptStringToBinaryA") and
pe.imports("WINSPOOL.DRV", "WritePrinter") and
pe.imports("WINSPOOL.DRV", "StartDocPrinterW") and
//8 out-of 15 Strings
8 of ($s*)
//All-of Hex
and all of ($x*)
}
Related Reading:
* Ransomware Update: The State of Ransomware Attacks in 2024
* 10 Types of Cyberattacks Targeting Organizations Now
* Cyberattack Masquerade: How Threat Actors Blend In
ABOUT THE BLACKBERRY RESEARCH AND INTELLIGENCE TEAM
The BlackBerry Research and Intelligence team is a highly experienced threat
research group specializing in a wide range of cybersecurity disciplines,
conducting continuous threat hunting to provide comprehensive insights into
emerging threats. We analyze and address various attack vectors, leveraging our
deep expertise in the cyberthreat landscape to develop proactive strategies that
safeguard against adversaries.
Whether it's identifying new vulnerabilities or staying ahead of sophisticated
attack tactics, we are dedicated to securing your digital assets with
cutting-edge research and innovative solutions.
--------------------------------------------------------------------------------
* Share on X
* Share on Facebook
* Share on LinkedIn
* Email
Facebook X YouTube Instagram
--------------------------------------------------------------------------------
CORPORATE
* Company
* Newsroom
* Investors
* Careers
* Leadership
* Corporate Responsibility
* Certifications
* Customer Success
DEVELOPERS
* Enterprise Platform & Apps
* BlackBerry QNX Developer Network
BLOGS
* BlackBerry ThreatVector Blog
* Developers Blog
* Help Blog
LEGAL
* Overview
* Accessibility
* Patents
* Trademarks
* Privacy Policy
© 2024 BlackBerry Limited. All rights reserved.
BlackBerry uses cookies to help make our website better. Some of the cookies are
necessary for proper functioning of the site, while others are to help us
understand how you use it.Learn More
Cookie Settings Accept