Lynx Ransomware: A Rebranding of INC Ransomware

    Date: 10/11/2024

    Severity: High

    Summary

     In July 2024, Palo Alto Networks Unit 42 identified Lynx ransomware, a successor to the earlier INC ransomware, which first appeared in August 2023. Lynx shares a significant portion of its source code with INC and has been targeting organizations in sectors such as retail, real estate, and finance in the U.S. and UK. The known samples to date are Windows binaries; a Linux variant has not been confirmed. Lynx operates under a ransomware-as-a-service (RaaS) model. The referenced Unit 42 report walks through the timeline of Lynx's attacks and the evolving tactics of its operators, and notes that Palo Alto Networks Network Security solutions and Cortex products provide protection against Lynx.

    Indicators of Compromise (IOC) List

    URL/Domain

    lynxblog.net

    http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion

    http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/disclosures

    http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion

    http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion

    http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion

    http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion

    http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion

    http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion

    http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion

    http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion/login

    http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login

    http://lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd.onion/login

    http://lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd.onion/login

    http://lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd.onion/login

    http://lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion/login

    http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login

    http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login

    Hash

    571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b
    
    82eb1910488657c78bef6879908526a2a2c6c31ab2f0517fcc5f3f6aa588b513
    
    eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc
    
    02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461
    
    05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9
    
    11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd
    
    1754c9973bac8260412e5ec34bf5156f5bb157aa797f95ff4fc905439b74357a
    
    1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a
    
    29a25e971dbb87d3adcee75693782d978a3ca9f64df0a59b015ca519a4026c49
    
    3156ee399296d55e56788b487701eb07fd5c49db04f80f5ab3dc5c4e3c071be0
    
    36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e
    
    508a644d552f237615d1504aa1628566fe0e752a5bc0c882fa72b3155c322cef
    
    64b249eb3ab5993e7bcf5c0130e5f31cbd79dabdcad97268042780726e68533f
    
    7f104a3dfda3a7fbdd9b910d00b0169328c5d2facc10dc17b4378612ffa82d51
    
    869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947
    
    9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d
    
    ca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c
    
    d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6
    
    e17c601551dfded76ab99a233957c5c4acf0229b46cd7fc2175ead7fe1e3d261
    
    ee1d8ac9fef147f0751000c38ca5d72feceeaae803049a2cd49dcce15223b720
    
    f96ecd567d9a05a6adb33f07880eebf1d6a8709512302e363377065ca8f98f56
    
    fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
    
    fef674fce37d5de43a4d36e86b2c0851d738f110a0d48bae4b2dab4c6a2c373e
    
    63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7
    
    a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5
    
    c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef

    Email

    martina.lestariid1898@proton.me

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/disclosures" or url like "http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/disclosures" or userdomainname like "http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion" or url like "http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion" or userdomainname like "lynxblog.net" or url like "lynxblog.net" or userdomainname like "http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion" or url like "http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion" or userdomainname like "http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion" or url like "http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion" or userdomainname like "http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion" or url like "http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion" or userdomainname like "http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion" or url like "http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion" or userdomainname like "http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion" or url like "http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion" or userdomainname like "http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion" or url like "http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion" or userdomainname like "http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion" or url like "http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion" or userdomainname like "http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion/login" or url like "http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion/login" or userdomainname like "http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login" or url like "http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login" or userdomainname like "http://lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd.onion/login" or url like "http://lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd.onion/login" or userdomainname like "http://lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd.onion/login" or url like "http://lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd.onion/login" or userdomainname like "http://lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd.onion/login" or url like "http://lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd.onion/login" or userdomainname like "http://lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion/login" or url like "http://lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion/login" or userdomainname like "http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login" or url like "http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login" or userdomainname like "http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login" or url like "http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login"

    Detection Query 2

    sha256hash IN ("fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced","ca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c","9ac550187c7c27a52c80e1c61def1d3d5e6dbae0e4eaeacf1a493908ffd3ec7d","36e3c83e50a19ad1048dab7814f3922631990578aab0790401bc67dbcc90a72e","3156ee399296d55e56788b487701eb07fd5c49db04f80f5ab3dc5c4e3c071be0","05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9","c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef","02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461","11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd","a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5","7f104a3dfda3a7fbdd9b910d00b0169328c5d2facc10dc17b4378612ffa82d51","eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc","63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7","f96ecd567d9a05a6adb33f07880eebf1d6a8709512302e363377065ca8f98f56","fef674fce37d5de43a4d36e86b2c0851d738f110a0d48bae4b2dab4c6a2c373e","d147b202e98ce73802d7501366a036ea8993c4c06cdfc6921899efdd22d159c6","64b249eb3ab5993e7bcf5c0130e5f31cbd79dabdcad97268042780726e68533f","29a25e971dbb87d3adcee75693782d978a3ca9f64df0a59b015ca519a4026c49","1a7c754ae1933338c740c807ec3dcf5e18e438356990761fdc2e75a2685ebf4a","1754c9973bac8260412e5ec34bf5156f5bb157aa797f95ff4fc905439b74357a","ee1d8ac9fef147f0751000c38ca5d72feceeaae803049a2cd49dcce15223b720","e17c601551dfded76ab99a233957c5c4acf0229b46cd7fc2175ead7fe1e3d261","869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947","571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b","508a644d552f237615d1504aa1628566fe0e752a5bc0c882fa72b3155c322cef")

    Detection Query 3

    from like "martina.lestariid1898@proton.me" or to like "martina.lestariid1898@proton.me" or sender like "martina.lestariid1898@proton.me" or recipient like "martina.lestariid1898@proton.me"
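    The three queries above assume the Gurucul TDIR schema. For analysts who need to run the same indicators over an exported log set (proxy, EDR file events, mail gateway) outside the SIEM, the following is an added example, not part of this advisory or the Unit 42 report. It carries a subset of the page's IOCs, matches on the URL hostname rather than the full URL string (so `/login`, `/disclosures` and trailing-slash variants all hit, while a clearnet URL that merely contains `lynxblog.net` in its path does not), case-folds hashes and addresses, and checks either direction of mail traffic. The NDJSON field names (`url`, `userdomainname`, `sha256hash`, `sender`, `recipient`, `from`, `to`) and the log lines themselves are constructed for illustration and are not any product's real schema or telemetry.

```python
"""Offline IOC sweep for the Lynx indicators listed on this page.

Added example; not Gurucul or Unit 42 code. Field names and the sample
log are assumptions/constructed data, not a real product export.
"""
import json
from urllib.parse import urlsplit

# Subset of the indicators from the IOC list above; drop in the full list as needed.
LYNX_DOMAINS = {
    "lynxblog.net",
    "lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion",
    "lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion",
    "lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion",
}
LYNX_SHA256 = {
    "571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b",
    "eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc",
    "c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef",
}
LYNX_EMAILS = {"martina.lestariid1898@proton.me"}


def host_of(value):
    """Lowercase hostname of a URL or bare domain; None if absent."""
    if not value:
        return None
    v = value.strip().lower()
    if "://" not in v:
        v = "http://" + v  # urlsplit only yields a hostname when a scheme is present
    return urlsplit(v).hostname


def match_event(event):
    """Indicator types a single event matches (empty list when clean).

    Mirrors Detection Queries 1-3: domain on either URL field, hash, and
    the actor mailbox on any of the four address fields.
    """
    hits = []
    if any(host_of(event.get(f)) in LYNX_DOMAINS for f in ("url", "userdomainname")):
        hits.append("domain")
    if (event.get("sha256hash") or "").strip().lower() in LYNX_SHA256:
        hits.append("hash")
    addrs = {(event.get(k) or "").strip().lower() for k in ("from", "to", "sender", "recipient")}
    if addrs & LYNX_EMAILS:
        hits.append("email")
    return hits


def sweep(ndjson_text):
    """Scan newline-delimited JSON events; return [(event, hits)] for matches only."""
    findings = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = match_event(event)
        if hits:
            findings.append((event, hits))
    return findings


# Constructed sample export (assumed NDJSON shape). Not real telemetry.
SAMPLE_LOG = """
{"ts":"2024-10-08T09:12:01Z","src":"10.0.4.21","url":"http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/disclosures"}
{"ts":"2024-10-08T09:12:05Z","src":"10.0.4.21","url":"https://LYNXBLOG.NET/"}
{"ts":"2024-10-08T09:13:10Z","src":"10.0.4.30","url":"https://www.example.com/lynxblog.net/status"}
{"ts":"2024-10-08T09:14:00Z","host":"ws-118","file":"win.exe","sha256hash":"EAA0E773EB593B0046452F420B6DB8A47178C09E6DB0FA68F6A2D42C3F48E3BC"}
{"ts":"2024-10-08T09:15:00Z","sender":"martina.lestariid1898@proton.me","recipient":"cfo@example.com"}
{"ts":"2024-10-08T09:16:00Z","sender":"alice@example.com","recipient":"bob@example.com"}
"""

if __name__ == "__main__":
    for event, hits in sweep(SAMPLE_LOG):
        print(",".join(hits), event)
```

    Two practical caveats when operationalizing either the SIEM queries or this script: the `.onion` addresses are Tor hidden services, so they will only surface in clearnet proxy or DNS logs if a host reaches them through a Tor-to-web gateway, and the SHA256 matches depend on endpoint telemetry that actually records file hashes. Matching on the hostname instead of the full URL string also avoids the two failure modes visible in the sample above: missing a variant path on a known host, and a false positive from a benign URL that carries the indicator as a substring.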

    Reference: 

    https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/


    Tags

    Malware, Ransomware, Financial Services, Commercial Facilities

