Threat Intelligence Report January 14 to January 20 2025

The Lynx ransomware, identified as a successor to the INC ransomware family, has been actively targeting organisations across several industries in the US and UK since July 2024. Operating under a ransomware-as-a-service model, Lynx relies on phishing for initial access, terminates services before encrypting, and applies double extortion. The ransomware uses robust encryption and shows significant code overlap with its predecessor, INC. Affected sectors: retail, real estate, architecture, financial, environmental services.

Key points:

  • Lynx ransomware is a rebranded version of INC ransomware.
  • It primarily targets Windows platforms, unlike INC which affected both Windows and Linux.
  • Industries targeted include retail, real estate, architecture, financial, and environmental services.
  • Lynx employs a ransomware-as-a-service (RaaS) model.
  • Phishing emails and malicious downloads are common delivery methods for the ransomware.
  • Lynx terminates key services to prevent recovery during encryption.
  • Volume shadow copies are deleted to hinder data recovery efforts.
  • The ransomware uses AES-128 and Curve25519 for file encryption.
  • Files are marked with a “.lynx” extension post-encryption.
  • Double extortion tactics involve exfiltrating sensitive data before encryption.
  • Various Tor mirrors are used for anonymous communication with victims.
  • The US is the most affected country, followed by Brazil, Canada, Spain, and Italy.
  • Technology Services is the most targeted sector, followed by Manufacturing and Healthcare.
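
The service termination, shadow copy deletion and bulk renaming to a ".lynx" extension listed above are the host behaviours a defender can look for. The following is an added example, not code from the Red Piranha report: a small heuristic run over constructed, pipe-separated host telemetry. The log format, the backup-service watch-list and the use of a vssadmin command line as the shadow-copy-deletion indicator are assumptions made for the example.

```python
from collections import Counter  # not needed by the heuristic itself; kept for extension

# Constructed sample telemetry: "<unix ts>|<event>|<detail>" (layout is an assumption)
SAMPLE_LOG = r"""
1705300000|ServiceStop|VSS
1705300001|ServiceStop|SQLWriter
1705300001|ServiceStop|Spooler
1705300002|ProcessCreate|vssadmin.exe delete shadows /all /quiet
1705300003|FileRename|C:\Users\a\Docs\q1.xlsx -> C:\Users\a\Docs\q1.xlsx.lynx
1705300003|FileRename|C:\Users\a\Docs\plan.docx -> C:\Users\a\Docs\plan.docx.lynx
1705300004|FileRename|C:\Users\a\Docs\notes.txt -> C:\Users\a\Docs\notes.txt.lynx
1705300005|FileRename|C:\Users\a\Docs\old.bak -> C:\Users\a\Docs\old.bak.lynx
"""

BACKUP_SERVICES = {"vss", "sqlwriter", "veeam", "backupexec"}  # assumed watch-list
SHADOW_DELETE = ("vssadmin", "delete shadows")                 # assumed indicator
RENAME_THRESHOLD = 3   # this many ".lynx" renames inside WINDOW seconds raises an alert
WINDOW = 60

def parse(line):
    """Split one telemetry line into (timestamp, event type, detail)."""
    ts, event, detail = line.split("|", 2)
    return int(ts), event, detail

def analyse(log_text):
    """Return a list of (finding_type, detail) tuples for the behaviours the report describes."""
    findings, rename_times = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, detail = parse(line)
        d = detail.lower()
        if event == "ServiceStop" and d in BACKUP_SERVICES:
            findings.append(("service_stop", detail))
        elif event == "ProcessCreate" and all(k in d for k in SHADOW_DELETE):
            findings.append(("shadow_copy_deletion", detail))
        elif event == "FileRename" and d.rstrip().endswith(".lynx"):
            rename_times.append(ts)
    # Bulk rename: count renames falling inside a sliding window starting at each rename.
    for i, start in enumerate(rename_times):
        burst = sum(1 for t in rename_times[i:] if t - start <= WINDOW)
        if burst >= RENAME_THRESHOLD:
            findings.append(("bulk_lynx_rename", f"{burst} renames within {WINDOW}s from {start}"))
            break
    return findings

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run on the sample it reports two backup-related service stops, the shadow copy deletion and one rename burst; a single ".lynx" rename on its own is not enough to alert.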

MITRE Techniques:

  • Phishing (T1566): Lynx operators use phishing emails with malicious attachments or links to compromise victims.
  • Malicious Downloads (T1203): Compromised websites and fake software updates are used to deliver the ransomware.
  • Service Stop (T1489): Lynx terminates processes related to backups and security solutions to facilitate encryption.
  • Data Encrypted for Impact (T1486): The ransomware encrypts files using robust algorithms, making recovery difficult.
  • Data Exfiltration (T1041): Sensitive data is exfiltrated prior to encryption to pressure victims into paying.
  • Ransomware-as-a-Service (T1485): Lynx operates under a RaaS model, allowing affiliates to deploy the ransomware.

Indicators of Compromise:

  • [domain] lynxblog.net
  • [domain] lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion
  • [domain] lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion
  • [file] 02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461
  • [file] 05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9
  • See the full article for the complete list of IoCs.


Full Story: https://redpiranha.net/news/threat-intelligence-report-january-14-january-20-2025