The Lynx ransomware-as-a-service (RaaS) gang’s affiliate panel was exposed by Group-IB researchers, who infiltrated the group and gained new insights into the threat actors' operations.

Lynx ransomware first appeared in July 2024 and has conducted dozens of attacks, mostly targeting the real estate, manufacturing and professional services industries, according to Group-IB.

In a blog post Tuesday, Group-IB revealed that it gained access to the Lynx RaaS affiliate panel, publishing screenshots of the panel interface and detailing its features.

The Lynx affiliate panel includes multiple sections, including a news page with updates about the RaaS operation and new ransomware features, a "companies" section for affiliates to track and manage their victims, a chat tab to communicate and negotiate with victims, and a leaks section to prepare publications of data from victims who have not paid a ransom. There is also a “stuffers” section where affiliates can share access to the affiliate panel with sub-affiliates or collaborators by providing each “stuffer” with their own unique login to help coordinate attacks.

When targeting a victim company, an affiliate can use the companies tab to create a victim profile that includes details such as company name, ZoomInfo link, country, number of employees, yearly revenue and ransom amount.

The attacker can then manage each victim case by setting up a company chat for each victim, adjusting the ransom price, banning further negotiations, deleting messages and creating custom versions of the Lynx ransomware that are specific to each victim.

The researchers also discovered in their investigation that affiliates are given access to an “All-in-One Archive” of ransomware binaries, enabling cross-platform attacks against Windows and Linux environments and different architectures, including x86, ARM, MIPS, PPC and ESXi.

The versatile ransomware toolkit enables affiliates to attack corporate networks with heterogenous architectures and environments. The researchers noted that the Linux version of the ransomware has not previously been seen in the wild.

As of September 2024, the Lynx ransomware had four encryption modes affiliates can choose from: fast, medium, slow or entire. The ransomware uses a combination of Curve25519 Donna and AES-128 for encryption.

In the same September update, the Lynx operators added a new clear web domain for chats with victim companies, which can be accessed through standard web browsers rather than specialized browsers like Tor.

Group-IB noted that the Lynx RaaS operation is “structured and professionalized,” offering a competitive 80% revenue cut for affiliates. The affiliate program was first advertised on the Russian cybercrime forum RAMP in May 2024.

The Windows version of the Lynx ransomware was previously analyzed by researchers at Nextron Systems, Palo Alto Networks’ Unit 42 and Rapid7, which discovered similarities between the Lynx malware and the ransomware used by the INC Ransom gang. Binary diff analyses found an overall 48% similarity between the two strains and a 70.8% similarity in functions, suggesting that Lynx may have purchased the INC Ransom source code when it was sold in May 2024.

The Linux version obtained and analyzed by Group-IB also showed similarities to the Linux version of INC Ransom’s malware, with an overall similarity of 87% and 91% overlap in functions.

Group-IB’s infiltration of the Lynx affiliate program comes months after the company’s researchers also infiltrated the Cicada3301 ransomware program, revealing details about the nascent RaaS group’s operations. Like Lynx, Cicada3301 provides affiliates with different encryption speed options, ransomware versions for Windows, Linux, ESXi and more, and panel tabs to manage victim companies and chats.
Lynx ransomware infiltration reveals affiliate panel details