
Lynx Ransomware's Secretive RaaS Revealed

Even now, in 2025, ransomware remains one of the most profitable cyber threats for actors with the skills to carry out attacks. Thanks in part to this profitability, the threat keeps evolving at breakneck speed, leaving organizations struggling to defend their digital assets.

This is fueled further by ransomware developers' rapid adoption of Ransomware-as-a-Service (RaaS), which promises affiliates an impressive share of the profits in exchange for gaining access to enterprise networks and encrypting data.


RaaS operations tend to be a hard nut for security researchers to crack: affiliates are thoroughly vetted, and the most prolific operations place operational security high on the agenda. Fortunately, Group-IB has managed to get behind the curtain of the Lynx RaaS, and in a recent blog post much of the threat group's inner workings have been revealed.

Lynx stands out from many of its competitors thanks to its highly organized platform, structured affiliate program, and robust encryption. Through its infiltration of Lynx's RaaS infrastructure, Group-IB discovered that the gang makes affiliates' lives a lot easier with a fully featured affiliate panel.

The panel, which resembles many current web apps, consists of multiple sections: "News," "Companies," "Chats," "Stuffers," and "Leaks," each serving a clear purpose. Affiliates can configure victim profiles, generate custom ransomware samples, and even manage data leak schedules from a single, user-friendly interface.

Another of Lynx's standout features is its cross-platform capabilities, which supplement its double extortion tactics.

Researchers stated,

Lynx provides affiliates with a comprehensive “All-in-One Archive,” containing binaries for Windows, Linux, and ESXi environments, covering a range of architectures (ARM, MIPS, PPC, etc.). This multi-architecture approach ensures broad compatibility and maximizes the impact of attacks in heterogeneous networks.

And, regarding the now infamous double extortion approach,

Affiliates are incentivized with an 80% share of ransom proceeds, reflecting a competitive, recruitment-driven strategy. Lynx’s panel includes a dedicated leak site (DLS) where stolen data is publicly exposed if ransoms go unpaid, adding critical pressure on victims to comply.

Lynx's developers now also offer affiliates a choice of encryption modes: "fast," "medium," "slow," and "entire." In practice, this lets an affiliate adjust the trade-off between encryption speed and how thoroughly each file is encrypted.

As for how Lynx encrypts, the ransomware uses a multithreaded approach to speed up the process, creating four times as many threads as the victim's system has CPU cores. It uses the Windows I/O Completion Port mechanism to manage asynchronous I/O operations efficiently.

Importantly, this allows threads to handle both disk read and write tasks without blocking the encryption process. For file encryption the ransomware combines Curve25519 Donna and AES-128 in CTR mode, then renames each encrypted file with a .LYNX extension.
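For an incident responder, the practical consequence of the scheme above is that affected files can be recognised by the renaming and confirmed by their content: a properly AES-CTR-encrypted file is indistinguishable from random bytes, whereas a file that was only renamed (for example because the encryptor was interrupted) is still readable. The following is an added example, not code from the article or from Group-IB's report, that scopes a suspected encryption event on disk using the .LYNX extension the article reports; the entropy threshold and the sample directory it builds are assumptions constructed for the demo.

```python
"""Scope a suspected Lynx-style encryption event on disk.

Added example (not from the article or Group-IB). Walks a directory tree,
counts files carrying the .LYNX extension, and uses Shannon entropy on the
first few KiB to check that each one looks encrypted rather than merely
renamed. The sample directory is constructed inline so this runs offline.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTENSION = ".LYNX"   # extension the article reports
ENTROPY_THRESHOLD = 7.5      # bits/byte; assumed cut-off, text sits far below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Count renamed files and how many of those actually look encrypted."""
    result = {"total": 0, "renamed": 0, "encrypted": 0, "renamed_but_plaintext": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        result["total"] += 1
        if path.suffix.upper() != RANSOM_EXTENSION:
            continue
        result["renamed"] += 1
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            result["encrypted"] += 1
        else:
            # Renamed but still readable: worth preserving, it may be recoverable.
            result["renamed_but_plaintext"].append(str(path.relative_to(root)))
    return result


def build_sample_tree() -> str:
    """Construct a throwaway directory mimicking a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="lynx_triage_")
    docs = Path(root, "finance")
    docs.mkdir()
    # Two files that look encrypted: random bytes under the reported extension.
    (docs / "q1.xlsx.LYNX").write_bytes(os.urandom(8192))
    (docs / "budget.docx.LYNX").write_bytes(os.urandom(8192))
    # Renamed, but content is still plain text (encryptor interrupted).
    (docs / "notes.txt.LYNX").write_bytes(b"quarterly notes\n" * 200)
    # An untouched file.
    (docs / "README.txt").write_bytes(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Run against a real share, the "renamed but plaintext" list is the one to act on first: those files should be copied off before any cleanup, since a renamed-only file is trivially recoverable while an AES-CTR-encrypted one is not without the attacker's key.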

Post-encryption, the malware changes the desktop wallpaper of the compromised machine to the generated ransom note and attempts to print the ransom note on connected printers. To do this, it enumerates all local printers, excluding "Microsoft Print to PDF" and "Microsoft XPS Document Writer," and sends the ransom note to each of them as a print job.

The ransomware also attempts to delete shadow copies to hamper recovery efforts and push the victim towards paying the ransom. Rather than deleting them directly, it resizes the maximum storage space allotted to volume shadow copies, which causes existing copies to be discarded.
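Both of these post-encryption behaviours leave traces in standard Windows telemetry, which makes them useful detection points even when the encryptor itself evades endpoint controls. The following is an added example, not code from the article or from Group-IB's report: it runs two checks over a constructed list of event records, one for shadow-storage tampering on process-creation events and one for ransom-note "fan-out" printing, where one document is sent to many printers within a short window. Event IDs 4688 (Security log, process creation) and 307 (Microsoft-Windows-PrintService/Operational, document printed) are real; the flat field names, thresholds and sample records are assumptions for the demo and would need mapping onto your SIEM's schema.

```python
"""Detect the post-encryption behaviours the article attributes to Lynx in
Windows event data: shadow-copy tampering via vssadmin, and ransom-note
fan-out printing.

Added example, not code from the article or Group-IB. Field names, thresholds
and the SAMPLE_EVENTS records are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that shrink or remove Volume Shadow Copy storage. The article
# describes the resize variant; the other two are the usual siblings seen in
# ransomware detection rules.
VSS_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Virtual printers the article says Lynx skips. Skipping them here too keeps an
# ordinary "print to PDF" from inflating the fan-out count.
VIRTUAL_PRINTERS = {"Microsoft Print to PDF", "Microsoft XPS Document Writer"}


def find_vss_tampering(events):
    """Return process-creation events whose command line tampers with shadow storage."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in VSS_TAMPER_PATTERNS):
            hits.append({"host": ev["host"], "time": ev["time"], "command_line": cmd})
    return hits


def find_print_fanout(events, min_printers=3, window=timedelta(minutes=2)):
    """Flag (host, document) pairs sent to >= min_printers distinct physical
    printers within `window`. Users rarely print one document to every printer
    in the building; a ransom note is printed to all of them."""
    jobs_by_doc = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 307 or ev.get("printer") in VIRTUAL_PRINTERS:
            continue
        jobs_by_doc[(ev["host"], ev["document"])].append((ev["time"], ev["printer"]))
    alerts = []
    for (host, doc), jobs in jobs_by_doc.items():
        jobs.sort()
        for i, (start, _) in enumerate(jobs):  # sliding time window
            printers = {p for t, p in jobs[i:] if t - start <= window}
            if len(printers) >= min_printers:
                alerts.append({"host": host, "document": doc, "printers": sorted(printers)})
                break
    return alerts


# Constructed sample telemetry: one host, a few seconds of activity.
_T0 = datetime(2025, 1, 15, 9, 30, 0)


def _at(seconds):
    return _T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "time": _at(0),
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"event_id": 4688, "host": "WS01", "time": _at(5),
     "command_line": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=[SIZE]"},
    # Ransom note sent to every printer the host can see; the PDF printer is skipped.
    {"event_id": 307, "host": "WS01", "time": _at(10), "document": "README.txt",
     "printer": "Microsoft Print to PDF"},
    {"event_id": 307, "host": "WS01", "time": _at(11), "document": "README.txt",
     "printer": "HP-Floor1"},
    {"event_id": 307, "host": "WS01", "time": _at(12), "document": "README.txt",
     "printer": "HP-Floor2"},
    {"event_id": 307, "host": "WS01", "time": _at(13), "document": "README.txt",
     "printer": "Canon-Reception"},
    # Ordinary user activity: one document to one printer.
    {"event_id": 307, "host": "WS01", "time": _at(40), "document": "invoice.pdf",
     "printer": "HP-Floor1"},
]

if __name__ == "__main__":
    for hit in find_vss_tampering(SAMPLE_EVENTS):
        print("VSS tampering:", hit)
    for alert in find_print_fanout(SAMPLE_EVENTS):
        print("Print fan-out:", alert)
```

The shadow-storage check is the higher-fidelity signal and should page on its own; the print fan-out check is a useful corroborating alert and needs PrintService operational logging enabled, which is off by default on most Windows builds.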

Recruitment Drive

Group-IB researchers discovered a post on an underground hacking forum in which a Lynx admin was looking to recruit new affiliates. The recruitment drive prioritized experienced penetration testing teams, and the post explained Lynx in a fairly detailed manner, at least by the standards of illegal operations.

In Group-IB's translation from Russian, the admin said,

We offer an 80/20 split in your favor. You handle all negotiations, the wallet is yours, and we do not interfere in the process.
We have our own call service (“прозвон”) that will harass the target (extra %).
In the near future, we are completing a persistent tool that will be provided to our teams.
We also have a simple killer (doesn’t include solutions for CrowdStrike or Sentinel).
We are ready to provide storage for files to active teams.
We can provide materials for work if you show good results.
Teams without a reputation will be offered several options to pass “white” verification.
We do not work in the CIS, Ukraine, China, Iran, or North Korea, nor do we target entities responsible for the livelihood of civilians (healthcare), government institutions, churches, or children’s charities (non-profits).

Lynx has emerged as a formidable RaaS over the years it has operated. Several factors have contributed to the gang's success, including a versatile arsenal of ransomware builds, a structured affiliate ecosystem, and systematic extortion tactics.

The panel's affiliate conveniences, including victim management and scheduled leak publication, demonstrate a professional, industrial-scale approach to cybercrime.

In analyzing the code, researchers discovered significant overlaps with the INC ransomware variant, in particular in the functionality for targeting Linux and ESXi servers. Researchers believe this strongly suggests that Lynx purchased or adapted the INC ransomware source code, enabling them to build upon the malware's existing capabilities.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
