Security researchers have uncovered the infrastructure of the Lynx Ransomware-as-a-Service (RaaS) group in a recent investigation.
The group is known for its cross-platform capabilities and affiliate-driven model.
Lynx targets Windows, Linux, and VMware ESXi environments, posing a significant threat to businesses worldwide.
Lynx operates through a highly organized affiliate program that provides its partners with a user-friendly panel divided into sections like “News,” “Companies,” “Chats,” “Stuffers,” and “Leaks.”
Affiliates can configure victim profiles, generate custom ransomware samples, and manage data-leak schedules.
Security researchers at Group-IB noted that the group offers affiliates an 80% share of ransom proceeds, and provides high-performing affiliates with additional tools such as call centers to pressure victims and expanded storage for stolen data.
The ransomware is distributed as an “All-in-One Archive” containing binaries for multiple architectures (x86, ARM, MIPS, and PPC) as well as an ESXi build, so that a single affiliate kit covers the diverse systems found in corporate networks.
The malware uses Curve25519 (the “donna” implementation) for key exchange and AES-128 in CTR mode for file encryption. Encrypted files are given the “.lynx” extension.
Affiliates can choose from four encryption modes: “fast,” “medium,” “slow,” and “entire.” These let an attacker trade encryption speed against how much of each file is encrypted.
For example, the “medium” mode encrypts 1 MB out of every 6 MB of a file, while the “entire” mode encrypts all data.
Partial encryption lets an attacker render many files unusable in far less time than full encryption would take. The ransom note is embedded in the binary as a base64-encoded string.
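To make the intermittent-encryption trade-off concrete, here is an added Python example (not code from the page or from the Lynx sample) that plans which byte ranges the “medium” (1 of every 6 units) or “entire” mode would touch, applies a keystream to only those ranges, and then runs the per-chunk entropy scan a responder would use to recognise a partially encrypted file. The keystream is HMAC-SHA256 in counter mode standing in for AES-128-CTR so the example has no third-party dependency; the ratios for “fast” and “slow” are not given on the page and are omitted; and the key, nonce and input text are constructed demo values.

```python
import hashlib
import hmac
import math
from collections import Counter

MIB = 1024 * 1024

# Modes as described for Lynx: (units encrypted, units per stride).
# "medium" encrypts 1 MB of every 6 MB; "entire" encrypts everything.
# The page gives no ratio for "fast" or "slow", so those are left out.
MODES = {"medium": (1, 6), "entire": (1, 1)}


def plan_ranges(size, mode, unit=MIB):
    """Byte ranges [start, end) that the given mode would encrypt."""
    enc_units, stride_units = MODES[mode]
    ranges, pos = [], 0
    while pos < size:
        ranges.append((pos, min(pos + enc_units * unit, size)))
        pos += stride_units * unit
    return ranges


def encrypted_fraction(size, mode, unit=MIB):
    """Share of the file's bytes that the mode actually encrypts."""
    return sum(e - s for s, e in plan_ranges(size, mode, unit)) / size


def keystream(key, nonce, length):
    """Stand-in keystream (HMAC-SHA256 in counter mode). The real sample
    uses AES-128-CTR; this avoids a dependency so the example runs anywhere."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def intermittent_encrypt(data, mode, key, nonce, unit=MIB):
    """XOR only the planned ranges, leaving the gaps as plaintext."""
    buf = bytearray(data)
    for start, end in plan_ranges(len(buf), mode, unit):
        ks = keystream(key, nonce + start.to_bytes(8, "big"), end - start)
        x = int.from_bytes(buf[start:end], "big") ^ int.from_bytes(ks, "big")
        buf[start:end] = x.to_bytes(end - start, "big")
    return bytes(buf)


def chunk_entropy(data, chunk):
    """Shannon entropy in bits per byte of each chunk-sized slice."""
    result = []
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        n = len(block)
        result.append(-sum(c / n * math.log2(c / n) for c in Counter(block).values()))
    return result


def detect_intermittent(data, chunk, threshold=7.0):
    """Flag near-random chunks and report whether they recur at a fixed stride,
    which is the signature a partially encrypted file leaves behind."""
    hot = [i for i, h in enumerate(chunk_entropy(data, chunk)) if h >= threshold]
    gaps = {b - a for a, b in zip(hot, hot[1:])}
    return {
        "hot_chunks": hot,
        "stride": gaps.pop() if len(gaps) == 1 else None,
        "fraction": len(hot) / math.ceil(len(data) / chunk),
    }


def demo(mode="medium", unit=MIB, units=12):
    """Constructed input: low-entropy text spanning `units` units."""
    size = units * unit
    plaintext = (b"Quarterly numbers, draft 3 - do not distribute. " * (size // 48 + 1))[:size]
    key, nonce = b"\x11" * 16, b"\x22" * 8  # fixed demo values, not from a real sample
    return detect_intermittent(intermittent_encrypt(plaintext, mode, key, nonce, unit), unit)


if __name__ == "__main__":
    print(demo("medium", unit=4096))
```

Scanning with a chunk size equal to the suspected unit and looking for high-entropy chunks at a constant stride is a cheap triage step: a file in “medium” mode shows one random-looking chunk in every six, whereas a file in “entire” mode is uniformly high-entropy and a clean file has no such chunks at all.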
Lynx ransomware is particularly adept at targeting VMware ESXi environments: it can terminate running virtual machines by their World IDs and delete snapshots to hinder recovery. This disrupts enterprise operations and complicates data restoration.
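As an added example of the defender's side (not the page's or the malware's code), the following Python reads constructed shell-history lines modelled on ESXi's /var/log/shell.log and flags the pattern the paragraph describes: several VMs killed by World ID within a short window, followed by snapshot removal. It assumes the actor runs the standard `esxcli vm process kill --world-id` and `vim-cmd vmsvc/snapshot.removeall` commands from the ESXi shell; the page does not say which interface Lynx uses, the sample lines are constructed, and their exact format is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on ESXi /var/log/shell.log (format is an assumption).
# The first block is the mass-kill pattern; the last line is a lone, routine kill.
SAMPLE_LOG = """\
2025-03-20T02:11:03Z shell[2099780]: [root]: esxcli vm process list
2025-03-20T02:11:09Z shell[2099780]: [root]: esxcli vm process kill --type=force --world-id=2100123
2025-03-20T02:11:10Z shell[2099780]: [root]: esxcli vm process kill --type=force --world-id=2100456
2025-03-20T02:11:10Z shell[2099780]: [root]: esxcli vm process kill --type=force --world-id=2100789
2025-03-20T02:11:14Z shell[2099780]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-03-20T02:11:15Z shell[2099780]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2025-03-21T09:00:00Z shell[2101111]: [root]: esxcli vm process kill --type=soft --world-id=2100999
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*?--world-id[= ](\d+)")
SNAP_RE = re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.removeall\b")


def parse_events(log):
    """Keep only the two command types of interest as (time, user, kind, world_id)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        kill = KILL_RE.search(m["cmd"])
        if kill:
            events.append((ts, m["user"], "kill", kill.group(1)))
        elif SNAP_RE.search(m["cmd"]):
            events.append((ts, m["user"], "snapshot_removeall", None))
    return sorted(events, key=lambda e: e[0])


def detect_mass_vm_kill(log, window=timedelta(seconds=60), min_kills=3):
    """Alert when, within `window` of a kill, at least `min_kills` distinct VMs
    are killed or any kill is followed by a snapshot removal. One alert per
    cluster: later kills inside an alerted window are suppressed."""
    events = parse_events(log)
    alerts, suppress_until = [], None
    for ts, user, kind, _ in events:
        if kind != "kill" or (suppress_until and ts < suppress_until):
            continue
        in_window = [e for e in events if ts <= e[0] <= ts + window]
        world_ids = sorted({e[3] for e in in_window if e[2] == "kill"})
        snaps = sum(1 for e in in_window if e[2] == "snapshot_removeall")
        if len(world_ids) >= min_kills or snaps:
            alerts.append({
                "first_seen": ts.isoformat(),
                "user": user,
                "world_ids": world_ids,
                "snapshot_removeall": snaps,
            })
            suppress_until = ts + window
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_vm_kill(SAMPLE_LOG):
        print(alert)
```

Shipping shell.log (or the equivalent hostd events) off the host before an attack matters here: once the actor has the ESXi shell, local logs are as much at risk as the datastores, and a rule like this is only useful if it runs on a copy the attacker cannot reach.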
Lynx employs a double extortion strategy: encrypting victims’ data while exfiltrating sensitive information. If the ransom is not paid, the stolen data is published on a dedicated leak site (DLS). This tactic increases pressure on victims to comply with ransom demands.
Among its other technical features, Lynx deletes volume shadow copies (using the DeviceIoControl API) to inhibit recovery on Windows hosts.
To mitigate the threat posed by Lynx ransomware, organizations should implement MFA for critical accounts and regularly update software to patch known vulnerabilities.
Deploying EDR solutions improves detection, while maintaining offline backups and testing them periodically ensures data can be recovered after an attack.
Employee training on phishing awareness also reduces the human error through which many ransomware infections begin.