Harrell’s, LLC Targeted in Latest LYNX Ransomware Breach

Agrochemical distributor Harrell’s, LLC has become the latest victim of the Lynx ransomware group, with attackers leaking unredacted screenshots of a 100GB data trove on the Dark Web Informer platform.

The breach, detected on March 12, 2025, marks another escalation in the ransomware-as-a-service (RaaS) group’s global campaign targeting critical industries.

Attack Vector and Initial Compromise

The Lynx group likely infiltrated Harrell’s network through phishing emails or Remote Desktop Protocol (RDP) vulnerabilities, using credential-stuffing attacks to gain initial access.

Once inside, attackers deployed Lynx’s signature hybrid encryption—combining AES-256 for file encryption and RSA-2048 for secure key exchange.

The ransomware appended the .LYNX extension to encrypted files and systematically erased Volume Shadow Copies to thwart recovery efforts.

Notably, Lynx’s operators utilized the Restart Manager API to terminate processes holding locks on critical files, so those files could be encrypted rather than skipped.

Forensic analysis revealed the attackers executed the payload to propagate across connected drives and shared folders.

Double Extortion and Dark Web Leaks

Before encryption, Lynx exfiltrated approximately 100GB of sensitive data, including:

  • Financial records and procurement contracts
  • Proprietary chemical formulations
  • Employee Personally Identifiable Information (PII)
  • Client distribution agreements

Unredacted screenshots published on Lynx’s dark web leak site displayed folder structures labeled “HR_Payroll_2025” and “Client_Pricing_Models,” corroborating the breach’s scope.

The group threatened to release additional batches weekly unless a ransom—reportedly exceeding $15 million in Monero—is paid.

Technical Analysis of Lynx’s Encryption Protocol

Lynx’s encryption process follows a cryptoviral extortion model:

  1. Key Generation: The embedded Curve25519 ECC public key is Base64-decoded and used in an elliptic-curve Diffie-Hellman exchange to establish a shared secret.
  2. Key Expansion: The shared secret is hashed with SHA-512, and the result is expanded into AES round keys via AESKeyExpansion.
  3. Hybrid Encryption: Files are encrypted with AES-256, while symmetric keys are secured via RSA-2048—a tactic enabling offline encryption and complicating decryption without attackers’ private keys.

The malware also replaced Harrell’s desktop wallpaper with background-image.jpg, embedding a ransom note instructing victims to contact the group via Tor-based .onion portals.

Mitigation and Industry Response

Cybersecurity firm Darktrace emphasized Lynx’s “drip” extortion tactics, where attackers gradually leak data to pressure victims.

Recommendations include:

  • Isolate Affected Systems: Disconnect infected endpoints to prevent lateral movement via Mimikatz-powered credential harvesting.
  • Review Backup Integrity: Ensure backups are air-gapped and immutable, as Lynx targets backup repositories.
  • Patch RDP Vulnerabilities: Fortify remote access points with MFA and network segmentation.
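As an added example (not code from the article, from Darktrace, or from any vendor tooling), the following Python script hunts through constructed Sysmon-style event lines for the host artifacts described above: shadow-copy deletion, files written with the .LYNX extension, and the background-image.jpg wallpaper drop. The sample events and the shadow-copy command patterns are assumptions for illustration, not indicators taken from the Harrell’s incident.

```python
import re

# Constructed sample events in a simplified key=value form, modelled loosely on
# Sysmon process-create (EventID 1) and file-create (EventID 11) records.
# None of these lines come from the Harrell's incident; they are made-up test data.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=11 Image=C:\\Users\\jdoe\\update.exe TargetFilename=C:\\Finance\\Q1_contracts.xlsx.LYNX',
    'EventID=11 Image=C:\\Users\\jdoe\\update.exe TargetFilename=C:\\Users\\Public\\background-image.jpg',
    'EventID=1 Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"',
    'EventID=11 Image=C:\\Office\\winword.exe TargetFilename=C:\\HR\\memo.docx',
]

# Command-line patterns commonly used to delete Volume Shadow Copies (assumed
# indicators for the technique; the article does not say which tool Lynx used).
SHADOW_DELETE = re.compile(
    r'(vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete|Win32_ShadowCopy.*Delete)', re.I)
RANSOM_EXT = '.lynx'              # extension the article reports on encrypted files
WALLPAPER = 'background-image.jpg'  # ransom-note wallpaper file named in the article

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(event):
    """Return the indicator names a single event matches (empty list if benign)."""
    hits = []
    if event.get('EventID') == '1' and SHADOW_DELETE.search(event.get('CommandLine', '')):
        hits.append('shadow_copy_deletion')
    target = event.get('TargetFilename', '').lower()
    if event.get('EventID') == '11':
        if target.endswith(RANSOM_EXT):
            hits.append('lynx_extension_write')
        if target.endswith(WALLPAPER):
            hits.append('ransom_wallpaper_drop')
    return hits

def hunt(lines):
    """Aggregate matched indicators per originating process image."""
    per_image = {}
    for line in lines:
        ev = parse_event(line)
        for hit in classify(ev):
            per_image.setdefault(ev.get('Image', '?'), set()).add(hit)
    return {img: sorted(h) for img, h in per_image.items()}

def high_confidence(findings):
    """Images showing two or more distinct indicators: candidates for immediate isolation."""
    return sorted(img for img, hits in findings.items() if len(hits) >= 2)
```

Run against real Sysmon exports, the same aggregation points the isolation step at the process writing the encrypted files rather than at every host that merely logged a vssadmin call.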

Harrell’s has yet to confirm whether negotiations are underway, though Lynx’s leak site lists a 72-hour countdown for full data disclosure.

Broader Implications

This attack underscores Lynx’s evolution from its INC ransomware origins, now offering affiliates an 80% profit share via its RaaS platform.

With 137 confirmed victims since July 2024—including law firms and energy providers—the group continues exploiting gaps in mid-sized enterprises’ cybersecurity postures.

As ransomware incidents surge, Harrell’s breach serves as a stark reminder of hybrid encryption’s destructive potential and the critical need for proactive threat hunting in industrial sectors.
