The LYNX ransomware group, a successor to the INC ransomware operation, has intensified its global extortion campaign by adding eight new victims to its dark web portal.
The latest targets span multiple industries and geographies, including companies in Sweden, France, the Netherlands, the United States, and Singapore.
This development underscores the group’s evolving tactics and widening reach despite its claims of avoiding “socially important” sectors.
Expanding Target Base Across Critical Industries
According to the post, LYNX’s newest victims include Hamton AB and Hisingstads Bleck- och Plåtslageri AB, two Swedish manufacturing firms specializing in metalwork; IDEA Expertises, a French consulting agency; and Lintec & Linnhoff, a Singapore-based construction supplier.

The ransomware group also listed Leadership Strategies, a U.S. corporate training firm, and Autoschade Pippel BV, a Dutch auto repair chain.
These breaches highlight LYNX’s focus on small-to-medium enterprises (SMEs) in sectors like manufacturing, professional services, and logistics—industries where operational disruptions can lead to rapid ransom payments.
The group employs double extortion tactics, encrypting victims’ data while threatening to leak sensitive information on its Tor-based leak site, lynxblog[.]net. Recent analyses reveal that LYNX uses customizable encryption modes (“fast,” “medium,” “slow,” and “entire”) to balance speed and thoroughness during attacks, a feature that enhances its adaptability across diverse networks.
Security researchers at Group-IB note that affiliates controlling these attacks retain 80% of ransom proceeds, incentivizing aggressive targeting.
Geographical Spread Signals Strategic Shifts
LYNX’s latest victims mark a notable expansion into Singapore and the Netherlands, regions previously less emphasized in its campaigns.
While the group has predominantly targeted North American and European organizations since its July 2024 emergence, the inclusion of Lintec & Linnhoff represents its first major breach in Southeast Asia.
This geographical diversification aligns with its Ransomware-as-a-Service (RaaS) model, which enables affiliates to deploy cross-platform malware compatible with Windows, Linux, and ESXi systems.
The ransomware’s codebase, shared with its predecessor INC, allows for rapid adaptation. Palo Alto Networks’ Unit 42 team identified a 70.8% function overlap between LYNX and INC ransomware, suggesting code reuse to accelerate development.
This shared infrastructure facilitates attacks on global networks, particularly in regions with growing digital economies but uneven cybersecurity investments.
Broader Implications for Cybersecurity Defenses
Despite LYNX’s claims of ethical targeting—avoiding healthcare, government, and non-profits—its aggressive tactics mirror those of conventional ransomware groups.
The group terminates backup-related processes, deletes shadow copies, and disables security software to maximize encryption efficiency.
For example, in the Leadership Strategies breach, LYNX operators likely employed phishing campaigns or exploited unpatched vulnerabilities to gain initial access, a common vector in utility-sector attacks.
Cybersecurity firms emphasize proactive measures:
- Network segmentation to limit lateral movement
- Multi-factor authentication to curb credential theft
- Real-time threat detection for rapid incident response
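The three pre-encryption behaviours described above (stopping backup processes, deleting shadow copies, disabling security software) can be correlated per host as a detection. The sketch below is an added example, not code from the article or from any vendor it names. The command-line patterns, host names and events are constructed assumptions, since the article does not say which commands LYNX uses.

```python
import re
from datetime import datetime, timedelta

# Behaviour classes come from the article; the command-line patterns are
# assumed, commonly seen Windows examples, not commands attributed to LYNX.
PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_stop": re.compile(
        r"(net1?\s+stop|sc\s+stop|taskkill\b.*/im)\b.*(backup|veeam)", re.I),
    "security_tamper": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring"
        r"|(net1?\s+stop|sc\s+(stop|config))\s+WinDefend", re.I),
}
WINDOW = timedelta(minutes=10)

# Constructed process-creation events: (ISO timestamp, host, command line).
SAMPLE_EVENTS = [
    ("2025-01-20T09:00:05", "WS-01", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-01-20T09:01:10", "WS-01", "net stop VeeamBackupSvc /y"),
    ("2025-01-20T09:02:00", "WS-01",
     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2025-01-20T02:00:00", "SRV-02", "sc stop BackupExecJobEngine"),  # maintenance
    ("2025-01-20T15:30:00", "SRV-02", "vssadmin delete shadows /for=D: /oldest"),
    ("2025-01-20T11:15:00", "WS-03", "vssadmin list shadows"),  # read-only
]

def classify(cmdline):
    # Set of behaviour classes whose pattern matches this command line.
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}

def detect(events, min_classes=2, window=WINDOW):
    """Map host -> classes when >= min_classes distinct classes fall in one window."""
    hits = {}
    for ts, host, cmd in events:
        for cls in classify(cmd):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), cls))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            classes = {c for t, c in seen[i:] if t - start <= window}
            if len(classes) >= min_classes:
                alerts[host] = sorted(classes)
                break
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

In the constructed data, SRV-02 matches two classes but 13 hours apart, so only WS-01 is reported; requiring several classes inside a short window is what keeps routine maintenance from alerting.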
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged LYNX’s growing sophistication, urging organizations to audit remote access protocols and update endpoint protections.
With 96 victims listed on its leak site as of January 2025, LYNX’s operations show no signs of slowing.
As the group refines its affiliate-driven model, global enterprises face mounting pressure to fortify defenses against this persistent, evolving threat.