Blackpoint
Lynx Ransomware Threat Profile Analysis
Pages
27
Time to read
15 mins
Publication
Language
English
This document is a technical report detailing the threat profile of Lynx Ransomware, first identified in July 2024. It outlines the operational style of Lynx as a Ransomware-as-a-Service (RaaS) model, which includes an 80/20 split of ransom payments and additional services for affiliates. The report describes the double extortion method employed by Lynx, combining data encryption with the threat of data leakage. It identifies the primary target industry as manufacturing and the main operational region as North America. The report also discusses the group's associations with other ransomware operations, such as INC Ransom, and highlights their use of various tactics for initial access, persistence, and lateral movement within victim networks. Additionally, the document presents technical details regarding the ransomware's encryption methods, operational tools, and the similarities with other ransomware variants. The report concludes with an assessment of the potential future impact of Lynx Ransomware on critical infrastructures worldwide.