The Lynx Ransomware group has been increasingly active, employing sophisticated social engineering techniques and exploiting various vulnerabilities to conduct ransomware attacks on large organisations. Their TTPs include impersonation of IT staff and the abuse of legitimate tools to gain unauthorised access, culminating in data encryption and exfiltration. This post presents a technical analysis of a newly identified Lynx ransomware binary and outlines mitigation strategies.<\/p>\n
During an incident response engagement, CybaVerse identified a binary named 1.exe linked to the Lynx group.<\/p>\n
Upon dynamic analysis, its process tree includes:<\/p>\n
The malware systematically encrypts files, appending a .lynx extension (e.g., C:UsersuserDocumentsfile1.docx.lynx). It generates numerous high-entropy files (entropy ~7.99), a hallmark of encryption, and targets system drives and user directories. It also checks for available drives, possibly to infect removable media and deletes Volume Shadow Copies to hinder recovery.<\/p>\n
A ransom note, README.txt, is deployed across directories such as:<\/p>\n
The note attributes the attack to the “Lynx Group” and lists Tor onion addresses for payment negotiation:<\/p>\n
Victims are given seven days to comply.<\/p>\n
The malware alters the desktop wallpaper by setting HKEY_CURRENT_USERControl PanelDesktopWallpaper to C:UsersuserAppDataLocalTempbackground-image.jpg, displaying a ransom message.<\/p>\n
It also creates icon files (e.g., folder.ico, pictures.ico) in C:ProgramDataMicrosoftDevice StageTask{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}, possibly to modify folder appearances and enhance visibility of the infection.<\/p>\n
One notable technique is the malware\u2019s launch of ONENOTE.EXE with the command:<\/p>\n
\/insertdoc “C:UsersuserAppDataLocalMicrosoftWindowsINetCache{540D88F3-8A93-4D49-BAE3-48CD9A1ACD8D}.xps” 133953414633960000<\/p>\n
This instructs OneNote to process an XPS document from the browser cache.<\/p>\n
Subsequently, OfficeC2RClient.exe is spawned with:<\/p>\n
OfficeC2RClient.exe \/error PID=10800 ProcessName=”Microsoft OneNote” UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1<\/p>\n
The error code 0x800c0006 indicates a processing failure.<\/p>\n
Beyond Tor addresses as mentioned above, the malware triggers DNS queries to ecs-office.s-0005.dual-s-msedge.net (resolving to 52.123.129.14 and 52.123.128.14), likely incidental Office telemetry rather than command-and-control traffic.<\/p>\n
No command-and-control activity was observed.<\/p>\n
The report maps behaviours to:<\/p>\n
The Lynx ransomware variant demonstrates a calculated, multi-stage attack chain leveraging legitimate tools such as Microsoft OneNote, custom encryption logic, and aggressive system modification to maximise impact and reduce recovery options. Its integration of high-entropy encryption, shadow copy deletion, and Tor-based negotiation portals aligns with tactics seen in mature RaaS operations.<\/p>\n
The Lynx Ransomware group has been increasingly active, employing sophisticated social engineering techniques and exploiting various vulnerabilities to conduct ransomware attacks on large organisations. Their TTPs include impersonation of IT staff and the abuse of legitimate tools to gain unauthorised access, culminating in data encryption and exfiltration. This post presents a technical analysis of a[\u2026] Read