First discovered on July 17, 2024, Lynx ransomware quickly made a name for itself by targeting high-profile U.S. companies and extorting millions in ransom payments.
Built on the remnants of Quantum and MountLocker, Lynx is now a more organized and aggressive threat, one that zeroes in on environments where disruption and data exposure could be catastrophic.
Who’s Being Targeted
Organizations in healthcare, finance, education, real estate, manufacturing, and more have found themselves in Lynx’s sights. The group uses double extortion tactics, encrypting critical systems and threatening to leak stolen data on their Dedicated Leak Site (DLS) if victims refuse to pay.
For companies handling sensitive client data, this isn’t only a technical issue but also a potential crisis. A public leak could lead to reputational damage, regulatory fines, and lost customer trust. Lynx uses this fear to ramp up pressure and maximize payouts.
What Makes Lynx Different?
Lynx stands out for how organized it is. It operates as a Ransomware-as-a-Service, but with a strict vetting process for affiliates. Only skilled intruders get in, and the most “profitable” ones are rewarded with better tools and even call center support to pressure victims.
They also take operational security seriously: they use encrypted channels, produce custom builds per affiliate, and constantly update their leak site.
Real-World Example of Lynx Ransomware Attack
A real-world example of a Lynx ransomware attack can be examined inside isolated environments like sandboxes, which allow analysts to safely observe how the malware behaves.
Visual Indicators: The Ransom Note
Inside ANY.RUN’s interactive sandbox, we can see Lynx in action. Once executed, the background of the virtual machine changes to black, displaying a ransom note. It informs the victim that their data has been encrypted and instructs them to download the Tor browser to contact the attackers.
Lynx Ransomware changing the background inside ANY.RUN sandbox
File Encryption Behavior
The sandbox also reveals how the malware begins encrypting files on the system, systematically locking data and changing file extensions to .LYNX, making them inaccessible without the decryption key.
The Files modification tab shows all the file system activity logged during the analysis
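One way to turn the rename behavior described above into a detection, as an added example that is not ANY.RUN's code or part of the original article: the Python below flags any process that appends .LYNX to several files within a short window and lists the drives and shares it touched. The event tuples, process names, paths, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

LYNX_EXT = ".lynx"  # extension named on this page; matched case-insensitively

# Constructed file-rename events (time, pid, image, old path, new path).
# Process names, paths and hosts are made up for this example.
SAMPLE_EVENTS = [
    ("2024-07-17T10:00:00", 4321, "sample.exe", r"C:\Users\a\q1.xlsx", r"C:\Users\a\q1.xlsx.LYNX"),
    ("2024-07-17T10:00:01", 4321, "sample.exe", r"C:\Users\a\notes.txt", r"C:\Users\a\notes.txt.LYNX"),
    ("2024-07-17T10:00:01", 777, "editor.exe", r"C:\Users\a\draft.txt", r"C:\Users\a\draft.bak"),
    ("2024-07-17T10:00:02", 4321, "sample.exe", r"Z:\finance\ledger.db", r"Z:\finance\ledger.db.lynx"),
    ("2024-07-17T10:00:03", 4321, "sample.exe", r"\\fs01\share\hr.pdf", r"\\fs01\share\hr.pdf.LYNX"),
    ("2024-07-17T10:00:04", 4321, "sample.exe", r"\\fs01\share\plan.doc", r"\\fs01\share\plan.doc.LYNX"),
    ("2024-07-17T10:05:00", 888, "tool.exe", r"C:\lab\a.bin", r"C:\lab\a.bin.LYNX"),
    ("2024-07-17T10:09:00", 888, "tool.exe", r"C:\lab\b.bin", r"C:\lab\b.bin.LYNX"),
]

def is_lynx_rename(old, new):
    """True when a rename gives a file the .LYNX extension it did not have before."""
    old_ext = PureWindowsPath(old).suffix.lower()
    new_ext = PureWindowsPath(new).suffix.lower()
    return new_ext == LYNX_EXT and old_ext != LYNX_EXT

def detect_rename_burst(events, threshold=5, window_seconds=10):
    """Return {pid: details} for processes with >= threshold .LYNX renames in the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # pid -> (time, volume or share root) of recent hits
    flagged = {}
    for ts, pid, image, old, new in sorted(events):
        if not is_lynx_rename(old, new):
            continue
        t = datetime.fromisoformat(ts)
        hits = recent[pid]
        hits.append((t, PureWindowsPath(new).anchor))
        while t - hits[0][0] > window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= threshold and pid not in flagged:
            roots = sorted({root for _, root in hits})  # local, mapped and UNC roots
            flagged[pid] = {"image": image, "first_alert": ts, "roots": roots}
    return flagged

if __name__ == "__main__":
    for pid, info in detect_rename_burst(SAMPLE_EVENTS).items():
        print(pid, info)
```

A process that touches more than one root, as pid 4321 does here, matches the reach onto mounted drives and shared folders described in the next section.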
Network and Storage Reach
The ransomware is capable of encrypting mounted drives, shared folders, and specific network resources, ensuring widespread damage.
Recovery Prevention Techniques
To make recovery nearly impossible, Lynx also deletes shadow copies and backup partitions, cutting off common methods of restoring data without paying the ransom.
Lynx malicious process analysis in the ANY.RUN sandbox
This kind of analysis helps security teams observe the attack step-by-step, identify indicators of compromise, and understand how threats like Lynx operate, which is crucial for timely response, stronger defenses, and minimizing business disruption.
Stay Prepared
Lynx is just one example of how ransomware continues to evolve – faster, smarter, and more disruptive. Having visibility into how these threats work is key to defending your systems and protecting sensitive data.
Try it for yourself: register with ANY.RUN and start exploring threats in real time.

Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.