The Lynx Ransomware-as-a-Service (RaaS) group has been found operating a highly organized platform, complete with a structured affiliate program and robust encryption methods. Researchers at Group-IB gained access to the group’s affiliate panel, revealing the inner workings of this sophisticated cyber-threat.

Affiliates receive an 80% share of ransom proceeds, handle all negotiations and maintain control over the ransom wallet. Lynx also offers additional services, such as a call center to harass victims and advanced storage solutions for high-performing affiliates.

Lynx’s affiliate panel is organized into multiple sections, including “News,” “Companies,” “Chats,” “Stuffers” and “Leaks.” This design allows affiliates to configure victim profiles, generate custom ransomware samples and manage data leak schedules within a user-friendly interface.

Cross-Platform Ransomware and Customizable Encryption

The group also provides an “All-in-One Archive” containing binaries for Windows, Linux and ESXi environments, covering a range of architectures, including ARM, MIPS and PPC. This multi-architecture approach ensures broad compatibility and maximizes the impact of attacks in diverse networks.

Lynx has recently introduced multiple encryption modes – “fast,” “medium,” “slow” and “entire” – allowing affiliates to balance speed and depth of file encryption. The ransomware employs robust encryption algorithms, including Curve25519 Donna and AES-128.

Professional Recruitment and Double Extortion

The group actively recruits experienced penetration testing teams through underground forums, emphasizing a stringent verification process.

They do not target entities responsible for the livelihood of civilians, such as healthcare institutions, government bodies, churches or non-profits.

Lynx employs double extortion tactics, encrypting victims’ data and threatening to leak it on its dedicated leak site (DLS) if ransoms are not paid. The DLS serves as a platform where the attackers publish announcements about attacks and disclose data leaked from their victims.

“Lynx has emerged as a formidable RaaS operator by combining a versatile arsenal of ransomware builds, a structured affiliate ecosystem and systematic extortion tactics,” Group-IB wrote.

“In-depth analysis revealed a significant code overlap with INC ransomware [...]. This strongly indicates that Lynx may have purchased or adapted the INC ransomware source code, enabling them to build upon existing malware capabilities. For organizations, this underscores the importance of continually updating incident response procedures, investing in real-time threat intelligence and fostering a security-first culture.”