win.lynx

Lynx


According to Nextron, Lynx ransomware is a sophisticated malware threat that has been active since mid-2024. Lynx has claimed over 20 victims across a range of industries. Once it infiltrates a system, it encrypts critical files, appending a ‘.lynx’ extension, and deletes backup files such as shadow copies to hinder recovery. Unusually, it also sends the ransom note to available printers, adding an unexpected element to its attack strategy. This malware shares similarities with the earlier INC ransomware, indicating that its operators bought the INC ransomware source code.

References
2025-08-27 — eSentire — eSentire Threat Response Unit (TRU)
Threat Actors Deploy Sinobi Ransomware via Compromised SonicWall SSL VPN Credentials
Lynx Sinobi
2025-03-26 — ISH Tecnologia — 0x0d4y, Ismael Rocha
ffdgf
Lynx
2025-01-28 — Group-IB — Nikolay Kichatov, Pietro Albuquerque, Sharmine Low
Cat’s out of the bag: Lynx Ransomware-as-a-Service
Lynx
2024-10-11 — Nextron Systems — Nextron Threat Research Team
In-Depth Analysis of Lynx Ransomware
Lynx
2024-10-10 — Palo Alto Networks: Unit42 — Benjamin Chang, Micah Yates, Pranay Kumar Chhaparwal
Lynx Ransomware: A Rebranding of INC Ransomware
INC Lynx
Yara Rules
[TLP:WHITE] win_lynx_auto (20260504 | Detects win.lynx.)
/*
 * Auto-generated detection rule for the win.lynx family (Lynx ransomware).
 * The strings were selected by YARA-Signator from disassembly of Malpedia
 * samples (see the meta block and the DISCLAIMER below); they are not
 * hand-curated behavioural indicators. Each $sequence_N is a run of x86
 * instruction bytes, disassembled here as 32-bit code. Matching requires at
 * least 7 of the 10 sequences plus the filesize bound in the condition.
 */
rule win_lynx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lynx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lynx"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the annotations below each string:
        //   - `??` is a YARA wildcard byte. The generator masks instruction
        //     operands that change between builds (absolute addresses, call
        //     targets, immediates), e.g. `ff15????????` is `call dword ptr [imm32]`,
        //     `e8????????` is `call rel32`, `a1????????` is `mov eax, [moffs32]`,
        //     `be????????` is `mov esi, imm32`, `f0ff05????????` is
        //     `lock inc dword ptr [imm32]`. Lines with masked operands carry no
        //     decoded mnemonic in the listing.
        //   - `n` is the number of instructions in the sequence.
        //   - `score` is the generator's ranking value; its scale is not
        //     documented on this page, so do not treat it as a confidence level.
        $sequence_0 = { ff7014 ff15???????? f0ff05???????? 8b8c24ec010000 5f 5e 5b }
            // n = 7, score = 100
            //   ff7014               | push                dword ptr [eax + 0x14]
            //   ff15????????         |                     
            //   f0ff05????????       |                     
            //   8b8c24ec010000       | mov                 ecx, dword ptr [esp + 0x1ec]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        // SSE register-to-stack copies (movups); fragile against recompilation
        // with different frame layout, since the displacements are literal.
        $sequence_1 = { 8d8d60ffffff 0f1185d0fdffff 0f108570ffffff 0f1185e0fdffff }
            // n = 4, score = 100
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   0f1185d0fdffff       | movups              xmmword ptr [ebp - 0x230], xmm0
            //   0f108570ffffff       | movups              xmm0, xmmword ptr [ebp - 0x90]
            //   0f1185e0fdffff       | movups              xmmword ptr [ebp - 0x220], xmm0

        $sequence_2 = { 239d40fdffff 8bc6 23852cfdffff 8bd6 33d8 c1ea0e }
            // n = 6, score = 100
            //   239d40fdffff         | and                 ebx, dword ptr [ebp - 0x2c0]
            //   8bc6                 | mov                 eax, esi
            //   23852cfdffff         | and                 eax, dword ptr [ebp - 0x2d4]
            //   8bd6                 | mov                 edx, esi
            //   33d8                 | xor                 ebx, eax
            //   c1ea0e               | shr                 edx, 0xe

        $sequence_3 = { 57 ff15???????? be???????? 660f1f840000000000 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   be????????           |                     
            //   660f1f840000000000     | nop    word ptr [eax + eax]

        $sequence_4 = { 50 a1???????? 56 ffd0 8bce e8???????? 56 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   a1????????           |                     
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_5 = { 0f118570ffffff 8d85d0fbffff b924000000 0f104220 8dbdd8fbffff 898528fbffff f3a5 }
            // n = 7, score = 100
            //   0f118570ffffff       | movups              xmmword ptr [ebp - 0x90], xmm0
            //   8d85d0fbffff         | lea                 eax, [ebp - 0x430]
            //   b924000000           | mov                 ecx, 0x24
            //   0f104220             | movups              xmm0, xmmword ptr [edx + 0x20]
            //   8dbdd8fbffff         | lea                 edi, [ebp - 0x428]
            //   898528fbffff         | mov                 dword ptr [ebp - 0x4d8], eax
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        // The loop below references a fixed absolute offset (0x428f70) from
        // esi; that constant is image-specific and is the part of this
        // sequence most likely to change in a rebuilt binary.
        $sequence_6 = { e8???????? 83a6708f420000 59 83c604 81fe00020000 72dd b001 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83a6708f420000       | and                 dword ptr [esi + 0x428f70], 0
            //   59                   | pop                 ecx
            //   83c604               | add                 esi, 4
            //   81fe00020000         | cmp                 esi, 0x200
            //   72dd                 | jb                  0xffffffdf
            //   b001                 | mov                 al, 1

        // Generic call-and-test-result pattern; on its own this is common
        // compiler output, which is why the condition requires several
        // sequences together rather than any single one.
        $sequence_7 = { 50 ff15???????? 8bf8 85ff 7511 50 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7511                 | jne                 0x13
            //   50                   | push                eax

        $sequence_8 = { 018568fdffff 3b9d70fcffff 1bc0 f7d8 018568fdffff 3bca 8b9568fdffff }
            // n = 7, score = 100
            //   018568fdffff         | add                 dword ptr [ebp - 0x298], eax
            //   3b9d70fcffff         | cmp                 ebx, dword ptr [ebp - 0x390]
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   018568fdffff         | add                 dword ptr [ebp - 0x298], eax
            //   3bca                 | cmp                 ecx, edx
            //   8b9568fdffff         | mov                 edx, dword ptr [ebp - 0x298]

        $sequence_9 = { 56 ff15???????? 85c0 0f845cffffff 837c242401 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f845cffffff         | je                  0xffffff62
            //   837c242401           | cmp                 dword ptr [esp + 0x24], 1

    condition:
        // At least 7 of the 10 $sequence_* strings must match, and the scanned
        // object must be smaller than 363520 bytes (355 KiB). The size bound
        // reflects the reference sample(s); larger builds will not match even
        // if the code sequences are present. Because the strings were taken
        // from memory dumps and unpacked files (see DISCLAIMER), packed
        // on-disk samples may also fail to match until unpacked.
        7 of them and filesize < 363520
}