Lynx ransomware has been highly active in 2025 following its emergence in July 2024. Operating as a Ransomware-as-a-Service (RaaS) group, Lynx is believed to be a rebrand of INC ransomware, maintaining similar encryption methods while refining the leak site operations and ransom negotiations.
From MOXFIVE’s experience, threat actors delivering Lynx have primarily relied on phishing and exploiting vulnerabilities in remote access VPN solutions for initial access. Once inside, they disable security defenses, encrypt files, and use a multi-layered extortion strategy to pressure victims. While Professional Services, Manufacturing, Food & Beverage, and Technology have been among the most frequently targeted industries, Lynx ransomware has impacted organizations across various other sectors as well.
Like many ransomware operations, Lynx maintains a dedicated leak site to pressure victims into payment. The following screenshots highlight recent postings, showcasing the group’s ongoing activity.
Figure 1: Data leak site for Lynx Ransomware.
Figure 2: Detailed view of publication (Publish Date, Description, Category, Income, and Screenshots)
Key Highlights
Targeted Industries: Threat actors deploying Lynx ransomware have successfully impacted organizations across multiple industries. In 2025, primary targets have been organizations within the Professional Services and Manufacturing sectors. Additional campaigns have also reached organizations in the Food & Beverage and Technology sectors.
Global Insights: Recent incidents involving Lynx ransomware have predominantly affected organizations in the United States. In addition, threat actors behind these operations have also targeted organizations in many other regions, notably the United Kingdom, Sweden, Australia, and Singapore.
Tactics, Techniques, and Procedures: Threat actors delivering Lynx ransomware have gained initial access through phishing and VPN exploitation. Credential harvesting through phishing emails enables unauthorized network access, while in some incidents, vulnerabilities in remote access VPN solutions have been exploited to infiltrate environments.
Once inside, threat actors take steps to weaken security defenses and hinder recovery efforts:
File Encryption & Extortion Tactics: Lynx ransomware encrypts local files, network shares, and hidden drives, appending a .lynx extension to affected files. The malware supports custom execution flags, allowing threat actors to target specific directories, terminate processes, and encrypt network shares. After encryption, ransom notes—typically named README.txt or README_2.txt—are left on compromised systems. These notes often include:
To maximize visibility, threat actors have also been observed sending ransom notes to all available printers and modifying desktop backgrounds to display the ransom demand. Lynx follows a double extortion strategy, encrypting files while also threatening to leak stolen data. The group maintains a public leak site, where stolen data from non-paying victims is published to increase pressure.
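The file indicators described above (the .lynx extension and ransom notes named README.txt or README_2.txt) can be correlated in file-event telemetry. The Python below is an added example, not MOXFIVE's code. The CSV column layout, host names and paths are constructed, and the threshold of three encrypted files per directory is an assumption.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the advisory text above.
ENCRYPTED_EXT = ".lynx"
NOTE_NAMES = {"readme.txt", "readme_2.txt"}

# Constructed sample of file-event telemetry (host,action,path).
# The column layout is an assumption; map it to your own file-event export.
SAMPLE_EVENTS = r"""host,action,path
FS01,rename,D:\Shares\Finance\q1.xlsx.lynx
FS01,rename,D:\Shares\Finance\q2.xlsx.lynx
FS01,rename,D:\Shares\Finance\payroll.docx.lynx
FS01,create,D:\Shares\Finance\README.txt
FS01,create,D:\Tools\putty\README.txt
WS07,create,C:\Users\amy\src\project\README.txt
WS07,rename,C:\Users\amy\Documents\notes.txt.LYNX
"""

def find_lynx_directories(csv_text, min_encrypted=3):
    """Return sorted (host, directory) pairs that hold a ransom-note name
    AND at least min_encrypted files carrying the .lynx extension."""
    encrypted = defaultdict(set)   # (host, dir) -> encrypted file names
    notes = set()                  # (host, dir) where a note name appeared
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["path"])
        key = (row["host"], str(path.parent).lower())
        name = path.name.lower()
        if name.endswith(ENCRYPTED_EXT):
            encrypted[key].add(name)
        elif name in NOTE_NAMES:
            notes.add(key)
    # README.txt alone is common in benign software, so require both signals.
    return sorted(k for k in notes if len(encrypted[k]) >= min_encrypted)

def hosts_with_lynx_files(csv_text):
    """Lower-confidence view: every host that produced any .lynx file."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["host"] for r in rows
                   if r["path"].lower().endswith(ENCRYPTED_EXT)})

if __name__ == "__main__":
    for host, directory in find_lynx_directories(SAMPLE_EVENTS):
        print(f"HIGH  {host}  {directory}")
    print("hosts with .lynx files:", hosts_with_lynx_files(SAMPLE_EVENTS))
```

Requiring both signals in the same directory keeps ordinary README.txt files in software folders from raising alerts, while the per-host view catches early or partial encryption before a note appears.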
If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.