Lynx ransomware is an advanced malware threat that has been active since mid-2024, impacting over 20 victims across multiple industries. It primarily targets Windows operating systems, encrypting files using the Advanced Encryption Standard (AES) with a 128-bit key in CTR mode. Additionally, it employs a double extortion technique, threatening to leak stolen data unless a ransom is paid.
Operated by the Lynx ransomware group, this ransomware spreads through phishing emails, software exploits, and malicious advertisements, making it highly adaptable to different attack vectors. Once deployed, it drops ransom notes demanding cryptocurrency payments. The group markets itself as “ethical,” claiming to exclude healthcare and government sectors while focusing on corporate targets.
Lynx Ransomware Behavior
Lynx ransomware provides attackers with execution flexibility, allowing them to customize attacks using runtime arguments. These options enable precise targeting, including the selection of specific files and directories, encryption of network drives, and termination of key services and processes.
Upon infecting a Windows endpoint, Lynx ransomware follows a structured attack sequence:
1. Terminate Services. The ransomware stops specific services if they are active on the affected system. These include: Backup, Exchange, SQL, Notepad, Veeam, and Java.
2. Encrypt Files. Lynx ransomware encrypts files on the infected system while excluding those with the following extensions: .dll, .exe, .msi, and .lynx. It also bypasses files stored in:
- $RECYCLE.BIN
- AppData
- Program Files
- Program Files (x86)
Encrypted files are marked with the .LYNX extension.
3. Create Ransom Note. The ransomware generates a README.txt ransom note in every folder it scans, informing victims of the attack and ransom demands.
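The three behaviours above (service termination, renaming of encrypted files to .LYNX, and a README.txt note in every scanned folder) are each observable in endpoint telemetry. The following is an added example, not code from Wazuh or from the original article: a small Python detector that runs over constructed, FIM-style event records and combines the three indicators into a verdict. The event field names (`type`, `service`, `path`) and the thresholds are assumptions chosen for the example, and the sample events are constructed, not real telemetry.

```python
"""Heuristic detector for the Lynx ransomware behaviour described above.

Added example (not Wazuh's own rules). Event records are dicts with the
assumed fields: type ("service_stop", "file_added", "file_modified"),
service (for service_stop) and path (for file events).
"""
from pathlib import PureWindowsPath

# Services the article says Lynx stops; matched case-insensitively as substrings.
TARGETED_SERVICE_KEYWORDS = ("backup", "exchange", "sql", "notepad", "veeam", "java")

# Thresholds are assumptions for this example; tune them to the environment.
MIN_LYNX_FILES = 5      # files carrying the .lynx extension
MIN_NOTE_FOLDERS = 3    # distinct folders that received a README.txt


def is_lynx_extension(path: str) -> bool:
    """True if the file name ends in the .LYNX extension (any case)."""
    return PureWindowsPath(path).suffix.lower() == ".lynx"


def is_ransom_note(path: str) -> bool:
    """True if the file is named README.txt (any case)."""
    return PureWindowsPath(path).name.lower() == "readme.txt"


def analyze(events):
    """Count the three indicators and return them with a verdict.

    Service stops alone are a weak signal (administrators stop SQL and
    backup services routinely), so they are reported as context; the
    verdict is driven by the .LYNX renames and the spread of ransom notes.
    """
    stopped_services = []
    lynx_files = 0
    note_folders = set()

    for ev in events:
        kind = ev.get("type")
        if kind == "service_stop":
            name = ev.get("service", "")
            if any(k in name.lower() for k in TARGETED_SERVICE_KEYWORDS):
                stopped_services.append(name)
        elif kind in ("file_added", "file_modified"):
            path = ev.get("path", "")
            if is_lynx_extension(path):
                lynx_files += 1
            elif is_ransom_note(path):
                note_folders.add(str(PureWindowsPath(path).parent).lower())

    suspected = lynx_files >= MIN_LYNX_FILES or len(note_folders) >= MIN_NOTE_FOLDERS
    return {
        "stopped_services": stopped_services,
        "lynx_files": lynx_files,
        "note_folders": len(note_folders),
        "ransomware_suspected": suspected,
    }


# Constructed sample events resembling an infected host (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "service_stop", "service": "MSSQLSERVER"},
    {"type": "service_stop", "service": "VeeamBackupSvc"},
    {"type": "service_stop", "service": "Spooler"},  # not a Lynx target
    {"type": "file_added", "path": r"C:\Users\alice\Documents\report.docx.LYNX"},
    {"type": "file_added", "path": r"C:\Users\alice\Documents\budget.xlsx.LYNX"},
    {"type": "file_added", "path": r"C:\Users\alice\Documents\README.txt"},
    {"type": "file_added", "path": r"C:\Users\alice\Pictures\holiday.jpg.LYNX"},
    {"type": "file_added", "path": r"C:\Users\alice\Pictures\README.txt"},
    {"type": "file_added", "path": r"D:\Shares\Finance\q3.pdf.LYNX"},
    {"type": "file_added", "path": r"D:\Shares\Finance\invoices.csv.LYNX"},
    {"type": "file_added", "path": r"D:\Shares\Finance\README.txt"},
    {"type": "file_added", "path": r"D:\Shares\HR\roster.xlsx.LYNX"},
    {"type": "file_modified", "path": r"C:\Program Files\App\app.exe"},  # benign
]

# Constructed sample of ordinary activity on a clean host.
BENIGN_EVENTS = [
    {"type": "service_stop", "service": "MSSQLSERVER"},  # routine maintenance
    {"type": "file_modified", "path": r"C:\Users\bob\Documents\notes.txt"},
    {"type": "file_added", "path": r"C:\Projects\tool\README.txt"},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
    print(analyze(BENIGN_EVENTS))
```

Run stand-alone, the script reports the infected sample as suspected ransomware (six .LYNX files, notes in three folders, SQL and Veeam services stopped) and the clean sample as not suspected, even though it also contains a SQL service stop and a README.txt.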
This article explains how Wazuh SIEM and XDR can be used to detect and respond to Lynx ransomware threats.
Enhancing Cybersecurity with Wazuh
To mitigate threats like Lynx ransomware, organizations can leverage Wazuh SIEM and XDR for proactive detection and response.
For more details on Wazuh’s capabilities, explore the documentation, blog posts, and the Wazuh community for support and the latest updates.