![sixos: A nix OS without systemd [video]](https://static.media.ccc.de/media/congress/2024/690-6df243b9-ad58-5d92-9104-54ff6076608d_preview.jpg)
Inside Lynx RaaS: How Affiliates Innovate in the Cybercrime Ecosystem
Inside Lynx RaaS: How Affiliates Innovate in the Cybercrime Ecosystem - Malware Update
Ransomware-as-a-Service (RaaS) is evolving at an alarming pace, driving increasingly sophisticated cybercrime across Europe. One of the most prolific players in this space, the Lynx RaaS group, is reshaping ransomware operations with a powerful affiliate-driven model, advanced encryption capabilities, and a robust, user-friendly ecosystem.
In Group-IB's latest research blog, we uncover for the first time how Lynx operates, revealing their affiliate workflow, cross-platform ransomware arsenal, customizable encryption techniques, and professional recruitment practices.
Key insights include:
Structured RaaS Panel and Workflow: Lynx's affiliate panel is divided into multiple sections (e.g. "News," "Companies," "Chats," "Stuffers," and "Leaks"), each serving a clear purpose. Affiliates can configure victim profiles, generate custom ransomware samples, and even manage data-leak schedules within a single, user-friendly interface.
Cross-Platform Ransomware Arsenal: Lynx provides affiliates with a comprehensive "All-in-One Archive," containing binaries for Windows, Linux, and ESXi environments, covering a range of architectures (ARM, MIPS, PPC, etc.). This multi-architecture approach ensures broad compatibility and maximizes the impact of attacks in heterogeneous networks.
Affiliate Features and Double Extortion: Affiliates are incentivized with an 80% share of ransom proceeds, reflecting a competitive, recruitment-driven strategy. Lynx's panel includes a dedicated leak site (DLS) where stolen data is publicly exposed if ransoms go unpaid, adding critical pressure on victims to comply.
Customizable Encryption Techniques: Lynx recently added multiple encryption modes: "fast," "medium," "slow," and "entire", giving affiliates the freedom to adjust the trade-off between speed and depth of file encryption. The use of Curve25519 Donna and AES-128 encryption emphasizes Lynx's focus on robust, proven cryptography.
Professional Recruitment and Vetting: The group's recruitment posts on underground forums emphasize a stringent verification process for pentesters and skilled intrusion teams, highlighting Lynx's emphasis on operational security and quality control. They also offer "call centers" for harassing victims and advanced storage solutions for affiliates who consistently deliver profitable results.
The research blog depicts a threat actor profile, including modus operandi, notable features, and the countries targeted-including the United Kingdom, Luxembourg, Italy, Belgium, and France.
Ransomware attacks are surging across Europe, with critical sectors such as healthcare, finance, logistics, and manufacturing increasingly targeted. Lynx's sophisticated affiliate model amplifies these threats, making it vital for organizations to understand the mechanics of RaaS operations.
