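/*
 * INC/Lynx affiliate ransomware: three rules, each tied to one reference
 * sample (see meta.hash). All three are limited to PE files (MZ magic at
 * offset 0) smaller than 5MB.
 *
 * Changes from the previous revision:
 *   - Duplicate patterns removed. The same onion regex and the same "TOX:"
 *     string were declared twice under different identifiers, so a single
 *     occurrence counted twice towards "N of them".
 *   - Hex strings that ended in a lone nibble were cut back to their last
 *     complete byte. A lone nibble is not a valid hex-string token and the
 *     rule would not compile.
 *
 * Re-validate each rule against its reference hash and a clean-file corpus
 * before deploying.
 */

rule INC_Lynx_Affiliate_ransomware_1
{
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "95e3f9e2e9229e0bf56d87c92187d7c2efa3227cd5315247b91802eaee735c58"

    strings:
        // Ransom-note and cipher keywords. Individually these are generic:
        // any tool that links a crypto library may contain several of them.
        $kw_tox       = "TOX:" nocase
        $kw_decrypt   = "DECRYPT" nocase
        $kw_chacha    = "ChaCha20" nocase
        $kw_encrypted = "ENCRYPTED" nocase

        // Onion indicators. Every match of $onion_v3 also contains ".onion",
        // so both patterns are counted as ONE indicator in the condition.
        // NOTE(review): v3 onion labels are base32 (a-z, 2-7); the character
        // class below is wider than needed. Left unchanged pending
        // re-validation against the sample.
        $onion_v3  = /[A-Za-z0-9]{56}\.onion/
        $onion_tld = ".onion" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (
            // Three distinct indicators are required. Previously one onion
            // address satisfied three patterns on its own (both regex copies
            // plus ".onion"), so the rule fired on any small PE embedding a
            // single v3 onion URL.
            3 of ($kw_*) or
            (any of ($onion_*) and 2 of ($kw_*))
        )
}

rule INC_Lynx_Affiliate_ransomware_2
{
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "df1e112f98cb8dcb68a90f3093324a723ba3e7eb4d5650fb8a517a93651c1f3c"

    strings:
        // "nocase" dropped: the string has no letters, so it had no effect.
        $sep = "::::"

        // The original ended in a lone nibble ("... 34 D"); cut back to the
        // last complete byte so the rule compiles. The shorter pattern
        // matches everything the intended one would have matched.
        // NOTE(review): restore the full byte from the reference sample.
        $blob = { 1D 79 C5 ED D4 78 F9 12 15 7D EA 7E 8E 34 }

        // Declared once; the earlier duplicate let one address count twice.
        $onion_v3 = /[A-Za-z0-9]{56}\.onion/

        $readme = /README\..{3,10}/i

        // Legacy Base58 Bitcoin address shape. NOTE(review): this has no
        // fixed anchor text, so it is slow to scan and will match random
        // alphanumeric runs in many benign binaries. Treat a hit as weak
        // evidence.
        $btc = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

        $rename = "Do not rename" nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}

rule INC_Lynx_Affiliate_ransomware_3
{
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a583866baad060827a1f267c4c19323e4ee8ccc7509949351e00715984e503d1"

    strings:
        $r0 = /[A-Za-z0-9]{56}\.onion/
        $s3 = "ChaCha20" nocase

        // Byte sequences presumably lifted from the reference sample; the
        // file does not say what they represent. $h2, $h5, $h6 and $h7
        // originally ended in a lone nibble and are cut back to the last
        // complete byte so the rule compiles.
        // NOTE(review): restore the full bytes from the sample if available.
        $h1 = { 56 0C 8D 02 B2 AF B3 02 34 69 66 05 13 C7 7E 23 77 C7 18 }
        $h2 = { 0B C6 09 12 9C 67 13 3A C1 81 60 96 4B 81 E7 59 BB }
        $h4 = { 80 C2 45 80 1A A5 EE 25 BE 38 FC 10 0D 7E 1E }
        $h5 = { 29 06 AE 44 6C D1 87 76 29 C1 9B 3A 33 8C 21 4A C0 31 }
        $h6 = { 59 0C 0F 3D 14 5A 7C 18 F2 52 FE C0 FC 64 96 99 23 }
        $h7 = { A1 63 EF 0F 61 E5 12 1B 0E 67 75 80 23 B9 4E 96 F1 38 CE 7C 2D 61 37 }

    condition:
        // Threshold unchanged. Note that $r0 plus $s3 alone satisfy it, and
        // neither is specific to this family; hits backed by at least one
        // $h* pattern carry more weight during triage.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of them
}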