0
Total Victims
2024-07-01
First Seen
N/A
Last Seen
0
Known TTPs
11.3d
Avg Delay
0
Negotiations
ONION URLS
aqbdt5dc7iibt4bkhqtc63utgc2mxgv5jptfhm27yd7dhxa6u3atm6on.onion
TOOLS
Atera Rubeus
FILE EXTENSIONS
.pay
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
No victims recorded

No TTPs data

INC/Lynx_Affiliate_rule_1 RansomwareMonitor
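// Flags Windows PE files under 5 MB that embed ransom-note style text:
// a TOX contact marker, DECRYPT/ENCRYPTED wording, a ChaCha20 reference
// and Tor onion references.
//
// Review changes relative to the published listing:
//   * "TOX:" and the onion-address regex were each declared twice, and
//     ".onion" also hits inside every onion address. Under "3 of them" a
//     single onion address therefore satisfied the threshold on its own
//     ($r2 + $r3 + $s7), so any small PE that merely contains one v3 onion
//     address matched. Each indicator is now declared once and all onion
//     evidence counts as one indicator.
//   * The address regex is narrowed from [A-Za-z0-9] to the base32 alphabet
//     used by v3 onion addresses (a-z, 2-7), matched case-insensitively.
//
// NOTE(review): every string here is generic ransom-note vocabulary, not
// family-specific code. Treat a hit as a triage lead and confirm against the
// reference hash in meta before attributing a sample.
rule INC_Lynx_Affiliate_ransomware_1 {
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "95e3f9e2e9229e0bf56d87c92187d7c2efa3227cd5315247b91802eaee735c58"

    strings:
        // Ransom-note keywords (ASCII, case-insensitive).
        $kw_tox       = "TOX:" nocase
        $kw_decrypt   = "DECRYPT" nocase
        $kw_chacha    = "ChaCha20" nocase
        $kw_encrypted = "ENCRYPTED" nocase

        // Tor evidence: a full 56-character v3 address, or a bare ".onion".
        $onion_addr = /[a-z2-7]{56}\.onion/i
        $onion_tld  = ".onion" nocase

    condition:
        uint16(0) == 0x5A4D and          // "MZ" header: PE files only
        filesize < 5MB and
        (
            // Three independent indicators, with Tor evidence counted once.
            3 of ($kw_*) or
            (2 of ($kw_*) and any of ($onion_*))
        )
}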
INC/Lynx_Affiliate_rule_2 RansomwareMonitor
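// Flags Windows PE files under 5 MB that combine at least three of: a "::::"
// separator, one sample-derived byte sequence, a v3 onion address, a
// README.<ext> file name, a Base58 string shaped like a legacy Bitcoin
// address, and the phrase "Do not rename".
//
// Review changes relative to the published listing:
//   * $h1 ended in a lone nibble ("... 34 D"). YARA hex strings must be whole
//     bytes or explicit "?" wildcards, so the rule did not compile as
//     published. The dangling nibble is dropped; the remaining 14 bytes are a
//     prefix of whatever the full pattern was, so no intended match is lost.
//   * The onion-address regex was declared twice ($r2 and $r5), letting one
//     address count as two of the three required hits. It is declared once
//     and narrowed to the v3 base32 alphabet (a-z, 2-7), case-insensitive.
//   * "nocase" was removed from "::::", which contains no letters.
//
// NOTE(review): $btc_addr is unanchored and will hit inside any long
// alphanumeric run, and "::::" and README.<ext> are common in benign
// binaries. Expect false positives; confirm hits against the reference hash.
// NOTE(review): the byte sequence could not be checked against the reference
// sample from this page; restore the full pattern from the sample if available.
rule INC_Lynx_Affiliate_ransomware_2 {
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "df1e112f98cb8dcb68a90f3093324a723ba3e7eb4d5650fb8a517a93651c1f3c"

    strings:
        $sep        = "::::"
        // Truncated in the published listing; trailing partial byte removed.
        $bytes_1    = { 1D 79 C5 ED D4 78 F9 12 15 7D EA 7E 8E 34 }
        $onion_addr = /[a-z2-7]{56}\.onion/i
        $readme     = /README\..{3,10}/i
        $btc_addr   = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $no_rename  = "Do not rename" nocase

    condition:
        uint16(0) == 0x5A4D and          // "MZ" header: PE files only
        filesize < 5MB and
        3 of them                        // three distinct indicators
}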
INC/Lynx_Affiliate_rule_3 Elastic Security
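// Flags Windows PE files under 5 MB that contain at least two of: a v3 onion
// address, the string "ChaCha20", and six sample-derived byte sequences.
//
// Review changes relative to the published listing:
//   * $h2, $h5, $h6 and $h7 each ended in a lone nibble (e.g. "... BB 2").
//     YARA hex strings must be whole bytes or explicit "?" wildcards, so the
//     rule did not compile as published. The dangling nibble is dropped from
//     each; every shortened pattern is a prefix of the original, so no
//     intended match is lost.
//   * The onion-address regex is narrowed from [A-Za-z0-9] to the v3 base32
//     alphabet (a-z, 2-7), matched case-insensitively.
//
// NOTE(review): the listing labels this rule "Elastic Security" while
// meta.author says "RansomwareMonitor"; provenance is unclear from the page.
// NOTE(review): the byte sequences could not be checked against the reference
// sample from this page. If they come from encrypted or packed regions they
// will not generalise beyond the one sample named in meta.hash.
// NOTE(review): with "2 of them", an onion address plus "ChaCha20" is enough
// to match without any byte sequence; confirm hits against the hash.
rule INC_Lynx_Affiliate_ransomware_3 {
    meta:
        description = "Detects INC/Lynx Affiliate ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "a583866baad060827a1f267c4c19323e4ee8ccc7509949351e00715984e503d1"

    strings:
        $onion_addr = /[a-z2-7]{56}\.onion/i
        $chacha     = "ChaCha20" nocase

        // Sample-derived byte sequences. Those marked "trimmed" lost a
        // trailing partial byte that was truncated in the published listing.
        $bytes_1 = { 56 0C 8D 02 B2 AF B3 02 34 69 66 05 13 C7 7E 23 77 C7 18 }
        $bytes_2 = { 0B C6 09 12 9C 67 13 3A C1 81 60 96 4B 81 E7 59 BB }       // trimmed
        $bytes_3 = { 80 C2 45 80 1A A5 EE 25 BE 38 FC 10 0D 7E 1E }
        $bytes_4 = { 29 06 AE 44 6C D1 87 76 29 C1 9B 3A 33 8C 21 4A C0 31 }    // trimmed
        $bytes_5 = { 59 0C 0F 3D 14 5A 7C 18 F2 52 FE C0 FC 64 96 99 23 }       // trimmed
        $bytes_6 = { A1 63 EF 0F 61 E5 12 1B 0E 67 75 80 23 B9 4E 96 F1 38 CE 7C 2D 61 37 }  // trimmed

    condition:
        uint16(0) == 0x5A4D and          // "MZ" header: PE files only
        filesize < 5MB and
        2 of them
}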

No IoCs

No ransom notes