RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
INC / Lynx
Ransomware-as-a-Service  •  Double Extortion  •  INC Codebase Successor
High Threat Fully Operational RaaS Cluster Profile
INC First Observed: Aug 2023 (predecessor phase)
Lynx First Observed: Jul 2024 (active RaaS phase)
Total Victims (Lynx): 410+ (as of May 2026)
Countries Targeted: 16+ (60%+ US-based)
Affiliate Split: 80/20 (affiliate / core team)
LE Disruptions: Zero (no takedowns or sanctions)
01  Executive Summary and Group Overview

INC and Lynx represent two sequential phases of a single criminal cluster. INC ransomware emerged in August 2023 as a targeted, double-extortion operation. By early 2024, INC's source code was offered for sale on underground forums. Lynx appeared in July 2024 exhibiting substantial code overlap with INC and rapidly expanded into a structured Ransomware-as-a-Service (RaaS) program with a formal affiliate panel, tiered roles, and an 80/20 revenue split. By May 2026, Lynx had listed over 410 victims across 16+ countries, with the United States accounting for more than 60% of known targets.

The prevailing vendor assessment is that Lynx is a rebrand or successor of INC, grounded in documented code similarity, overlapping email infrastructure, and the timing of INC's source code sale. One credible vendor (Rapid7) adopts a more cautious stance, treating the overlap as consistent with source-code acquisition rather than proof of identical operator continuity. No CrowdStrike, Mandiant, or Secureworks formal designations have been published for either INC or Lynx as of May 2026. Microsoft tracks the Lynx operator group as Storm-2113; Trend Micro tracks it as Water Lalawag.

Attribute | INC (Phase 1) | Lynx (Phase 2)
Active period | Aug 2023 to early 2024 | Jul 2024 to present
Operational model | Targeted operation; some RaaS elements | Structured RaaS with affiliate panel, tiered roles
Extortion model | Double extortion | Double extortion
Platforms | Windows, ESXi/Linux | Windows, Linux x64, ARM, MIPS, ESXi
Encryption | AES + Curve25519 (shared with Lynx) | AES-128 CTR + Curve25519 Donna
Microsoft tracking | Not published | Storm-2113
Trend Micro tracking | Not published | Water Lalawag
CrowdStrike tracking | Not published | Not published
Mandiant tracking | Not published | Not published
Secureworks tracking | Not published | Not published
Assessed jurisdiction | Russian-speaking, likely CIS-based (CREDIBLE)
LE disruption status | None confirmed as of May 2026
Sanctions | None; no OFAC designations
Decryptor available | No public decryptor
Data Leak Site & Branding
02  Lineage and Organizational Heritage

Core Assessment
Credible — high code overlap; operator continuity unconfirmed

The weight of vendor reporting treats Lynx as a successor to or rebrand of INC, grounded primarily in technical code overlap and the timing of INC's source-code sale. The principal unresolved question is whether the same operators migrated to Lynx or whether a separate crew purchased the codebase and established a new operation. BlackBerry's identification of a shared email address in both groups' DLS registration data is the strongest indicator of operator continuity beyond code reuse.

Evidentiary Pillars
Pillar 1 — Confirmed
Code Overlap (Windows Variant)
Palo Alto Unit 42 used BinDiff to compare INC and Lynx Windows samples: 48% overall function match, rising to 70.8% when limited to functions common to both families. Fortinet and Nextron corroborate similar encryption methods and behavioral traits. SK Shieldus found the same strings and encryption algorithms. Blackpoint Cyber (Feb 2026) confirms 40% overall code similarity and 70.8% in specific functions for Windows variants. [1][3][6][11]
Pillar 2 — Confirmed
Code Overlap (Linux/ESXi Variant)
Blackpoint Cyber (Feb 2026) reports the Lynx Linux/ESXi variant has 91% code similarity with INC Linux and 87% overall overlap. This is a substantially higher match than the Windows variant and is the strongest technical evidence of shared codebase. [11]
Pillar 3 — Credible
Shared Infrastructure Indicator
BlackBerry researchers identified that Lynx and INC used the same email address (gansbronz[at]gmail[.]com) in the registry information of their respective public data leak sites. This is a direct operational indicator of common administration and the strongest non-code link between the two. [12][11]
Pillar 4 — Credible
Timeline and Forum Evidence
INC source code was advertised for sale as early as March 2024 (Unit 42) and listed in May 2024 at $300,000 (ransomware.live; primarily single-source). Lynx samples appeared in July 2024, approximately two months after the sale. The temporal sequence is consistent with a code acquisition and operational build-out timeline. [1][2][14]
Vendor Assessment Comparison
Vendor | Position | Confidence
Palo Alto Networks Unit 42 | Lynx is "a rebranding of INC ransomware"; article title is the formal assessment | High (code analysis + timeline)
Fortinet FortiGuard Labs | Lynx is the "successor" to INC; same encryption methods and behavioral traits | High (code + behavior)
Ransomware.live | Explicitly tags Lynx as "a rebrand of INC Ransomware" | Moderate (tracking site, not primary vendor)
Nextron Systems / Malpedia | Lynx "likely used INC source code"; close similarity acknowledged | High (malware analysis)
BlackBerry | Shared DLS admin email; code similarity | High (specific IOC corroboration)
Blackpoint Cyber | Lynx "functionally nearly identical to INC Ransom"; notes LockBit-influenced modifications | High (Feb 2026, most recent formal assessment)
Rapid7 | Strong overlaps but "not sufficient to fully prove Lynx was derived from INC's source"; treats as lineage-linked but distinct | Cautious (code overlap alone, no operator confirmation)
Group-IB | Describes Lynx as a distinct but structured RaaS; notes affiliate overlap with other ecosystems but does not name the groups | Moderate (operational focus rather than attribution)
CrowdStrike | No published designation or formal assessment for INC or Lynx as of May 2026 | Gap
Mandiant (Google) | No published designation or formal assessment for INC or Lynx as of May 2026 | Gap
Secureworks | No published designation or formal assessment for INC or Lynx as of May 2026 | Gap
Overall lineage assessment: The INC-to-Lynx relationship is best characterized as a code-lineage cluster with probable operator overlap, not definitively confirmed as a full rebrand by the same core team. The shared DLS email address (BlackBerry) and the 91% Linux code similarity (Blackpoint) are the two most operationally significant data points. Absent confirmed operator identification, the designation "successor with probable continuity" is more defensible than "confirmed rebrand."
LockBit Connection
Credible — single-source; no corroboration from Mandiant, CrowdStrike, or Secureworks

Blackpoint Cyber (Feb 2026) notes that Lynx modifications to the INC codebase "were likely influenced by the LockBit operation," suggesting affiliates or developers with prior LockBit experience contributed to the build. This claim is single-source and has not been independently corroborated by a major TI vendor. It is included as a CREDIBLE but unconfirmed cluster extension. [11]

03  Operational Model

RaaS Structure

INC operated with some RaaS characteristics but is more accurately described as a targeted operation with limited affiliate involvement. Public reporting on INC's internal structure is thin compared to Lynx. Lynx is consistently described as a structured RaaS with a full affiliate panel, formal onboarding, and tiered internal roles. Group-IB gained access to the Lynx affiliate panel and documented five functional sections: News (updates), Chats (negotiation management), Companies (victim management interface), Stuffers (sub-affiliate management), and Leaks (publication scheduling). [5][11]

Recruitment is conducted via the RAMP forum, where a user identified as "silencer" posted advertisements targeting experienced penetration testing teams. The operation is described by Blackpoint Cyber as a "tight, closed model RaaS" with strict affiliate vetting, distinguishing it from open-recruitment operations. [11]

Revenue Model
  • Affiliate share: 80% of ransom payment to affiliate
  • Core team share: 20%, retained by operators
  • Call center service: extra %; optional; increases per-incident payout to operators

The 80/20 split is consistent across ransomware.live and Blackpoint reporting and is considered credible; it has not been independently confirmed by Unit 42, Fortinet, or Group-IB in detail. The call center service offering adds a negotiation facilitation tier not present in INC's documented model, indicating operational investment by the core team. [2][11]

Affiliate Infrastructure

Lynx provides affiliates with a complete binary bundle covering Windows, Linux x64, Linux ARM, MIPS, and ESXi variants, enabling targeting of heterogeneous enterprise environments from a single affiliate relationship. The affiliate panel also distributes infrastructure mirror URLs through the News section to maintain operational continuity if primary domains are disrupted. [5][11]

Extortion Model and Negotiation Behavior

Both INC and Lynx use double extortion: data is exfiltrated prior to encryption, creating two independent pressure vectors. Lynx's DLS operates on a clear-web blog (lynxblog.net) and multiple Tor mirrors, a dual-surface approach that maximizes victim reputational exposure. Data publication follows a countdown timer model with proof-of-breach excerpts released progressively. [1][3][4][5]

Negotiation-specific details are limited in public reporting. Secondary write-ups reference high six-figure to eight-figure initial demands scaled to victim size, with significant discount offers (50% or more) as publication deadlines approach, consistent with the standard RaaS negotiation playbook. No systematic triple extortion (DDoS or direct customer harassment) has been documented for this group. [8][9]

Stated exclusion policy: Lynx publicly claims to avoid targeting government institutions, hospitals, and non-profit organizations. Rapid7 explicitly characterizes this as self-imposed risk management rather than ethics. The policy is analytically significant as an affiliate behavioral constraint, not as a reliable operational boundary. [4]
04  Technical Capabilities

Encryption Implementation
  • Algorithm: AES-128 in CTR mode for file content; Curve25519 Donna for asymmetric key encapsulation
  • File extension: .lynx appended to all encrypted files
  • Ransom note: README.txt dropped in each directory; Base64-encoded inside the binary before deployment
  • Wallpaper: Desktop wallpaper replaced to direct victims to the Tor negotiation portal
  • Printer delivery: Ransom note pushed to all identified networked printers via the StartDocPrinterW() API; a distinguishing behavior not common to most RaaS families
  • Shadow copy deletion: VssAdmin used to delete Volume Shadow Copies; VM snapshots deleted on ESXi via vim-cmd
  • Crypto assessment: No known design flaw; no public free decryptor exists as of May 2026 [6][1][3]
Platform Support
Platform | INC | Lynx | Notes
Windows | Yes | Yes | Primary; most-documented variant
Linux x64 | Yes | Yes | 91% code similarity between INC and Lynx Linux variants (Blackpoint, Feb 2026)
Linux ARM | Unknown | Yes | Documented in Blackpoint Feb 2026 affiliate bundle listing
Linux MIPS | Unknown | Yes | Documented in Blackpoint Feb 2026 affiliate bundle listing
ESXi | Yes | Yes | ESXi variant kills VMs, removes snapshots; significantly increases blast radius in virtualized environments

Note: Palo Alto Unit 42 (October 2024) stated no Linux samples had been confirmed for Lynx at that time. Blackpoint Cyber (February 2026) documents Linux and ESXi variants in the affiliate bundle. The Blackpoint assessment is more recent and is treated as the current ground truth.

Known Exploited Vulnerabilities
CVE | Description | Product | CVSS | Notes
CVE-2019-6693 | Hardcoded cryptographic key vulnerability | Fortinet FortiOS | 7.5 | Older vulnerability; may reflect persistent exposure in unpatched environments
CVE-2024-0769 | Path traversal vulnerability | D-Link DIR-859 Router | 9.8 | Critical; network device exploitation for initial access
CVE-2024-54085 | Authentication bypass vulnerability | AMI MegaRAC SPx (BMC firmware) | 10.0 | Critical; targets out-of-band management infrastructure; high-impact for enterprise environments

Source: Blackpoint Cyber, February 2026 [11]. No additional CVE-specific exploits have been confirmed by Unit 42, Fortinet, or other primary vendors beyond generic RaaS access vectors (phishing, credential abuse, RDP exploitation).

Execution and Runtime Options

Lynx provides affiliates with granular runtime control via command-line arguments, a feature improvement over INC's more limited configuration set. Documented arguments include: --file (single file), --dir (specific directory), --encrypt-network (network shares), --load-drives (hidden drives), --stop-processes, --hide-cmd, --no-background, and --kill. Fortinet and Nextron note this configurable architecture makes Lynx more operationally attractive to affiliates than INC was. [3][6][11]
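
The runtime arguments above, together with the shadow-copy deletion, vim-cmd snapshot removal, .lynx extension and README.txt note listed under Encryption Implementation, can be combined into host-level detection logic. The Python below is an added example, not taken from the cited vendor reports; the event field names, the sample events, the treatment of --file/--dir/--kill as generic and the three-directory threshold are assumptions.

```python
from collections import defaultdict

# Runtime arguments this page documents for the Lynx binary.
LYNX_ARGS = {"--file", "--dir", "--encrypt-network", "--load-drives",
             "--stop-processes", "--hide-cmd", "--no-background", "--kill"}
# Assumption: these three also appear in benign tools, so they only count
# when seen together with a more distinctive argument.
GENERIC_ARGS = {"--file", "--dir", "--kill"}
DIR_THRESHOLD = 3  # assumed: directories holding both README.txt and *.lynx


def split_path(path):
    """Return (directory, filename), lower-cased, for Windows or POSIX paths."""
    norm = path.replace("\\", "/").lower()
    directory, _, name = norm.rpartition("/")
    return directory, name


def process_indicators(image, cmdline):
    """Indicators raised by a single process-creation event."""
    _, exe = split_path(image)
    low = cmdline.lower()
    args = {tok.split("=", 1)[0] for tok in low.split()} & LYNX_ARGS
    hits = set()
    if len(args) >= 2 and args - GENERIC_ARGS:
        hits.add("lynx_runtime_args")
    if exe in ("vssadmin", "vssadmin.exe") and "delete" in low and "shadows" in low:
        hits.add("shadow_copy_deletion")
    # The page names vim-cmd but no subcommand, so the match stays generic.
    if exe == "vim-cmd" and "snapshot" in low and "remove" in low:
        hits.add("esxi_snapshot_removal")
    return hits


def triage(events):
    """Collect indicators per host and grade them: two or more kinds is high."""
    found = defaultdict(set)
    notes = defaultdict(set)      # host -> directories with a new README.txt
    encrypted = defaultdict(set)  # host -> directories with new *.lynx files
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            found[host] |= process_indicators(ev["image"], ev["cmdline"])
        elif ev["type"] == "file":
            directory, name = split_path(ev["path"])
            if name == "readme.txt":
                notes[host].add(directory)
            elif name.endswith(".lynx"):
                encrypted[host].add(directory)
    for host in set(notes) | set(encrypted):
        if len(notes[host] & encrypted[host]) >= DIR_THRESHOLD:
            found[host].add("note_and_lynx_extension")
    return {host: {"indicators": sorted(kinds),
                   "severity": "high" if len(kinds) >= 2 else "medium"}
            for host, kinds in found.items() if kinds}


# Constructed sample telemetry (hosts, paths and file names are invented).
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "type": "process", "image": r"C:\Users\Public\svc.exe",
     "cmdline": r"svc.exe --dir D:\Shares --encrypt-network --hide-cmd"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\HR\README.txt"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\HR\payroll.xlsx.lynx"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Ops\README.txt"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Ops\plan.docx.lynx"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\IT\README.txt"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\IT\hosts.csv.lynx"},
    # Benign look-alikes: generic arguments only, and a lone README.txt.
    {"host": "WS17", "type": "process", "image": r"C:\Tools\backup.exe",
     "cmdline": r"backup.exe --file report.docx --dir C:\Out"},
    {"host": "WS17", "type": "file", "path": r"C:\Src\project\README.txt"},
    {"host": "esx02", "type": "process", "image": "/bin/vim-cmd",
     "cmdline": "vim-cmd vmsvc/snapshot.removeall 12"},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict["severity"], verdict["indicators"])
```

Requiring two indicator kinds for a high severity keeps a lone vssadmin call or a single README.txt from paging anyone, while the combination of documented arguments, recovery inhibition and note-plus-extension activity on one host is escalated.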

Tool Inventory
Phase | Tools
Initial Access | Phishing (Microsoft OneNote weaponized attachments), compromised RDP/VPN credentials, CVE exploitation
Persistence | AnyDesk, ConnectWise ScreenConnect (RMM abuse), registry run keys, scheduled tasks
Lateral Movement | Impacket, NetExec, RDP, SMB share mounts, WMI, net utility
Discovery | SoftPerfect Network Scanner, nmap, nbtstat, nslookup, ipconfig, systeminfo, Task Manager
Credential Access | Mimikatz (LSASS memory dump)
Exfiltration | Restic backup tool (abused), temp.sh file hosting, Amazon S3 buckets
Defense Evasion | Windows Restart Manager API (unlock files for encryption), UAC bypass via explorer.exe, XOR string obfuscation, firewall rule modification
Impact | 7-zip (data staging), VssAdmin (shadow copy deletion), ransomware binary with embedded ransom note
CIS / Russian-Language Kill Switch
Credible — consistent across Fortinet, Nextron; specific code excerpts not fully published

Fortinet and Nextron both identify that Lynx (and INC) include system language/locale checks consistent with CIS exclusion behavior, meaning infected systems in Russia and neighboring CIS countries may be bypassed during encryption. This is a standard behavioral indicator of Russian-speaking criminal operations avoiding domestic victims. Detailed code excerpts confirming the exact check logic have not been published by primary vendors. [3][6]

Decryptor Availability
No public decryptor exists for INC or Lynx ransomware as of May 2026. The No More Ransom Project does not list either strain among available tools. Encryption using AES-128 CTR and Curve25519 Donna is assessed as correctly implemented with no publicly disclosed cryptographic flaw. Recovery without operator cooperation or a comprehensive backup strategy is not feasible. [6][1][3]
05  Financial Infrastructure

Payment Model

Public reporting identifies Bitcoin as the primary ransom payment currency for both INC and Lynx, consistent with mainstream RaaS practice. Secondary sources reference possible Monero support in negotiation chats; this is not confirmed by primary TI vendors and is treated as possible but unverified. [5][8]

On-Chain Analysis
Key intelligence gap: TRM Labs, Chainalysis, and Elliptic have not published named cluster attribution or wallet analysis for INC or Lynx as of May 2026. No specific wallet cluster IDs, OFAC-sanctioned addresses, or confirmed laundering path documentation has been released by blockchain forensics firms under this group's name. On-chain visibility for this cluster remains limited to open-source intelligence.

General behavior inferred from Group-IB and Darktrace reporting is consistent with standard RaaS laundering patterns: Bitcoin payments collected into operator-controlled addresses, rapid layering through nested transfers and mixing services, and consolidation via high-volume exchanges or OTC brokers. This characterization is an ANALYST INFERENCE from behavioral reporting and has not been confirmed by named wallet cluster data. [5][9]

Sanctions Status

No OFAC designations have been linked to INC, Lynx, or any suspected operator of either group as of May 2026. Unlike Conti-lineage groups (e.g., Trickbot infrastructure, Conti leadership), INC/Lynx does not appear on published US Treasury sanctions lists. No EU, UK, or other allied jurisdiction sanctions have been reported. [3][5]

06  Victim Profile and Targeting

Victim Volume Over Time
1. INC Phase (Aug 2023 to mid-2024): Targeted multiple organizations across 2023 to early 2024 in retail, real estate, architecture, financial services, and environmental services. Victim count is less standardized in public reporting than Lynx; the DLS was operational but less prominent.
2. Lynx Early Phase (Jul to Dec 2024): First samples observed July 2024. By September 2024, over 20 confirmed victims reported. Rapid7 and Nextron track early-phase activity.
3. Lynx Growth Phase (Jan to Aug 2025): Fortinet counted 96 victims on the DLS as of January 29, 2025. SOCRadar reported nearly 300 victims by August 2025. Victim posting pace is accelerating.
4. Lynx Current Phase (Sep 2025 to May 2026): Ransomware.live reports 410+ total victims as of May 10, 2026, with victims posted across 16+ countries. The operation shows no deceleration.
Sector Targeting
Sector | Relative Share | Source
Industrials / Manufacturing | Highest (46 incidents in 2025 per Blackpoint) | Fortinet, Darktrace, Blackpoint [3][9][11]
Construction and Engineering | Second highest (29 incidents in 2025 per Blackpoint) | Fortinet, Darktrace, Blackpoint [3][9][11]
Professional and Business Services | Significant (25 incidents in 2025 per Blackpoint) | Blackpoint [11]
Technology | Significant | Multiple vendors [1][9]
Finance and Insurance | Moderate | Darktrace, Blackpoint [9][11]
Transportation | Moderate (17 incidents in 2025 per Blackpoint) | Blackpoint [11]
Legal Services | Moderate (17 incidents in 2025 per Blackpoint) | Blackpoint [11]
Real Estate, Architecture, Environmental | Lower but consistent | Unit 42 [1]
Government / Healthcare / Non-profits | Claimed avoidance (not confirmed) | Stated policy; not operationally verified [4]
Geographic Distribution
  • United States: Over 60% of confirmed victims; dominant target country by a significant margin
  • United Kingdom and Canada: Approximately 8% each; second-tier target markets
  • Europe, Asia-Pacific, Australia, Germany: Additional confirmed victims; broader opportunistic spread
  • Russia and CIS: No confirmed victims; CIS locale check consistent with deliberate avoidance
Victim Size Profile

Lynx targets mid-market to enterprise organizations rather than very small businesses, consistent with Group-IB's characterization of affiliates pursuing "high-value corporate targets" and the observed seven-figure ransom demand range. MSPs have been identified as targets by Acronis TRU (August 2025), which describes MSPs as a priority target for both Akira and Lynx, suggesting deliberate supply-chain leverage through managed service access. [5][11][17]

07  Law Enforcement and Regulatory Response

Summary: As of May 2026, no arrests, indictments, infrastructure seizures, CISA or FBI advisories, or sanctions have been publicly linked to INC or Lynx. Both groups' infrastructure remains operational. Law enforcement focus has been concentrated on higher-profile groups (LockBit, Conti, ALPHV/BlackCat, RansomHub), leaving INC/Lynx largely uncontested.
Indictments and Arrests

No publicly known indictments or named individuals have been formally charged specifically for INC or Lynx operations. No US, UK, Europol, or other allied law enforcement agencies have announced actions targeting this group by name as of May 2026. [1][3][5]

Infrastructure Seizures

No coordinated infrastructure takedowns have been announced. The Lynx DLS (lynxblog.net and Tor mirrors) remains operational according to ransomware.live tracking as of May 2026. No seizure banners have been reported on any Lynx or INC infrastructure. [2][5]

Advisory Activity

No CISA, FBI, or allied government advisory has been issued specifically naming INC or Lynx as of May 2026. The absence of a dedicated advisory is consistent with the group's scale relative to headline operations: with 410 victims, Lynx has not yet reached the operational footprint that typically triggers a coordinated government advisory response (compare: LockBit advisory at 1,000+ victims; ALPHV advisory after healthcare-sector escalation). [1][3]

Sanctions

No OFAC sanctions are tied to INC, Lynx, or any suspected operator as of May 2026. No EU, UK OFSI, or other allied sanctions designations have been reported. Without identified operator names or sanctioned wallet addresses, organizations face no specific compliance obligation beyond general ransomware payment guidance. [3][5]

08  Attribution and State Nexus

Jurisdiction Assessment
Credible — converging indicators; no confirmed identity

Multiple independent indicators converge on a Russian-speaking criminal origin operating from CIS territory or similar safe havens:

  • CIS language/locale checks in the binary consistent with deliberate avoidance of domestic victims
  • Victim distribution heavily weighted toward the US, UK, Canada, and Western Europe; zero confirmed CIS victims
  • Affiliate recruitment and source code sale conducted via RAMP, a Russian-language cybercriminal forum
  • Underground chatter and operational communications consistent with Russian-speaking threat actors (inferred from Group-IB and Darktrace reporting)
Operator Tracking Designations
Vendor | Designation | Scope
Microsoft | Storm-2113 | Lynx operator group (confirmed per Blackpoint Feb 2026)
Trend Micro | Water Lalawag | Lynx operator group (confirmed per Blackpoint Feb 2026)
CrowdStrike | Not published | No formal designation for INC or Lynx as of May 2026
Mandiant (Google) | Not published | No formal designation for INC or Lynx as of May 2026
Secureworks | Not published | No formal designation for INC or Lynx as of May 2026
Named Individuals

No individual operators, developers, or affiliate managers have been publicly identified by name for INC or Lynx. The RAMP forum recruiter "silencer" is the only pseudonymous actor identified in open-source reporting, and that is a posting alias only with no identity attribution attached. [11]

Russian Intelligence Service (RIS) Nexus
Analyst Inference — no published vendor assessment of state nexus

No major vendor attributes INC or Lynx to Russian state intelligence services or any other state actor. The group is uniformly characterized as a financially motivated cybercriminal enterprise. There is no open-source evidence of direct state tasking, intelligence-sharing arrangements, or explicit safe-harbor agreements with FSB or SVR. The standard implicit tolerance extended to CIS-based criminal groups that avoid domestic victims applies here but does not constitute evidence of an active state relationship. The RIS nexus assessment is: Not established. Implicit tolerance only. [1][5][3]

09  Trajectory Assessment

Operational Tempo

Lynx's victim count growth is one of the more significant trajectories in the current ransomware landscape: from 20+ victims in September 2024, to 96 by January 2025, to nearly 300 by August 2025, to 410+ by May 2026. This represents a roughly 20x increase over approximately 10 months of Lynx operations. The growth curve suggests successful affiliate recruitment, operational scaling, and no meaningful law enforcement disruption. [2][3][4][11]

Capability Evolution

The INC-to-Lynx transition represents a deliberate capability improvement: more granular runtime control for affiliates, a broader multi-platform binary bundle (adding Linux ARM and MIPS), a structured affiliate panel, and a formalized negotiation infrastructure. Blackpoint Cyber's characterization of the Linux ESXi variant (91% code similarity, full VM kill and snapshot removal capability) indicates the group has invested in enterprise infrastructure targeting. [1][3][6][11]

The addition of a call center service for an extra fee is a notable differentiation from the INC model and from many peer RaaS operations, suggesting the core team is investing in operational support infrastructure to attract higher-quality affiliates. [11]

Rebranding Signals

No indicators of an imminent Lynx rebrand or operational wind-down have been identified as of May 2026. Victims continue to be posted on the DLS. The affiliate panel and infrastructure mirrors remain active. Underground chatter about payment disputes or affiliate grievances is mentioned in some reporting as low-confidence rumors but has not materialized into a public split or exit event. [2][5]

Connected Group Cluster
Relationship | Assessment | Confidence
INC (anchor) | Codebase origin; probable operator overlap; confirmed shared DLS email | CONFIRMED (code) / CREDIBLE (operator continuity)
LockBit influence | Lynx modifications to INC code assessed as LockBit-influenced; single-source Blackpoint claim | CREDIBLE (single-source; no corroboration from CrowdStrike, Mandiant, or Secureworks)
Unnamed RaaS ecosystems | Group-IB notes Lynx affiliates overlap with operators from other RaaS families; no specific groups named | CREDIBLE (non-specific; no group named)
Key Intelligence Gaps
  • No confirmed identification of core operators, developers, or RaaS administrators by real identity
  • No published blockchain cluster IDs or wallet attribution from TRM Labs, Chainalysis, or Elliptic
  • No confirmation of whether Lynx is operated by original INC personnel, a new crew that purchased the code, or a hybrid arrangement
  • No CrowdStrike, Mandiant, or Secureworks formal assessments; their silence on this group is itself analytically notable given its victim volume
  • No visibility into ransom payment totals or aggregate revenue for the cluster
  • Affiliate count and churn rate unknown
Overall Trajectory Indicator
Assessment: Expanding, uncontested operation. Lynx is on a sustained growth trajectory with no evidence of law enforcement disruption, no internal collapse signals, and an increasingly mature RaaS infrastructure. At current pace, Lynx is positioned to become one of the more prolific operations in the 2026 landscape. The primary disruption risk is a coordinated LE action analogous to Operation Cronos (LockBit), but no such operation has been signaled publicly. The MSP targeting posture identified by Acronis (August 2025) represents an escalating threat vector that could amplify impact across multiple downstream clients per compromise.


Sources

Primary Vendor Research
[1] Palo Alto Networks Unit 42 — "Lynx Ransomware: A Rebranding of INC Ransomware" (October 2024)
[2] Ransomware.live — Lynx group page (accessed May 2026)
[3] Fortinet FortiGuard Labs — "Ransomware Roundup: Lynx" (February 2025)
[6] Nextron Systems — "In-Depth Analysis of Lynx Ransomware" (October 2024)
[7] Malpedia (Fraunhofer FKIE) — Lynx (win.lynx) entry
[10] SOCRadar — "Dark Web Profile: Lynx Ransomware" (August 2025, updated April 2026)
[11] Blackpoint Cyber — "Lynx Ransomware Threat Profile" (February 2026)
[12] BlackBerry Research and Intelligence Team — "Lynx on the Prowl: Targeting SMBs with Double-Extortion Tactics" (October 2024)

Supplementary Research
[13] The DFIR Report — "Cat's Got Your Files: Lynx Ransomware" (November 2025)
[16] Acronis Threat Research Unit — "MSPs a top target for Akira and Lynx Ransomware" (August 2025)
[17] Broadcom Security Center — "Lynx Ransomware, established in 2024" (February 2025)