Executive Summary and Group Overview
INC and Lynx represent two sequential phases of a single criminal cluster. INC ransomware emerged in August 2023 as a targeted, double-extortion operation. By early 2024, INC's source code was offered for sale on underground forums. Lynx appeared in July 2024 exhibiting substantial code overlap with INC and rapidly expanded into a structured Ransomware-as-a-Service (RaaS) program with a formal affiliate panel, tiered roles, and an 80/20 revenue split. By May 2026, Lynx had listed over 410 victims across 16+ countries, with the United States accounting for more than 60% of known targets.
The prevailing vendor assessment is that Lynx is a rebrand or successor of INC, grounded in documented code similarity, overlapping email infrastructure, and the timing of INC's source code sale. One credible vendor (Rapid7) adopts a more cautious stance, treating the overlap as consistent with source-code acquisition rather than proof of identical operator continuity. No CrowdStrike, Mandiant, or Secureworks formal designations have been published for either INC or Lynx as of May 2026. Microsoft tracks the Lynx operator group as Storm-2113; Trend Micro tracks it as Water Lalawag.
| Attribute | INC (Phase 1) | Lynx (Phase 2) |
|---|---|---|
| Active period | Aug 2023 to early 2024 | Jul 2024 to present |
| Operational model | Targeted operation; some RaaS elements | Structured RaaS with affiliate panel, tiered roles |
| Extortion model | Double extortion | Double extortion |
| Platforms | Windows, ESXi/Linux | Windows, Linux x64, ARM, MIPS, ESXi |
| Encryption | AES + Curve25519 (shared with Lynx) | AES-128 CTR + Curve25519 Donna |
| Microsoft tracking | Not published | Storm-2113 |
| Trend Micro tracking | Not published | Water Lalawag |
| CrowdStrike tracking | Not published | Not published |
| Mandiant tracking | Not published | Not published |
| Secureworks tracking | Not published | Not published |
| Assessed jurisdiction | Russian-speaking, likely CIS-based (CREDIBLE) | |
| LE disruption status | None confirmed as of May 2026 | |
| Sanctions | None; no OFAC designations | |
| Decryptor available | No public decryptor | |
Lineage and Organizational Heritage
The weight of vendor reporting treats Lynx as a successor to or rebrand of INC, grounded primarily in technical code overlap and the timing of INC's source-code sale. The principal unresolved question is whether the same operators migrated to Lynx or whether a separate crew purchased the codebase and established a new operation. BlackBerry's identification of a shared email address in both groups' DLS registration data is the strongest indicator of operator continuity beyond code reuse.
| Vendor | Position | Confidence |
|---|---|---|
| Palo Alto Networks Unit 42 | Lynx is "a rebranding of INC ransomware"; article title is the formal assessment | High (code analysis + timeline) |
| Fortinet FortiGuard Labs | Lynx is the "successor" to INC; same encryption methods and behavioral traits | High (code + behavior) |
| Ransomware.live | Explicitly tags Lynx as "a rebrand of INC Ransomware" | Moderate (tracking site, not primary vendor) |
| Nextron Systems / Malpedia | Lynx "likely used INC source code"; close similarity acknowledged | High (malware analysis) |
| BlackBerry | Shared DLS admin email; code similarity | High (specific IOC corroboration) |
| Blackpoint Cyber | Lynx "functionally nearly identical to INC Ransom"; notes LockBit-influenced modifications | High (Feb 2026, most recent formal assessment) |
| Rapid7 | Strong overlaps but "not sufficient to fully prove Lynx was derived from INC's source"; treats as lineage-linked but distinct | Cautious (code overlap alone, no operator confirmation) |
| Group-IB | Describes Lynx as a distinct but structured RaaS; affiliate overlap with other ecosystems noted but unnamed groups not specified | Moderate (operational focus rather than attribution) |
| CrowdStrike | No published designation or formal assessment for INC or Lynx as of May 2026 | Gap |
| Mandiant (Google) | No published designation or formal assessment for INC or Lynx as of May 2026 | Gap |
| Secureworks | No published designation or formal assessment for INC or Lynx as of May 2026 | Gap |
Blackpoint Cyber (Feb 2026) notes that Lynx modifications to the INC codebase "were likely influenced by the LockBit operation," suggesting affiliates or developers with prior LockBit experience contributed to the build. This claim is single-source and has not been independently corroborated by a major TI vendor. It is included as a CREDIBLE but unconfirmed cluster extension. [11]
Operational Model
INC operated with some RaaS characteristics but is more accurately described as a targeted operation with limited affiliate involvement. Public reporting on INC's internal structure is thin compared to Lynx. Lynx is consistently described as a structured RaaS with a full affiliate panel, formal onboarding, and tiered internal roles. Group-IB gained access to the Lynx affiliate panel and documented five functional sections: News (updates), Chats (negotiation management), Companies (victim management interface), Stuffers (sub-affiliate management), and Leaks (publication scheduling). [5][11]
Recruitment is conducted via the RAMP forum, where a user identified as "silencer" posted advertisements targeting experienced penetration testing teams. The operation is described by Blackpoint Cyber as a "tight, closed model RaaS" with strict affiliate vetting, distinguishing it from open-recruitment operations. [11]
The 80/20 split is consistent across ransomware.live and Blackpoint reporting and is considered credible; it has not been independently confirmed by Unit 42, Fortinet, or Group-IB in detail. The call center service offering adds a negotiation facilitation tier not present in INC's documented model, indicating operational investment by the core team. [2][11]
Lynx provides affiliates with a complete binary bundle covering Windows, Linux x64, Linux ARM, MIPS, and ESXi variants, enabling targeting of heterogeneous enterprise environments from a single affiliate relationship. The affiliate panel also distributes infrastructure mirror URLs through the News section to maintain operational continuity if primary domains are disrupted. [5][11]
Both INC and Lynx use double extortion: data is exfiltrated prior to encryption, creating two independent pressure vectors. Lynx's DLS operates on a clear-web blog (lynxblog.net) and multiple Tor mirrors, a dual-surface approach that maximizes victim reputational exposure. Data publication follows a countdown timer model with proof-of-breach excerpts released progressively. [1][3][4][5]
Negotiation-specific details are limited in public reporting. Secondary write-ups reference high-six to eight-figure initial demands scaled to victim size, with significant discount offers (50% or more) as publication deadlines approach, consistent with the standard RaaS negotiation playbook. No systematic triple extortion (DDoS or direct customer harassment) has been documented for this group. [8][9]
Technical Capabilities
- Algorithm: AES-128 in CTR mode for file content; Curve25519 Donna for asymmetric key encapsulation
- File extension: .lynx appended to all encrypted files
- Ransom note: README.txt dropped in each directory; Base64-encoded inside the binary before deployment
- Wallpaper: Desktop wallpaper replaced to direct victims to the Tor negotiation portal
- Printer delivery: Ransom note pushed to all identified networked printers via the StartDocPrinterW() API; a distinguishing behavior not common to most RaaS families
- Shadow copy deletion: VssAdmin used to delete Volume Shadow Copies; VM snapshots deleted on ESXi via vim-cmd
- Crypto assessment: No known design flaw; no public free decryptor exists as of May 2026 [6][1][3]
| Platform | INC | Lynx | Notes |
|---|---|---|---|
| Windows | Yes | Yes | Primary; most-documented variant |
| Linux x64 | Yes | Yes | 91% code similarity between INC and Lynx Linux variants (Blackpoint, Feb 2026) |
| Linux ARM | Unknown | Yes | Documented in Blackpoint Feb 2026 affiliate bundle listing |
| Linux MIPS | Unknown | Yes | Documented in Blackpoint Feb 2026 affiliate bundle listing |
| ESXi | Yes | Yes | ESXi variant kills VMs, removes snapshots; significantly increases blast radius in virtualized environments |
Note: Palo Alto Unit 42 (October 2024) stated no Linux samples had been confirmed for Lynx at that time. Blackpoint Cyber (February 2026) documents Linux and ESXi variants in the affiliate bundle. The Blackpoint assessment is more recent and is treated as the current ground truth.
| CVE | Description | Product | CVSS | Notes |
|---|---|---|---|---|
| CVE-2019-6693 | Hardcoded cryptographic key vulnerability | Fortinet FortiOS | 7.5 | Older vulnerability; may reflect persistent exposure in unpatched environments |
| CVE-2024-0769 | Path traversal vulnerability | D-Link DIR-859 Router | 9.8 | Critical; network device exploitation for initial access |
| CVE-2024-54085 | Authentication bypass vulnerability | AMI MegaRAC SPx (BMC firmware) | 10.0 | Critical; targets out-of-band management infrastructure; high-impact for enterprise environments |
Source: Blackpoint Cyber, February 2026 [11]. No additional CVE-specific exploits have been confirmed by Unit 42, Fortinet, or other primary vendors beyond generic RaaS access vectors (phishing, credential abuse, RDP exploitation).
Lynx provides affiliates with granular runtime control via command-line arguments, a feature improvement over INC's more limited configuration set. Documented arguments include: --file (single file), --dir (specific directory), --encrypt-network (network shares), --load-drives (hidden drives), --stop-processes, --hide-cmd, --no-background, and --kill. Fortinet and Nextron note this configurable architecture makes Lynx more operationally attractive to affiliates than INC was. [3][6][11]
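The behaviors listed above (the .lynx extension and README.txt note, VssAdmin shadow-copy deletion, vim-cmd snapshot removal on ESXi, and the documented affiliate command-line flags) are the parts of this profile a detection engineer can act on directly. The following is an added example of host-level triage logic that correlates those indicators over process and file events; it is not code from the page's sources or from any vendor. The event schema, the sample events, and the exact vssadmin and vim-cmd command syntax are assumptions, since the text names only the tools.

```python
import re
from collections import defaultdict

# Runtime flags documented for the Lynx affiliate binary in the text above.
LYNX_FLAGS = {"--encrypt-network", "--load-drives", "--stop-processes",
              "--hide-cmd", "--no-background", "--kill"}
GENERIC_FLAGS = {"--file", "--dir"}  # also documented, but too common alone
# The page names vssadmin and vim-cmd; the exact command forms are assumed.
RE_VSSADMIN = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RE_VIMCMD = re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.remove", re.I)
STRONG = {"shadow_copy_deletion", "esxi_snapshot_removal", "lynx_cli_flags"}

def tag_process(cmdline):
    """Indicator tags for one process-creation command line."""
    tags = []
    if RE_VSSADMIN.search(cmdline):
        tags.append("shadow_copy_deletion")
    if RE_VIMCMD.search(cmdline):
        tags.append("esxi_snapshot_removal")
    tokens = set(cmdline.split())
    specific = tokens & LYNX_FLAGS
    # Require two Lynx-specific flags, or one plus --file/--dir, to limit noise.
    if len(specific) >= 2 or (specific and tokens & GENERIC_FLAGS):
        tags.append("lynx_cli_flags")
    return tags

def tag_file(path):
    """Indicator tags for one file write/rename event."""
    name = re.split(r"[\\/]", path)[-1].lower()
    tags = []
    if name.endswith(".lynx"):
        tags.append("lynx_extension")
    if name == "readme.txt":
        tags.append("ransom_note_candidate")  # weak alone; correlated below
    return tags

def triage(events, min_lynx_files=5):
    """Correlate (kind, host, value) events per host -> {host: (severity, tags)}."""
    tags, lynx_files = defaultdict(set), defaultdict(int)
    for kind, host, value in events:
        t = tag_process(value) if kind == "process" else tag_file(value)
        lynx_files[host] += "lynx_extension" in t
        tags[host].update(t)
    out = {}
    for host, ts in tags.items():
        sev = ("high" if ts & STRONG or lynx_files[host] >= min_lynx_files
               else "medium" if "lynx_extension" in ts else "low")
        out[host] = (sev, sorted(ts))
    return out

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ("process", "ws01", r"C:\Users\Public\w.exe --encrypt-network --load-drives --stop-processes"),
    ("process", "ws01", "vssadmin.exe delete shadows /all /quiet"),
    ("file", "ws01", r"C:\Finance\Q3.xlsx.lynx"),
    ("file", "ws01", r"C:\Finance\README.txt"),
    ("process", "esx01", "vim-cmd vmsvc/snapshot.removeall 12"),
    ("file", "ws02", r"C:\Docs\README.txt"),
]

if __name__ == "__main__":
    for host, (sev, ts) in triage(SAMPLE_EVENTS).items():
        print(host, sev, ts)
```

A lone README.txt stays at low severity by design; it only becomes meaningful next to the .lynx extension or one of the strong process indicators on the same host.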
| Phase | Tools |
|---|---|
| Initial Access | Phishing (Microsoft OneNote weaponized attachments), compromised RDP/VPN credentials, CVE exploitation |
| Persistence | AnyDesk, ConnectWise ScreenConnect (RMM abuse), registry run keys, scheduled tasks |
| Lateral Movement | Impacket, NetExec, RDP, SMB share mounts, WMI, net utility |
| Discovery | SoftPerfect Network Scanner, nmap, nbtstat, nslookup, ipconfig, systeminfo, Task Manager |
| Credential Access | Mimikatz (LSASS memory dump) |
| Exfiltration | Restic backup tool (abused), temp.sh file hosting, Amazon S3 buckets |
| Defense Evasion | Windows Restart Manager API (unlock files for encryption), UAC bypass via explorer.exe, XOR string obfuscation, firewall rule modification |
| Impact | 7-zip (data staging), VssAdmin (shadow copy deletion), ransomware binary with embedded ransom note |
Fortinet and Nextron both report that Lynx (and INC) include system language/locale checks consistent with CIS exclusion behavior, meaning infected systems in Russia and neighboring CIS countries may be skipped during encryption. This is a standard behavioral indicator of Russian-speaking criminal operations avoiding domestic victims. Detailed code excerpts confirming the exact check logic have not been published by primary vendors. [3][6]
Financial Infrastructure
Public reporting identifies Bitcoin as the primary ransom payment currency for both INC and Lynx, consistent with mainstream RaaS practice. Secondary sources reference possible Monero support in negotiation chats; this is not confirmed by primary TI vendors and is treated as possible but unverified. [5][8]
General behavior inferred from Group-IB and Darktrace reporting is consistent with standard RaaS laundering patterns: Bitcoin payments collected into operator-controlled addresses, rapid layering through nested transfers and mixing services, and consolidation via high-volume exchanges or OTC brokers. This characterization is an ANALYST INFERENCE from behavioral reporting and has not been confirmed by named wallet cluster data. [5][9]
No OFAC designations have been linked to INC, Lynx, or any suspected operator of either group as of May 2026. Unlike Conti-lineage groups (e.g., Trickbot infrastructure, Conti leadership), INC/Lynx does not appear on published US Treasury sanctions lists. No EU, UK, or other allied jurisdiction sanctions have been reported. [3][5]
Victim Profile and Targeting
| Sector | Relative Share | Source |
|---|---|---|
| Industrials / Manufacturing | Highest (46 incidents in 2025 per Blackpoint) | Fortinet, Darktrace, Blackpoint [3][9][11] |
| Construction and Engineering | Second highest (29 incidents in 2025 per Blackpoint) | Fortinet, Darktrace, Blackpoint [3][9][11] |
| Professional and Business Services | Significant (25 incidents in 2025 per Blackpoint) | Blackpoint [11] |
| Technology | Significant | Multiple vendors [1][9] |
| Finance and Insurance | Moderate | Darktrace, Blackpoint [9][11] |
| Transportation | Moderate (17 incidents in 2025 per Blackpoint) | Blackpoint [11] |
| Legal Services | Moderate (17 incidents in 2025 per Blackpoint) | Blackpoint [11] |
| Real Estate, Architecture, Environmental | Lower but consistent | Unit 42 [1] |
| Government / Healthcare / Non-profits | Claimed avoidance (not confirmed) | Stated policy; not operationally verified [4] |
- United States: Over 60% of confirmed victims; dominant target country by a significant margin
- United Kingdom and Canada: Approximately 8% each; second-tier target markets
- Europe, Asia-Pacific, Australia, Germany: Additional confirmed victims; broader opportunistic spread
- Russia and CIS: No confirmed victims; CIS locale check consistent with deliberate avoidance
Lynx targets mid-market to enterprise organizations rather than very small businesses, consistent with Group-IB's characterization of affiliates pursuing "high-value corporate targets" and the observed seven-figure ransom demand range. MSPs have been identified as targets by Acronis TRU (August 2025), which describes MSPs as a priority target for both Akira and Lynx, suggesting deliberate supply-chain leverage through managed service access. [5][11][17]
Law Enforcement and Regulatory Response
No publicly known indictments or named individuals have been formally charged specifically for INC or Lynx operations. No US, UK, Europol, or other allied law enforcement agencies have announced actions targeting this group by name as of May 2026. [1][3][5]
No coordinated infrastructure takedowns have been announced. The Lynx DLS (lynxblog.net and Tor mirrors) remains operational according to ransomware.live tracking as of May 2026. No seizure banners have been reported on any Lynx or INC infrastructure. [2][5]
No CISA, FBI, or allied government advisory has been issued specifically naming INC or Lynx as of May 2026. The absence of a dedicated advisory is consistent with the group's scale relative to headline operations: with 410 victims, Lynx has not yet reached the operational footprint that typically triggers a coordinated government advisory response (compare: LockBit advisory at 1,000+ victims; ALPHV advisory after healthcare-sector escalation). [1][3]
No OFAC sanctions are tied to INC, Lynx, or any suspected operator as of May 2026. No EU, UK OFSI, or other allied sanctions designations have been reported. Without identified operator names or sanctioned wallet addresses, organizations face no specific compliance obligation beyond general ransomware payment guidance. [3][5]
Attribution and State Nexus
Multiple independent indicators converge on a Russian-speaking criminal origin operating from CIS territory or similar safe havens:
- CIS language/locale checks in the binary consistent with deliberate avoidance of domestic victims
- Victim distribution heavily weighted toward the US, UK, Canada, and Western Europe; zero confirmed CIS victims
- Affiliate recruitment and source code sale conducted via RAMP, a Russian-language cybercriminal forum
- Underground chatter and operational communications consistent with Russian-speaking threat actors (inferred from Group-IB and Darktrace reporting)
| Vendor | Designation | Scope |
|---|---|---|
| Microsoft | Storm-2113 | Lynx operator group (confirmed per Blackpoint Feb 2026) |
| Trend Micro | Water Lalawag | Lynx operator group (confirmed per Blackpoint Feb 2026) |
| CrowdStrike | Not published | No formal designation for INC or Lynx as of May 2026 |
| Mandiant (Google) | Not published | No formal designation for INC or Lynx as of May 2026 |
| Secureworks | Not published | No formal designation for INC or Lynx as of May 2026 |
No individual operators, developers, or affiliate managers have been publicly identified by name for INC or Lynx. The RAMP forum recruiter "silencer" is the only pseudonymous actor identified in open-source reporting, and that is a posting alias only with no identity attribution attached. [11]
No major vendor attributes INC or Lynx to Russian state intelligence services or any other state actor. The group is uniformly characterized as a financially motivated cybercriminal enterprise. There is no open-source evidence of direct state tasking, intelligence-sharing arrangements, or explicit safe-harbor agreements with the FSB or SVR. The standard implicit tolerance extended to CIS-based criminal groups that avoid domestic victims applies here but does not constitute evidence of an active state relationship. The RIS nexus assessment is: Not established. Implicit tolerance only. [1][5][3]
Trajectory Assessment
Lynx's victim count growth is one of the more significant trajectories in the current ransomware landscape: from 20+ victims in September 2024, to 96 by January 2025, to nearly 300 by August 2025, to 410+ by May 2026. This represents a roughly 20x increase over approximately 10 months of Lynx operations. The growth curve suggests successful affiliate recruitment, operational scaling, and no meaningful law enforcement disruption. [2][3][4][11]
The INC-to-Lynx transition represents a deliberate capability improvement: more granular runtime control for affiliates, a broader multi-platform binary bundle (adding Linux ARM and MIPS), a structured affiliate panel, and a formalized negotiation infrastructure. Blackpoint Cyber's characterization of the Linux ESXi variant (91% code similarity, full VM kill and snapshot removal capability) indicates the group has invested in enterprise infrastructure targeting. [1][3][6][11]
The addition of a call center service for an extra fee is a notable differentiation from the INC model and from many peer RaaS operations, suggesting the core team is investing in operational support infrastructure to attract higher-quality affiliates. [11]
No indicators of an imminent Lynx rebrand or operational wind-down have been identified as of May 2026. Victims continue to be posted on the DLS. The affiliate panel and infrastructure mirrors remain active. Underground chatter about payment disputes or affiliate grievances is mentioned in some reporting as low-confidence rumors but has not materialized into a public split or exit event. [2][5]
| Relationship | Assessment | Confidence |
|---|---|---|
| INC (anchor) | Codebase origin; probable operator overlap; confirmed shared DLS email | CONFIRMED (code) / CREDIBLE (operator continuity) |
| LockBit influence | Lynx modifications to INC code assessed as LockBit-influenced; single-source Blackpoint claim | CREDIBLE (single-source; no corroboration from CrowdStrike, Mandiant, or Secureworks) |
| Unnamed RaaS ecosystems | Group-IB notes Lynx affiliates overlap with operators from other RaaS families; no specific groups named | CREDIBLE (non-specific; no group named) |
- No confirmed identification of core operators, developers, or RaaS administrators by real identity
- No published blockchain cluster IDs or wallet attribution from TRM Labs, Chainalysis, or Elliptic
- No confirmation of whether Lynx is operated by original INC personnel, a new crew that purchased the code, or a hybrid arrangement
- No CrowdStrike, Mandiant, or Secureworks formal assessments; their silence on this group is itself analytically notable given its victim volume
- No visibility into ransom payment totals or aggregate revenue for the cluster
- Affiliate count and churn rate unknown