Lynx
Lynx is a ransomware-as-a-service (RaaS) group first observed in mid-2024 that operates a double-extortion model, combining data exfiltration with file encryption and leak-site pressure. Reporting in the provided content describes Lynx as likely Russia-linked and notes that it has advertised for affiliates on Russian-language underground forums while claiming to target the private sector. In its own leak-site messaging the group claims to avoid government institutions, hospitals, and non-profits, although the content separately links Lynx to a 2026 healthcare-sector intrusion targeting a provider organization.

The content links Lynx closely to the INC ransomware family. Multiple sources state that INC source code was sold in 2024 and that Lynx and Sinobi are believed to use related strains derived from INC malware. Additional reporting says Lynx shares 48% of its source code with INC, and blockchain/on-chain analysis identified links between INC and Lynx through similar laundering behavior. The content also states that Sinobi is suspected to be a rebrand or successor of Lynx, and separately notes claims that Lynx rebranded as Sinobi.

Lynx has been associated with common ransomware intrusion patterns rather than novel tradecraft. The content places Lynx among ransomware families observed following an EDR-killer stage, specifically a sequence of HeartCrypt-packed dropper, then EDR killer and malicious driver, then ransomware execution. In one Sophos-reported intrusion, infrastructure tied to QDoor activity was documented both in a BlackSuit case and in a Lynx ransomware attack. More broadly, the content describes Lynx as capable of stealing sensitive information, encrypting victim data, appending the .lynx extension, and deleting shadow copies or backups to hinder recovery.

Victimology in the provided content spans multiple sectors and geographies. Lynx has targeted organizations in the US, UK, Australia, Japan, Thailand, and Romania, with sectors including retail, real estate, architecture, financial services, environmental services, communications, petrochemicals, and energy/oil and gas. Specific examples mentioned include Brown and Hurley in Australia, Regis Resources, St Joseph's College Echuca, and a reported attack on multiple US facilities between July and November 2024. The content also notes that Lynx was among the most active groups claiming attacks on leak sites in 2025, was the second most active ransomware group affecting Japan in 2025 behind Qilin, and was one of the most active ransomware brands globally in 2025.

Known aliases and related names directly mentioned in the content include Lynx and Sinobi. The content repeatedly characterizes Sinobi as a rebrand or close relative of Lynx, and Lynx itself as having evolved from or heavily reused INC ransomware code.
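The two recovery-inhibition behaviours the profile attributes to Lynx, shadow-copy deletion and mass renaming to the .lynx extension, are the kind of endpoint telemetry a defender can alert on. The following detector is an added example, not code from the page or from any vendor; the event format, command patterns and rename threshold are assumptions, and the telemetry is constructed.

```python
import re
from collections import Counter

# Constructed sample endpoint telemetry (not from the page): simplified
# process-creation and file-write events keyed by host.
EVENTS = [
    {"type": "process", "host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "cmd": "wbadmin delete catalog -quiet"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\a\Documents\q3.xlsx.lynx"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\a\Documents\plan.docx.lynx"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\a\Pictures\img1.jpg.lynx"},
    {"type": "file", "host": "ws02", "path": r"C:\Users\b\notes.txt"},
    {"type": "process", "host": "ws02", "cmd": "vssadmin.exe list shadows"},
]

# Common Windows commands used to delete shadow copies / backup catalogs
# (MITRE ATT&CK T1490, Inhibit System Recovery). Pattern set is an assumption.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)
RANSOM_EXT = ".lynx"   # extension the profile attributes to Lynx
RENAME_THRESHOLD = 3   # assumed: this many .lynx writes on one host is suspicious


def detect(events, threshold=RENAME_THRESHOLD):
    """Return {host: [alert, ...]} for hosts showing either behaviour."""
    alerts = {}
    ext_counts = Counter()
    for ev in events:
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmd"]):
            alerts.setdefault(ev["host"], []).append("shadow_copy_deletion: " + ev["cmd"])
        elif ev["type"] == "file" and ev["path"].lower().endswith(RANSOM_EXT):
            ext_counts[ev["host"]] += 1
    # A burst of encrypted-extension writes is the file-level signal.
    for host, n in ext_counts.items():
        if n >= threshold:
            alerts.setdefault(host, []).append(f"lynx_extension_burst: {n} files")
    return alerts


if __name__ == "__main__":
    for host, items in detect(EVENTS).items():
        print(host, items)
```

Read-only commands such as `vssadmin list shadows` do not match, so ordinary administration on ws02 stays quiet while ws01 raises both signals.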
Tradecraft
31 distinct techniques observed across reporting, grouped by tactic.
Observables
14 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as a ransomware actor thought to use strains of INC's malware after INC source code was sold to third parties.
Named as one of the groups that absorbed affiliates after the Black Basta collapse.
Ransomware operations against healthcare providers using double extortion with encryption and data exfiltration.
Named as the group claiming responsibility for a May 2025 data breach affecting a US law firm.