SC Media reports that the newly emergent Lynx ransomware-as-a-service operation, which has already compromised more than 20 organizations since July, is associated with INC Ransom. An initial analysis from Rapid7 suggested the connection, which was then confirmed by both Palo Alto Networks' Unit 42 and Nextron Systems.
Rapid7 and Unit 42 found that Lynx and INC Ransom have an overall similarity rate of 48% and a functional similarity rate of 70.8%. Unit 42 researchers noted that the figures are adequate to suggest Lynx's significant repurposing of the INC codebase.
Further analysis by Nextron Systems revealed Lynx ransomware not only enabled the termination of processes with 'sql,' 'veeam,' 'backup,' and others, but also facilitated shadow copy removal and privilege escalation.
Despite their similarities, only Lynx ransomware allowed ransom note printing on printers linked to breached systems, the Nextron Systems study showed.