

Ethical Hacking News

Ransomware Evolution: The INC Lynx Saga




The emergence of a new variant of the infamous INC ransomware group has left cybersecurity researchers questioning its true intentions and motivations. This article delves into the details of the INC Lynx saga, exploring the reasons behind the rebranding and the implications for the cybersecurity landscape.



  • The INC ransomware group rebranded itself as Lynx, raising eyebrows among security researchers.
  • Lynx is an incarnation of INC, with its codebase being repurposed and reused to create a new variant.
  • There is a significant overlap of 70.8% in shared functions between INC and Lynx ransomware groups' codebases.
  • The developers of Lynx ransomware have likely borrowed and repurposed INC's codebase, a common practice among cybercriminals.
  • INC's source code was made available on cybercrime forums, potentially allowing for new iterations of the group to emerge.
  • Lynx claims not to target vital sectors like hospitals or governments, a stark contrast with INC's past behavior.
  • The implications of the INC Lynx saga highlight the importance of cybersecurity awareness and vigilance in the face of evolving threats.



    In the realm of cybersecurity, ransomware has long been a thorn in the side of organizations and individuals alike. This type of malicious software has evolved significantly over the years, with new variants emerging regularly. One notable example is the recent rebranding of the INC ransomware group to Lynx, a move that has raised eyebrows among security researchers. In this article, we will delve into the details of the INC Lynx saga, exploring the reasons behind the rebranding and the implications for the cybersecurity landscape.

    The story begins with the emergence of INC, a ransomware group that gained notoriety in October 2023 with high-profile attacks on the UK's Leicester City Council and NHS Scotland. While INC was never a market leader in terms of ransomware attacks, its recent exploits garnered significant attention due to their brazen nature. However, just over a year later, in July 2024, Lynx began to make waves in the cybersecurity community.

    According to researchers at Palo Alto's Unit 42, Lynx is essentially a reincarnation of INC, with the latter's codebase being repurposed and reused to create the new variant. This conclusion was reached after conducting a thorough analysis of both ransomware groups' codebases using BinDiff, which revealed a staggering 70.8 percent match in shared functions between INC and Lynx.

    This significant overlap in shared functions strongly suggests that the developers of Lynx ransomware have borrowed and repurposed a considerable portion of the INC codebase to create their own malicious software. This is not an isolated incident; reusing code between different ransomware families is a common practice among cybercriminals. By leveraging preexisting code and building upon the foundations laid by other successful ransomware, threat actors can save time and resources in the development of their own attacks.
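
    How a shared-function percentage of this kind can be computed, as an added example that is not from the original article or from Unit 42. It fingerprints each function by its mnemonic sequence, a much simpler stand-in for BinDiff's matching, and runs over constructed instruction listings with hypothetical function names.

```python
import hashlib
from collections import defaultdict

# Constructed listings with hypothetical names; not taken from INC or Lynx.
OLD_BUILD = {
    "sub_401000": ["push ebp", "mov ebp, esp", "call 0x401200", "pop ebp", "ret"],
    "sub_401200": ["xor eax, eax", "inc eax", "ret"],
    "sub_401300": ["mov ecx, 0x10", "dec ecx", "jnz 0x401305", "ret"],
    "sub_401400": ["push 0x0", "call 0x402000", "ret"],
    "sub_401500": ["mov eax, 0x1", "ret"],
}
NEW_BUILD = {
    "sub_501000": ["push ebp", "mov ebp, esp", "call 0x501400", "pop ebp", "ret"],
    "sub_501400": ["xor ecx, ecx", "inc ecx", "ret"],
    "sub_501500": ["mov edx, 0x20", "dec edx", "jnz 0x501505", "ret"],
    "sub_501600": ["push 0x1", "call 0x503000", "ret"],
    "sub_501700": ["lea ecx, [ebx+0x20]", "call 0x504000", "test eax, eax", "ret"],
    "sub_501800": ["sub esp, 0x28", "call 0x505000", "add esp, 0x28", "ret"],
}

def fingerprint(instructions):
    """Hash only the mnemonic sequence, so relocated addresses, different
    registers and changed constants do not break a match."""
    mnemonics = [ins.split()[0].lower() for ins in instructions if ins.strip()]
    return hashlib.sha256(" ".join(mnemonics).encode()).hexdigest()

def match_functions(primary, secondary):
    """Pair functions with identical fingerprints, one-to-one."""
    buckets = defaultdict(list)
    for name, body in sorted(secondary.items()):
        buckets[fingerprint(body)].append(name)
    pairs = []
    for name, body in sorted(primary.items()):
        candidates = buckets.get(fingerprint(body))
        if candidates:  # each secondary function is consumed at most once
            pairs.append((name, candidates.pop(0)))
    return pairs

def shared_ratio(primary, secondary):
    """Fraction of primary's functions that have a match in secondary."""
    if not primary:
        return 0.0
    return len(match_functions(primary, secondary)) / len(primary)

if __name__ == "__main__":
    print(f"old -> new: {shared_ratio(OLD_BUILD, NEW_BUILD):.1%}")
    print(f"new -> old: {shared_ratio(NEW_BUILD, OLD_BUILD):.1%}")
```

    The same four matched functions give a different percentage depending on which sample is the denominator, so a shared-function figure is only comparable when the reference binary is stated.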

    The researchers at Unit 42 also observed that INC's source code was made available on cybercrime forums from March this year, so it is theoretically possible that new iterations of the INC group could emerge. However, the similarities between Lynx and INC's leak sites suggest that there may be a single entity behind both operations. Both websites have clear web presences, with TOR and regular leak sites, and display noticeable similarities in terms of layout and design.

    Furthermore, the statement posted on Lynx's blog claims that it refuses to target vital sectors such as hospitals, governments, or non-profit organizations "as these sectors play a vital role in society." This stance contrasts starkly with INC's past behavior, which included high-profile attacks on healthcare institutions. While it remains unclear whether this is an attempt by the Lynx group to rebrand itself as more benevolent, the similarities between their leak sites and the tone of their statement suggest that there may be more to this story than meets the eye.

    The implications of the INC Lynx saga extend beyond the realm of individual organizations. The reuse of code between ransomware groups highlights the importance of cybersecurity awareness and the need for organizations to stay vigilant in the face of evolving threats. As ransomware continues to plague the world of cybersecurity, it is essential that we remain attuned to the tactics, techniques, and procedures (TTPs) employed by these malicious actors.

    In conclusion, the rebranding of INC ransomware as Lynx marks a new chapter in the evolution of this type of malicious software. While the exact motivations behind this move remain unclear, it is evident that the reuse of code between different ransomware groups will continue to be a threat in the cybersecurity landscape.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/10/11/inc_ransomware_lynx/


  • Published: Fri Oct 11 18:16:04 2024 by llama3.2 3B Q4_K_M













         

