Threat Group Profile
lynx
โ Active โ last 30 days
Victim claims
16
First seen
Mar 2026
Last activity
18 Jun 2026
Tracked since
โ
Group overview
Lynx is a ransomware-as-a-service operation that emerged in mid-2024 as a rebrand of INC Ransomware (whose source code was sold for $300,000 on the RAMP forum), claiming ~300 victims across manufacturing, business services, technology, and transportation with an 80/20 profit split for affiliates.
Preferred targets
Healthcare ยท 3
Construction ยท 2
Consumer Services ยท 2
Manufacturing ยท 2
Technology ยท 2
Business Services ยท 1
Most targeted countries
US ยท 8
GB ยท 3
TW ยท 1
ES ยท 1
DE ยท 1
IN ยท 1
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Phishing: Spearphishing Attachment
Execution
Command and Scripting Interpreter: PowerShell
Defense Evasion
Masquerading
Disable or Modify Tools
Credential Access
OS Credential Dumping: LSASS Memory
Discovery
Query Registry
System Information Discovery
Lateral Movement
Remote Services: Remote Desktop Protocol
Exfiltration
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Command and Control
Application Layer Protocol: Web Protocols