Lynx Ransomware Pouncing on Utilities

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team

Published December 10, 2024


Between 2022 and 2024, ransomware cyber threat actors (CTAs) ramped up their attacks against utilities due to the higher likelihood that they will pay ransoms. Due to the surge in activity driven by Lynx and the unique challenges the utilities sector faces, including facilities running outdated software and hardware, impacted organizations in the utilities sector may face lengthy downtimes while attempting to recover from ransomware attacks.

The Lynx ransomware group targeted multiple facilities across the United States, including multiple claimed victims associated with energy, oil, and gas between July 2024 and November 2024. Organizations operating in this sector should review their cybersecurity controls and confirm they are not using default passwords or running unsupported hardware and software, as easily exploited vulnerabilities present an opportunity for cybercriminals.

The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team recommends utility entities implement a defense-in-depth cybersecurity framework like the CIS Critical Security Controls (CIS Controls) to strengthen their defense posture against the evolving ransomware threat environment.

Utilities Offer Appealing Ransomware Targets

Ransomware attacks in 2024 had an outsized impact on utility sector victims. Sophos, a cybersecurity company, notes this is due to increasingly complex and severe attacks along with a lack of incident response preparations. According to Sophos, more than half of energy, oil, and gas utilities that experienced a ransomware attack took more than a month to recover, which is up 19% from 2022 to 2024.[i] Industrial Control Systems (ICS), Operational Technology (OT), and Supervisory Control and Data Acquisition (SCADA) systems are complex and pose unique recovery challenges for ransomware attacks. These challenges have led some utility sector victims to pay the ransom to avoid major recovery times.[ii] Additionally, OT environments generally operate more outdated legacy hardware and software than in strictly IT environments, which further complicates the recovery process.[iii]

Lynx Ransomware: The Not So “Ethical” Group

The Lynx ransomware group advertises itself as an “ethical” hacking group and claims to avoid targets in the healthcare and governmental sectors. The group practices double extortion: in addition to encrypting systems, it steals data and threatens to post it publicly unless a further ransom is paid.[iv] If a compromised organization elects to pay the initial ransom to decrypt its systems, it then faces secondary threats from Lynx threat actors, who demand additional payments to prevent exfiltrated data from being publicly posted. This data can often include financial records, trade secrets, and company policies that could cause irreparable damage if leaked publicly.

Lynx Ransomware Public Blog Site: News

Lynx Ransomware Public Blog Site: Report

Lynx Ransomware Public Blog Site: Leaks

Tactics, Techniques, and Procedures

According to Sophos’ 2024 report, ransomware threat actors exploited known vulnerabilities as the most common method to infiltrate utility (energy, oil, and gas) organizations.[v] The second most common means by which threat actors accessed utilities was compromised credentials.[vi] At the time of publication, Lynx actors are using phishing tactics to initially compromise victim credentials, which is a known tactic that other threat actors use for initial compromise. Utilities may be able to leverage similar prevention and detection mechanisms used in other industries.

Throughout their attack chain, Lynx CTAs have taken the following actions:

  • Process and Service Management — Lynx actors will periodically terminate system processes like anti-virus software to evade defenses. They also target backup-related processes set by admins to automate storage backups, as these processes are likely to interfere with their encryption process.
  • Shadow Copy Deletion — Sophisticated ransomware groups have practiced this method by targeting shadow copies of backups to make recovery more difficult.
  • File Encryption — Since Lynx threat actors practice double extortion techniques, they will target not only local files but also network shares and hidden drives containing more sensitive data.

Once Lynx threat actors compromise a victim and encrypt their systems, a readme.txt ransom note will display on the victim’s desktop. It generally contains a link to the Lynx .onion site along with the victim ID needed to log in to that site and pay the ransom. To increase pressure on victims to pay, Lynx operators also host a public blog and leak site where they publicly shame claimed victims.[vii]

Conclusion

Opportunistic CTAs will likely continue to take advantage of ICS/OT organizations that have yet to remediate outdated systems and that lack effective recovery plans. CTAs that attack opportunistically are often looking for easy targets, and the utilities sector has become an appealing target due to the lack of security controls. Utilities will continue to face an uphill battle after ransomware attacks because the recovery process causes lengthy downtime. They are also more likely to pay ransoms, a consequence of having inadequate recovery measures in place before an attack. Until ICS/OT environments prioritize cyber controls by building more secure and resilient systems, they will remain a constant target. Utilities can address these risks by implementing industry standard cybersecurity controls, such as those provided by CIS.

Indicators of Compromise

Associated URLs

  • http[:]//lynxblog[.]net/
  • http[:]//lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login
  • http[:]//lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd[.]onion/
  • http[:]//lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd[.]onion/
  • http[:]//lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad[.]onion/
  • http[:]//lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad[.]onion/
  • http[:]//lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad[.]onion/
  • http[:]//lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd[.]onion/
  • http[:]//lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid[.]onion/
  • http[:]//lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd[.]onion/login
  • http[:]//lynxchatde4spv5x6xlwxf47jdo7wtwwgikdoeroxamphu3e7xx5doqd[.]onion/login
  • http[:]//lynxchatdy3tgcuijsqofhssopcepirjfq2f4pvb5qd4un4dhqyxswqd[.]onion/login
  • http[:]//lynxchatdykpoelffqlvcbtry6o7gxk3rs2aiagh7ddz5yfttd6quxqd[.]onion/login
  • http[:]//lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad[.]onion/login
  • http[:]//lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad[.]onion/login
  • http[:]//lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad[.]onion/login
  • http[:]//lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures

Hashes[viii]

SHA-256:

  • 09c5ff735d3d7b8c47b4df7de35e1c72b530b2c2566628bc29aaa54feb4d89f4
  • 571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b
  • b378b7ef0f906358eec595777a50f9bb5cc7bb6635e0f031d65b818a26bdc4ee
  • eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc
  • ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49
  • 85699c7180ad77f2ede0b15862bb7b51ad9df0478ed394866ac7fa9362bf5683
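The following is an added example, not code from CIS or from the cited reports, showing how a defender might turn the behaviours listed under Tactics, Techniques, and Procedures (shadow copy deletion and termination of anti-virus and backup processes) and the SHA-256 hashes above into simple triage checks. The log format is an assumption: one JSON object per line with "pid", "image" and "cmdline" keys, as a Sysmon-style process-creation export might provide. The sample log lines and the PROTECTED_KEYWORDS list are constructed for illustration; the hash set is copied from the Hashes section of this report.

```python
# Added example (not CIS code): defender-side triage for the Lynx behaviours
# described in this report. Assumed log format: one JSON object per line with
# "pid", "image" and "cmdline" keys (Sysmon-style process creation export).
import hashlib
import json
import re

# SHA-256 values copied from the report's Hashes section (lowercased for matching).
LYNX_SHA256 = {
    "09c5ff735d3d7b8c47b4df7de35e1c72b530b2c2566628bc29aaa54feb4d89f4",
    "571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b",
    "b378b7ef0f906358eec595777a50f9bb5cc7bb6635e0f031d65b818a26bdc4ee",
    "eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc",
    "ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49",
    "85699c7180ad77f2ede0b15862bb7b51ad9df0478ed394866ac7fa9362bf5683",
}

# Substrings naming backup and anti-virus processes/services that should never be
# stopped by an interactive command. Illustrative assumption; fill from your inventory.
PROTECTED_KEYWORDS = ("backup", "veeam", "msmpeng", "defender", "antivirus")

# Command lines that remove Volume Shadow Copies (MITRE ATT&CK T1490).
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)
# Process termination (taskkill /IM <name>) or service stop (net stop / sc stop <name>).
KILL_CMD = re.compile(
    r"\b(taskkill(\.exe)?\s.*?/im\s+(?P<proc>\S+)"
    r"|(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+(?P<svc>\S+))",
    re.IGNORECASE,
)

# Constructed sample records: one benign program, a harmless shadow copy listing,
# a shadow copy deletion, a backup service stop, an AV process kill, a benign kill,
# and a malformed line to show that bad records are skipped rather than fatal.
SAMPLE_LOG = [
    r'{"pid": 1201, "image": "C:\\Windows\\notepad.exe", "cmdline": "notepad.exe notes.txt"}',
    r'{"pid": 1340, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}',
    r'{"pid": 1355, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}',
    r'{"pid": 1402, "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop VeeamBackupSvc /y"}',
    r'{"pid": 1410, "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM MsMpEng.exe"}',
    r'{"pid": 1422, "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"}',
    "not valid json",
]


def scan_log(lines):
    """Return findings for shadow copy deletion and protected-process termination."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the sweep
        cmdline = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmdline):
            findings.append({"line": lineno, "technique": "T1490",
                             "reason": "shadow copy deletion", "cmdline": cmdline})
            continue
        m = KILL_CMD.search(cmdline)
        if not m:
            continue
        target = (m.group("proc") or m.group("svc") or "").lower()
        if any(k in target for k in PROTECTED_KEYWORDS):
            # taskkill against a protected process maps to T1562.001 (Disable or
            # Modify Tools); stopping a protected service maps to T1489 (Service Stop).
            technique = "T1562.001" if m.group("proc") else "T1489"
            findings.append({"line": lineno, "technique": technique,
                             "reason": f"termination of protected target {target}",
                             "cmdline": cmdline})
    return findings


def is_known_hash(hexdigest):
    """Case-insensitive lookup of a SHA-256 hex digest against the report's indicators."""
    return hexdigest.strip().lower() in LYNX_SHA256


def hash_matches(data):
    """Hash file contents and report whether they match a listed Lynx sample."""
    return is_known_hash(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['technique']} {f['reason']}: {f['cmdline']}")
    print("constructed benign bytes match IoC:", hash_matches(b"constructed benign sample"))
```

Run against a real process-creation export, the script flags the three malicious records of the sample and ignores the benign `vssadmin list shadows` and `taskkill` of notepad; the hash helpers accept digests in either case so they can be fed directly from EDR or file-integrity tooling output.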

Recommendations

The Lynx ransomware group makes their initial compromise mainly through phishing and exploitation of unpatched systems. The CIS CTI team recommends taking the security steps below to defend against these attack methods:

  • Leverage the CIS-CAT® Pro tool to automate CIS Benchmarks™ assessments and conformance reporting, thereby assisting your organization to ensure its IT systems, software, networks, and cloud infrastructure are securely configured.[ix]
  • Consider signing up for CIS SecureSuite® benefits, which provides access to CIS-CAT Pro along with other scalable, customizable tools and resources designed to help your organization save time and money implementing the CIS Benchmarks and CIS Controls in support of its security needs.[x]
  • Implement CIS Critical Security Control 7: Continuous Vulnerability Management[xi] to limit your susceptibility to easily exploited vulnerabilities.
  • Implement CIS Critical Security Control 9: Email and Web Browser Protections.[xii]
  • Review the CIS Critical Security Controls v8.1 Industrial Control Systems (ICS) Guide[xiii],[xiv] if you own or manage ICS. The Guide explains how you can apply the CIS Controls, a prioritized set of actions that are proven to mitigate the most common types of cyber threats, to safeguard ICS and OT environments.
  • Review CISA’s #StopRansomware Guide for ransomware prevention best practices and insight into how to create a response checklist to assist in defending your organizations from ransomware attacks.[xv]
  • Subscribe to CIS ThreatWA to obtain a consistent source of insight and analysis into emerging threats, including pre-released products like this blog and additional exclusive content.[xvi]


[i] https://assets.sophos.com/X24WTUEQ/at/75tnw38cqsnrrv56wpwc78k/sophos-state-of-ransomware-critical-infrastructure-2024.pdf

[ii] https://www.cdw.com/content/cdw/en/articles/networking/protecting-scada-networks-in-an-evolving-threat-landscape.html#:~:text=In%20fact%2C%20despite%20their%20considerable,and%20score%20a%20financial%20windfall

[iii] https://cyolo.io/blog/5-unique-security-challenges-facing-ot-ics-environments

[iv] https://www.cyfirma.com/research/tracking-ransomware-august-2024/

[v] https://assets.sophos.com/X24WTUEQ/at/75tnw38cqsnrrv56wpwc78k/sophos-state-of-ransomware-critical-infrastructure-2024.pdf

[vi] https://assets.sophos.com/X24WTUEQ/at/75tnw38cqsnrrv56wpwc78k/sophos-state-of-ransomware-critical-infrastructure-2024.pdf

[vii] https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/

[viii] https://medium.com/@phishfinding/threat-report-lynx-ransomware-cb2881e9b7b2

[ix] https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro

[x] https://www.cisecurity.org/cis-securesuite/benefits

[xi] https://www.cisecurity.org/controls/continuous-vulnerability-management

[xii] https://www.cisecurity.org/controls/email-and-web-browser-protections

[xiii] https://www.cisecurity.org/insights/white-papers/cis-critical-security-controls-v8-1-industrial-control-systems-ics-guide

[xiv] https://www.cisecurity.org/insights/white-papers/cis-critical-security-controls-v8-1-industrial-control-systems-ics-guide

[xv] https://www.cisa.gov/stopransomware/ransomware-guide

[xvi] https://www.cisecurity.org/cis-threat-aware