RHC Interviews Lynx Ransomware. The cyber-gang offering Pentest services ensuring privacy

RHC Dark Lab : 23 September 2024 07:06

In July 2024, the Lynx group burst into the RaaS world, which from the outset demonstrated above-average aggressiveness and success in attacks with a total of 22 victims featured on their Data Leak Site (also available in the clearnet).

Lynx’s victim categories are mainly Construction (ex:/ Miller Boskus Lack Architects and True Blue Environmental), Finance (ex:/ Pyle Group) and Hotel (ex:/ Warwick Hotels & Resorts and
Riverside Resort Hotel & Casino). Lynx performs double extortion techniques and a high frequency of attacks in the U.S. but also in the UK, Canada, and Australia.

The group describes their activities as exclusively “financially motivated” and a policy that does not allow attacks against critical, government and healthcare facilities. Interesting how they present their operational model to the public : “encourages dialogue and resolution rather than chaos and destruction”.

In DarkLab’s Ransomware Report H1 2024, we highlighted how “rookies” are entering the ransomware ecosystem despite the capitalization of the top 5. Lynx looks to be a prepared and designated new entrant to stay in the medium/long term. The density of attacks pertuated since the early days of Lynx’s emergence promise great developments for the group’s future.

The Forest Cat Eyesight

The DarkLab team was able to communicate with Lynx who agreed to answer questions posed by the editorial team. We thank the Lynx staff for sacrificing their time to offer our readers direct information regarding Lynx and their present and future prospects.

RHC: Welcome Lynx to RHC, since this is your first interview present yourself to the public explaining what you do and why you decide to work in this sector

Lynx: Our team consists passionate cybersecurity enthusiasts. As we’ve observed, many companies—both large and small—do not prioritize their cybersecurity efforts adequately. Furthermore, those that do often fall prey to misleading promises from recovery and cybersecurity firms, impacting their overall security posture. While our motivation includes a financial aspect, we are equally driven by a desire to raise awareness about the fragility of cybersecurity on a global scale. It is essential for the broader public to understand and recognize these vulnerabilities and take meaningful action.
We want to emphasize that we are committed to avoiding any negative impact on critical infrastructure. Our goal is solely to shine a light on the pervasive challenges in cybersecurity and encourage proactive measures across industries.

RHC: Lynx group is a new rising star in the RaaS environment. Despite being a new entry, your group rapidly targets companies from different sectors. Why did you start the group and what’s the secret to being that good from the beginning?

Lynx: Our team consistently demonstrates a high level of expertise and dedication, which significantly enhances our groups impact.

RHC: Currently, what are the biggest challenges for ransomware code development?

Lynx: AV evasion

RHC: Your code of conduct is clear “avoid undue harm to organizations” and avoid critical infrastructures/healthcare services. How do you mitigate potential rogue operators to use your product on forbidden victims? You have a process of selection?

Lynx: Our approach involves a careful selection process, ensuring that only approved targets are engaged. This method allows us to maintain a high standard in our operations and achieve our goals effectively.

RHC: “Our operational model encourages dialogue and resolution rather than chaos and destruction”, what’s your approach to negotiation with your victims?

Lynx: Our goal is to work towards a mutually beneficial consensus that not only brings us financial gain but also strengthens the cyber security of the company. We are committed to fostering a positive and constructive dialogue for mutual benefit.

RHC: Your job comes with high risk and high stakes, how does Lynx keep with ransomware activity and at the same time stay safe? Is it worth the risk?

Lynx: There are always inherent risks that come with our field. It’s something we’re all aware of when we choose to be part of this industry. While we can’t eliminate risk entirely, it’s essential that we take proactive steps to mitigate them as much as possible.

RHC: You’re a group has only recently come out of the closet, what do you think sets you apart from other groups and allows you to establish yourselves as the best?

Lynx: We are not gay.

RHC: You claim that your targets are not critical infrastructure but instead territorially there are countries that you will not attack or do you have no borders ?

Lynx: We have no borders or political affiliation just some countries have more money and are more digitalized than others.

RHC: Talking about collaborators, how are you organized? Do you have many people working with you? What is the selection process like for a candidate who wants to join Lynx?

Lynx: This is information which we will not disclose.

RHC: Is the rivalry within your hacker community merely about technical superiority, or is there something deeper, such as geopolitical or economic ambitions? How does the competition between groups influence your actions and the selection of your targets? Could this internal rivalry have the potential to shift global balances or create new strategic alliances?

Lynx: We have no rivalry with any other organizations; our primary focus is on monetary gain while raising awareness about crucial cybersecurity issues among the broader public.

RHC: What would you say to convince potential new collaborators join your group?

Lynx: We are not looking for new collaborators.

RHC: You probably know what happened between LockBit and Operation Cronos, are you worried that law enforcement would put always more efforts on takedown groups like yours? You saw some changes/reaction after Operation Cronos?

Lynx: As we know, every endeavor in our field carries certain inherent risks. However, we remain committed to doing everything we can to mitigate these risks.

RHC: What’s your approach on Initial Access into victim network? You rely on Creadential Broker (and similar) or you prefer do it by yourself?

Lynx: We believe in utilizing both approaches, as it is beneficial to have various avenues available. This diversity allows us to enhance our effectiveness and reach.

RHC: What’s your opinion on other RaaS without an ethic code which attack critical infrastructures or healtcares facilities?

Lynx: There are two types of these groups. It seems that some groups have been causing considerable noise and disruption, because they belive it will increase the chance of payments. While for other groups such actions may stem from limited options in their targets. Generally hospitals, NGOs and government agencies have poorer cyber security.

RHC: Based on your experience, how is security implemented within companies network? What should professionals focus on to improve the state of art?

Lynx: Mainly, the problems arise from human error when it comes to cybersecurity. These issues often stem from simple habits, such as using easy-to-guess passwords, avoiding two-factor authentication (2FA), and managing multiple accounts with the same password. While these may seem like convenient shortcuts, they can significantly compromise our security.

RHC: You ever failed one of your attacks? What was the point of failure?

Lynx: There are potential points of failure at every moment during an attack. As we both know, any unusual behavior in a network can be detected at any stage, making it essential for us to act swiftly and discreetly. By approaching situations with speed and stealth, we can minimize the chance of detection and, ultimately, enhance our overall success.

RHC: Lynx, thanks a lot for your time! Is there anything you’d like to say that we haven’t asked you?

Lynx: We are planning to offer a subscription service that allows clients to request penetration tests for their networks, all while ensuring privacy and security guarantees. We’ve established connections with the leading groups in this line of work, and we are confident in our ability to provide them with a high level of assurance that none of them will compromise their organization’s security. Unlike many recovery and cybersecurity firms that charge significant fees yet often deliver inadequate services, our approach is both cost-effective and straightforward, allowing companies to proactively mitigate potential risks.