
INC ransomware rebranded to Lynx, say security researchers

Researchers at Palo Alto Networks' Unit 42 believe the INC ransomware crew is no more, having rebranded itself as Lynx over a period of roughly three months.

INC was never a ransomware market leader, but since spinning up in October 2023 it made something of a name for itself with headline-grabbing attacks on the UK's Leicester City Council and NHS Scotland, among others.

Lynx, on the other hand, was first spotted in July 2024, and Unit 42's researchers note that the number of detected Lynx samples has outpaced the number of INC samples since then.

Graph depicting the number of ransomware sample detections for both Lynx and INC over the previous 12 months (courtesy of Unit 42)

After two months of Lynx being more prevalent than INC, detections of the latter fell to zero in September, although this alone doesn't necessarily mean INC is gone for good: zero INC detections were also recorded in January, February, and May, for example.

However, code comparisons usually provide firmer support for suspicions of rebranding than detection counts do, and the same is true in this case. Running samples from both families through BinDiff revealed a 70.8 percent match in shared functions.

"This significant overlap in shared functions strongly suggests that the developers of Lynx ransomware have borrowed and repurposed a considerable portion of the INC codebase to create their own malicious software," Unit 42 states in a blog post.

"Reusing code between different ransomware families is common among cybercriminals. By leveraging preexisting code and building upon the foundations laid by other successful ransomware, threat actors can save time and resources in the development of their own attacks. This can ultimately lead to more successful and widespread campaigns."

The researchers also observe that INC's source code was made available on cybercrime forums from March this year, so in theory any number of INC derivatives could have been released by anyone since then. Code analysis alone would most likely yield similar overlap figures for all of them, which means the BinDiff result shows code reuse but cannot by itself distinguish a rebrand by the original crew from a third party building on the same source.
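To make the BinDiff figure above concrete, here is an added example of the kind of function-level comparison it describes. It is written for this page and is not Unit 42's tooling, nor BinDiff itself; the two "samples" are constructed toy disassemblies with invented function names and addresses, and the matching rules (exact match on normalized instruction streams, then fuzzy matching on the remainder) are a simplification of what a real binary-diffing tool does. It also illustrates the caveat in the previous paragraph: the score measures reuse, not authorship.

```python
"""Function-level similarity between two disassembled samples (added example).

Not Unit 42's method and not BinDiff: a simplified imitation of the idea behind
a "shared functions" figure.  Both samples below are constructed toy
disassemblies; none of this is real INC or Lynx code.
"""
import difflib
import hashlib
import re

HEX_RE = re.compile(r"0x[0-9a-fA-F]+")
DEC_RE = re.compile(r"\b\d+\b")

# Constructed stand-in for an INC sample: function name -> disassembly.
INC_SAMPLE = {
    "enum_drives": ["push ebp", "mov ebp, esp", "call 0x401000", "test eax, eax",
                    "jz 0x4010a0", "pop ebp", "ret"],
    "encrypt_file": ["push ebp", "mov ebp, esp", "push 0x10", "call 0x402200",
                     "mov [ebp-4], eax", "call 0x402300", "pop ebp", "ret"],
    "drop_note": ["push 0x405000", "push 0x405100", "call 0x403000", "add esp, 8", "ret"],
    "kill_services": ["push ebx", "xor ebx, ebx", "call 0x404000", "inc ebx",
                      "cmp ebx, 12", "jl 0x404010", "pop ebx", "ret"],
    "self_delete": ["push 0x406000", "call 0x404500", "ret"],
}

# Constructed stand-in for a Lynx sample, rebuilt at a different base address:
# two functions are identical apart from addresses, one gained an instruction,
# one shrank, and two are new.
LYNX_SAMPLE = {
    "enum_drives": ["push ebp", "mov ebp, esp", "call 0x501000", "test eax, eax",
                    "jz 0x5010a0", "pop ebp", "ret"],
    "encrypt_file": ["push ebp", "mov ebp, esp", "push 0x10", "call 0x502200",
                     "mov [ebp-4], eax", "call 0x502300", "pop ebp", "ret"],
    "drop_note": ["push 0x505000", "push 0x505100", "call 0x503000", "add esp, 8",
                  "mov eax, 1", "ret"],
    "stop_vss": ["push ebx", "xor ebx, ebx", "call 0x504000", "pop ebx", "ret"],
    "anti_debug": ["mov eax, fs:[0x30]", "movzx eax, byte ptr [eax+2]",
                   "test eax, eax", "jnz 0x507000", "ret"],
    "c2_beacon": ["push 0x508000", "push 0x508100", "call 0x505000", "test eax, eax",
                  "jz 0x508200", "push eax", "call 0x505100", "ret"],
}


def normalize(instructions):
    """Blank out addresses and immediates so a rebuild at another base or a
    relocated call target does not hide reused code."""
    out = []
    for ins in instructions:
        ins = HEX_RE.sub("IMM", ins)
        ins = DEC_RE.sub("IMM", ins)
        out.append(" ".join(ins.lower().split()))
    return tuple(out)


def fingerprint(instructions):
    """Hash of the normalized instruction stream, used for exact matching."""
    return hashlib.sha256("\n".join(normalize(instructions)).encode()).hexdigest()


def match_functions(a, b, fuzzy_threshold=0.8):
    """Return (name_in_a, name_in_b, score) for every function of `a` that has
    a counterpart in `b`.  Exact fingerprint matches first, then a greedy
    fuzzy pass (difflib ratio over normalized instructions) on the leftovers."""
    by_hash_b = {}
    for name, ins in b.items():
        by_hash_b.setdefault(fingerprint(ins), []).append(name)
    matches, unmatched_a, used_b = [], [], set()
    for name, ins in a.items():
        cands = [n for n in by_hash_b.get(fingerprint(ins), []) if n not in used_b]
        if cands:
            used_b.add(cands[0])
            matches.append((name, cands[0], 1.0))
        else:
            unmatched_a.append(name)
    for name in unmatched_a:
        na, best = normalize(a[name]), None
        for nb_name, nb_ins in b.items():
            if nb_name in used_b:
                continue
            score = difflib.SequenceMatcher(None, na, normalize(nb_ins)).ratio()
            if best is None or score > best[1]:
                best = (nb_name, score)
        if best and best[1] >= fuzzy_threshold:
            used_b.add(best[0])
            matches.append((name, best[0], round(best[1], 3)))
    return matches


def shared_function_ratio(a, b, fuzzy_threshold=0.8):
    """Fraction of `a`'s functions with a match in `b`.  A high value shows
    code reuse; it says nothing about who did the reusing."""
    return len(match_functions(a, b, fuzzy_threshold)) / len(a)


if __name__ == "__main__":
    for name_a, name_b, score in match_functions(INC_SAMPLE, LYNX_SAMPLE):
        print(f"{name_a:14} -> {name_b:14} {score}")
    print(f"shared functions: {shared_function_ratio(INC_SAMPLE, LYNX_SAMPLE):.1%}")
```

With the constructed input, the two relocated functions match exactly, drop_note matches fuzzily despite the added instruction, and kill_services falls just under the 0.8 threshold against the shortened stop_vss, so the toy result is 60 percent shared functions. A real tool also uses call-graph structure and basic-block layout, which is why it can match functions this approach would miss.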

INC is still posting victims: new entries were added to its leak site as recently as October 4, and a cursory examination suggests they weren't reposts of old attacks.

A comparison of the two brands' leak sites reveals noticeable similarities. For starters, both INC and Lynx belong to a very small cohort of cybercrime groups with a clear-web presence: each operates leak sites on both Tor and the regular web.


The next obvious similarity is the layout of the websites. Ransomware gangs typically take very different approaches to designing their leak blogs, and it is rare for one gang's site to closely resemble a rival's, yet Lynx's and INC's sites are laid out in an almost identical fashion.

Comparison of INC's and Lynx's leak blogs

The left-hand toolbar, near-identical section names, presence on the clear web, and rhyming group names suggest that the same individuals may be behind both operations, or that they are at least trying to give that impression.

A statement posted to Lynx's blog states that it refuses to target the likes of hospitals, governments, or other kinds of nonprofits "as these sectors play vital roles in society."

This certainly wasn't the case with INC, given its attacks on the NHS and Leicester City Council. Perhaps they turned over a new leaf. Perhaps they're just a bunch of criminals who lie about everything.

Source: theregister.com
