Lynx Ransomware – There’s A New Kid On The Block!
Security firm Darktrace has shone a light on an emerging ransomware group dubbed Lynx, which is known for targeting organisations in the finance, architecture, retail, energy, and manufacturing sectors.
Despite initiating operations in mid-2024, Lynx has quickly become a dominant player in the ransomware landscape, compromising dozens of organisations in a short span. In January 2025, the IT-ISAC attributed 42 attacks to Lynx, making it the most active ransomware group of the month, ahead of Akira (37) and RansomHub (35).
Cyber threats are a persistent concern, and they are only growing in momentum and complexity. With the emergence of AI systems, attackers now have a powerful tool at their disposal to increase their odds of success. But despite being aware of this, and hearing frequent reports of high-profile hacking incidents, many organisations still lack a clear understanding of how they would respond if faced with a “punch in the face”, and don’t have a solid recovery plan in place. Worse still, some don’t even have sufficient security in place to meet their business needs.
The group typically gains initial access through phishing campaigns that deploy malicious links or attachments. Lateral movement is facilitated by compromised administrative credentials, likely obtained through credential stuffing or brute-force attacks.
To complicate recovery, Lynx terminates backup-related processes and deletes shadow volume copies that aren’t air-gapped.
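As an added example (not from the Darktrace report or the original post), the routine below scans constructed Windows process-creation events for the two behaviours described above: shadow copy deletion and termination of backup-related processes. The event format, the sample command lines and the process name BackupAgentSvc.exe are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style).
# The field layout and all values are assumptions for this example, not a real capture.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4122, "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4130, "parent": "cmd.exe",
     "cmdline": "taskkill /F /IM BackupAgentSvc.exe"},      # hypothetical backup service
    {"pid": 4140, "parent": "BackupAgentSvc.exe",
     "cmdline": "vssadmin.exe list shadows"},               # benign: enumeration only
    {"pid": 4150, "parent": "explorer.exe",
     "cmdline": "notepad.exe report.txt"},                  # benign
]

# Each rule is (name, pattern); patterns run against the lower-cased command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete")),
    ("backup_process_termination",
     re.compile(r"\b(taskkill|net\s+stop)\b.*\b(backup|vss)")),
]


@dataclass
class Alert:
    pid: int
    rule: str
    cmdline: str


def detect(events):
    """Return one Alert per (event, matching rule), in event order.

    Enumerating shadow copies ('list shadows') is deliberately not matched,
    since legitimate backup agents do that routinely.
    """
    alerts = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev["pid"], name, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid={alert.pid} rule={alert.rule} cmd={alert.cmdline!r}")
```

In production the same rules would be fed from an EDR or SIEM process-creation stream rather than an inline list, and alerts on hosts that are not backup servers warrant immediate triage.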
So how do you mitigate?
Back up your data offsite and keep the backups “offline”: Ensure that backups are regularly tested and that they are not connected to the business network, or recovery will be impossible. Where you can, ensure your backup system keeps immutable or “air-gapped” copies offline so that recovery is always possible.
DID YOU KNOW? Seccom Global’s Cloud First Managed Backup & Recovery solution provides an immutable, “air-gapped” copy of your data in the cloud to ensure recovery if the worst happens.
Update and patch systems promptly: This is one of the Australian Government’s Essential 8 core components for a reason!
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan:
- Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Conduct regular testing of your security controls, or have ongoing detection and response in place to quickly identify anomalies: Ideally, some form of network detection and response capability should be in place, but at the very least penetration testing and vulnerability scanning should be done regularly.
DID YOU KNOW? Seccom Global provides fully Managed Detection and Response across Endpoint, Network (including complex OT environments), Cloud and Mobile via a single platform dashboard, with options to deploy a Ransomware Sensor and to add Dark Web Monitoring or identity-based threat detection, all with forensics and incident response included in the fixed monthly fee.
Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify the links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised.
Continuous and ongoing security awareness training for your team: Email remains the most commonly exploited attack vector for organisations. Users should be trained to spot and avoid phishing emails, and tested regularly.
DID YOU KNOW? Seccom Global provides Managed Cyber Awareness Training via the Proofpoint platform. For a cost-effective monthly fee, we can help you create a program for your team, set the tasks to be completed by your team over the year, run phishing campaigns as required, and provide reporting on the results each month.