INC ransomware rebrands to Lynx – same code, new name, still up to no good

Researchers point to evidence that scumbags visited the strategy boutique


Researchers at Palo Alto Networks' Unit 42 believe the INC ransomware crew is no more, having rebranded itself as Lynx over a three-month period.

INC was never a ransomware market leader, but since spinning up in October 2023 it made something of a name for itself with headline-grabbing attacks on the UK's Leicester City Council and NHS Scotland, to name a few.

Lynx, on the other hand, was first spotted in July 2024, and Unit 42's researchers note that the number of detected Lynx samples has outpaced that of INC samples since then.

Graph depicting the number of ransomware sample detections of both Lynx and INC gangs over the previous 12 months, courtesy of Unit 42

After two months of Lynx being more prevalent than INC, detections of the latter fell to zero in September, although this alone doesn't necessarily mean it's gone for good. Zero INC detections were also recorded in January, February, and May, for example.

However, code comparisons often provide better support for suspicions of rebranding and the same is true in this case. Running samples from both ransomware groups through BinDiff revealed a 70.8 percent match in shared functions.

"This significant overlap in shared functions strongly suggests that the developers of Lynx ransomware have borrowed and repurposed a considerable portion of the INC codebase to create their own malicious software," Unit 42 states in a blog.

"Reusing code between different ransomware families is common among cybercriminals. By leveraging preexisting code and building upon the foundations laid by other successful ransomware, threat actors can save time and resources in the development of their own attacks. This can ultimately lead to more successful and widespread campaigns."

The researchers also observe that INC's source code was made available on cybercrime forums from March this year, so in theory anyone could have released any number of INC derivatives, and a code analysis alone would most likely yield similar overlap figures for all of them. Code similarity therefore supports the rebranding theory but cannot prove it on its own.
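To make the "shared functions" figure concrete, here is an added example (not Unit 42's or BinDiff's code) that computes a crude shared-function ratio between two samples. Each function is reduced to its sequence of instruction mnemonics, with operands stripped so that recompiled code with different register choices or addresses still matches, and the ratio is the fraction of reference functions whose mnemonic fingerprint also appears in the other sample. BinDiff itself matches on call-graph and flow-graph structure as well, so this is a simplification of the idea rather than its implementation; the function listings are constructed toy data, not real INC or Lynx disassembly. The example also shows why the number alone cannot settle the rebrand question: a fork of leaked source would score just as well.

```python
"""Added example: a simplified, BinDiff-style shared-function ratio.

Two samples are compared by hashing each function's mnemonic sequence.
All disassembly below is constructed for illustration (not real malware).
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Grabs the mnemonic (first token) of an instruction line; operands are ignored.
MNEMONIC_RE = re.compile(r"^\s*([a-z][a-z0-9.]*)")

# Constructed "reference" sample: function name -> disassembly lines.
SAMPLE_INC: Dict[str, List[str]] = {
    "encrypt_file": ["push rbp", "mov rbp, rsp", "sub rsp, 0x40",
                     "call aes_block", "leave", "ret"],
    "drop_note": ["push rbp", "mov rbp, rsp", "lea rdi, [rip+0x2000]",
                  "call write_file", "pop rbp", "ret"],
    "kill_services": ["push rbp", "mov rbp, rsp", "call enum_services",
                      "test eax, eax", "jz 0x401200", "call stop_service",
                      "pop rbp", "ret"],
    "wipe_shadows": ["push rbp", "mov rbp, rsp", "call vssadmin_delete",
                     "pop rbp", "ret"],
}

# Constructed "rebrand" sample. encrypt_file and drop_note differ only in
# operands (stack size, string address) and should match; kill_services
# gained an extra call and should not; wipe_shadows was dropped and
# print_banner was added.
SAMPLE_LYNX: Dict[str, List[str]] = {
    "encrypt_file": ["push rbp", "mov rbp, rsp", "sub rsp, 0x60",
                     "call aes_block", "leave", "ret"],
    "drop_note": ["push rbp", "mov rbp, rsp", "lea rdi, [rip+0x3100]",
                  "call write_file", "pop rbp", "ret"],
    "kill_services": ["push rbp", "mov rbp, rsp", "call enum_services",
                      "test eax, eax", "jz 0x402200", "call stop_service",
                      "call log_kill", "pop rbp", "ret"],
    "print_banner": ["push rbp", "mov rbp, rsp", "xor eax, eax",
                     "call puts", "pop rbp", "ret"],
}


def mnemonic_sequence(lines: List[str]) -> Tuple[str, ...]:
    """Reduce a function to its mnemonics so operand churn between builds
    (registers, immediates, addresses) does not break the match."""
    seq = []
    for line in lines:
        m = MNEMONIC_RE.match(line.lower())
        if m:
            seq.append(m.group(1))
    return tuple(seq)


def fingerprint(lines: List[str]) -> str:
    """Stable hash of the mnemonic sequence; identical sequences collide on purpose."""
    return hashlib.sha256(" ".join(mnemonic_sequence(lines)).encode()).hexdigest()


def index_functions(sample: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map fingerprint -> names of all functions in the sample with that fingerprint."""
    idx: Dict[str, List[str]] = {}
    for name, lines in sample.items():
        idx.setdefault(fingerprint(lines), []).append(name)
    return idx


def shared_functions(reference: Dict[str, List[str]],
                     other: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each reference function whose fingerprint also occurs in `other`,
    return the names of the matching functions in `other`."""
    other_idx = index_functions(other)
    matches: Dict[str, List[str]] = {}
    for name, lines in reference.items():
        fp = fingerprint(lines)
        if fp in other_idx:
            matches[name] = other_idx[fp]
    return matches


def shared_function_ratio(reference: Dict[str, List[str]],
                          other: Dict[str, List[str]]) -> float:
    """Fraction of reference functions with a mnemonic-level match in `other`."""
    if not reference:
        return 0.0
    return len(shared_functions(reference, other)) / len(reference)


if __name__ == "__main__":
    print("matched:", shared_functions(SAMPLE_INC, SAMPLE_LYNX))
    print(f"shared-function ratio: {shared_function_ratio(SAMPLE_INC, SAMPLE_LYNX):.1%}")
```

Two of the four reference functions match, so the toy ratio is 50 percent. Note that the score is directional (it is computed over the reference sample's functions), that tiny wrapper functions with identical mnemonic sequences will collide, and that nothing in the number says whether the second sample came from the same developers or from a copy of the leaked source.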

INC is still posting victims: new entries to its online leak site were made as recently as October 4, and a cursory examination suggests that it wasn't a repost of an old attack.

A comparison of the two brands' leak sites reveals noticeable similarities. For starters, both INC and Lynx are among a very small cohort of cybercrime groups with a clear web presence: each runs a leak site on Tor and a mirror on the regular internet.

The next obvious similarity is the format of the websites. Typically, ransomware gangs have vastly different approaches to designing their leak blogs. It's not often that one gang will have a site that closely resembles that of a rival, but Lynx and INC's sites are laid out in an almost identical fashion.

Comparison of INC and Lynx's leak blogs

The left-hand toolbar, near-identical section names, presence on the clear web, and rhyming group names suggest that the same individuals may be behind both operations, or that they are at least trying to give that impression.

A statement posted to Lynx's blog states that it refuses to target the likes of hospitals, governments, or other kinds of nonprofits "as these sectors play vital roles in society."

This certainly wasn't the case with INC given its attacks on the NHS and Leicester City Council. Perhaps they turned over a new leaf. Perhaps they're just a bunch of criminals who lie about everything. ®
