Ransomware attacks have been on the rise, and a recent report highlights how one group, INC Ransomware, has managed to thrive by mastering the basics of intrusion methods. According to Dark Reading, INC Ransomware focuses on practical, repeatable techniques such as stolen credentials, phishing, and unpatched remote services, rather than novel tooling.
What Happened
The report notes that INC Ransomware has grown by targeting high-pressure sectors, including healthcare, where a ransomware disruption creates immediate pressure to pay up. This approach allows the group to maximize its revenue and maintain a strong presence in the cybercrime landscape. Additionally, the group's use of affiliate scalability, where other actors conduct intrusions in exchange for a share of ransom proceeds, has enabled it to expand its reach and adapt to changing circumstances.
The Dark Reading article also highlights the importance of patching vulnerabilities, as seen in the recent CISA order to federal agencies to patch a maximum-severity Joomla plugin flaw. The vulnerability allows unauthenticated attackers to upload and execute PHP code, creating serious risk for exposed Joomla deployments using the affected plugin. This emphasizes the need for organizations to prioritize security and stay up to date with the latest patches and updates.
Background and Context
INC Ransomware is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023 and has since established itself as a significant threat to organizations worldwide. The group employs double extortion tactics, stealing sensitive data before encrypting systems, to maximize pressure on victims. This approach allows the group to demand higher ransoms and increase its revenue.
A recent article by Provendata provides an overview of INC Ransomware's operational characteristics, attack lifecycle, and practical guidance for response, recovery, and prevention. The article notes that the group is financially motivated with no confirmed ties to state sponsorship and maintains leak sites on the Tor network where victim data is published if ransom payments are not made.
The relationship between INC Ransomware and another variant called Lynx is also explored in the article. Lynx emerged in mid-2024 with significant code overlap, approximately 48% overall similarity and up to 70% similarity in shared functions, suggesting a strong connection between the two groups. Organizations are advised to treat INC and Lynx as part of the same threat lineage, using detection rules and indicators developed for INC to identify Lynx activity.
Why It Matters to the Industry
The rise of ransomware attacks like those carried out by INC Ransomware highlights the importance of robust security measures in the adult industry. With the increasing use of online platforms and services, organizations must prioritize patching vulnerabilities, implementing robust access controls, and staying up to date with the latest security best practices.
The use of affiliate scalability by INC Ransomware also underscores the need for organizations to be vigilant against insider threats and ensure that their employees are aware of the risks associated with phishing attacks and other intrusion methods. By understanding the tactics and techniques used by ransomware groups, organizations can better prepare themselves for potential attacks and reduce the risk of successful intrusions.
What Comes Next
The recent patching of a critical command execution flaw in Cisco ISE highlights the importance of staying up to date with the latest security patches and updates. Organizations must prioritize patching vulnerabilities, implement robust access controls, and stay informed about emerging threats to ensure their online platforms and services remain secure.
Key Facts
- INC Ransomware has grown by focusing on practical, repeatable intrusion methods rather than novel tooling.
- The group targets high-pressure sectors, including healthcare, where a ransomware disruption creates immediate pressure to pay up.
- INC Ransomware employs double extortion tactics, stealing sensitive data before encrypting systems, to maximize pressure on victims.
- Lynx emerged in mid-2024 with significant code overlap, approximately 48% overall similarity and up to 70% similarity in shared functions, suggesting a strong connection between the two groups.
- Organizations should treat INC and Lynx as part of the same threat lineage, using detection rules and indicators developed for INC to identify Lynx activity.
Recommendations
In light of these developments, we recommend that organizations in the adult industry prioritize patching vulnerabilities, implement robust access controls, and stay up to date with the latest security best practices. By understanding the tactics and techniques used by ransomware groups, organizations can better prepare themselves for potential attacks and reduce the risk of successful intrusions.