October 11, 2024 at 07:05PM
Researchers at Palo Alto’s Unit 42 suggest that the INC ransomware group has rebranded as Lynx following a notable period of attacks. Comparisons reveal a 70.8% code overlap, indicating a shared foundation. INC has shown recent activity of its own, yet the two groups are similar in their operations and web presence, raising questions about their connection.
### Meeting Takeaways on Ransomware Groups INC and Lynx
1. **Rebranding and Evolution**:
   - Researchers from Palo Alto’s Unit 42 believe that the INC ransomware group has rebranded itself as Lynx over a three-month period.
   - INC, which started in October 2023, did not dominate the ransomware market but gained attention with attacks on entities like Leicester City Council and NHS Scotland.
2. **Emergence of Lynx**:
   - Lynx was first detected in July 2024 and has surpassed INC in the number of ransomware sample detections within a two-month window.
   - By September 2024, detections for INC fell to zero. This has also occurred in previous months, so it indicates fluctuations in activity rather than a definitive end.
3. **Code Similarities**:
   - Code analysis through BinDiff revealed a 70.8% overlap in shared functions between the two groups' ransomware, implying significant code reuse by the Lynx developers from the INC codebase.
   - Code reuse is a common tactic among cybercriminals, which allows for quicker development of malicious software.
4. **Ongoing Activity of INC**:
   - Despite a drop in sample detections, INC is still operational and has made new entries on its leak site as recently as October 4, indicating continued victim postings.
5. **Website Comparisons**:
   - Both INC and Lynx maintain similar leak site designs, revealing a likely connection between the two groups.
   - The layout, sections, and presence on both Tor and the clear web suggest that the same individuals may operate both groups or aim to associate them.
6. **Claims of Ethical Targeting by Lynx**:
   - Lynx’s blog states a refusal to target hospitals, governments, or nonprofits, in contrast to INC, which has attacked such sectors.
   - This could reflect a genuine shift in strategy or a deceptive claim by the group.
### Conclusion
The rebranding of INC to Lynx suggests an adaptive strategy in the ransomware space, combining existing tactics with new claims of ethical targeting. Continued monitoring of both groups' activity is essential as the situation evolves.