TL;DR

1. Double Extortion Tactics: Both Lynx and Cicada3301 employ double extortion tactics, exfiltrating data before encrypting it to increase pressure on victims to pay the ransom.
2. Phishing and Malicious Downloads: Lynx disseminates its ransomware through phishing emails and malicious downloads, while Cicada3301 uses phishing, PsExec, and RDP for initial access.
3. Advanced Encryption Algorithms: Lynx uses AES-128 and Curve25519 Donna encryption algorithms, while Cicada3301's ransomware is written in Rust, enhancing its evasion capabilities.
4. Service and Process Termination: Lynx ransomware terminates services and processes, encrypts network drives, and deletes shadow copies and backup partitions to maximize its impact.
5. Code Reuse and Evolution: Lynx has repurposed code from INC ransomware, and Cicada3301 has built upon the BlackCat codebase, indicating a trend of code reuse and evolution among ransomware groups.
6. Targeted Sectors and Regions: Lynx targets sectors such as retail, real estate, architecture, financial, and environmental services in the U.S. and UK, while Cicada3301 targets financial services, real estate, and retail sectors in regions like India, Japan, and South Korea.
7. Ransomware-as-a-Service (RaaS): Both Lynx and Cicada3301 operate using a RaaS model, allowing them to recruit affiliates and expand their reach.

Research Summary

The threat actors "Lynx" and "Cicada3301" have been active in recent cyber campaigns, employing sophisticated tactics, techniques, and procedures (TTPs) to target various sectors. Lynx, a rebranding of the INC ransomware, has been particularly active in the U.S. and UK, targeting sectors such as retail, real estate, architecture, financial, and environmental services. Cicada3301, emerging as a successor to the BlackCat ransomware group, has been involved in ransomware-as-a-service (RaaS) operations, targeting sectors like financial services, real estate, and retail.

Lynx Ransomware Tactics

Lynx ransomware employs a double extortion tactic, where it exfiltrates data before encrypting it, leveraging phishing emails, malicious downloads, and hacking forums for dissemination. The ransomware uses AES-128 and Curve25519 Donna encryption algorithms, and it is designed for the Windows platform. Notably, Lynx ransomware has been observed terminating services and processes, encrypting network drives, and deleting shadow copies and backup partitions to maximize its impact.

Cicada3301 Ransomware Tactics

Cicada3301, on the other hand, has been linked to the use of Akira ransomware and shares code with the BlackCat malware. This group also employs double extortion tactics and has been known to use phishing, PsExec, and RDP for initial access. Cicada3301's ransomware is written in Rust, making it more challenging to detect and analyze. The group has targeted regions such as India, Japan, and South Korea, focusing on financial services, real estate, and retail sectors.

Evolution and Adaptation

Both threat actors have shown a pattern of evolving their methodologies to enhance their effectiveness. Lynx has repurposed code from INC ransomware, while Cicada3301 has built upon the BlackCat codebase. These groups have also been observed using sophisticated techniques to evade detection and maximize their impact, such as leveraging the Restart Manager API and employing advanced encryption algorithms.

Targeted Sectors and Regions

Lynx targets sectors such as retail, real estate, architecture, financial, and environmental services in the U.S. and UK, while Cicada3301 targets financial services, real estate, and retail sectors in regions like India, Japan, and South Korea. Both groups operate using a RaaS model, allowing them to recruit affiliates and expand their reach.

Assessment Rating

Rating: HIGH

The assessment rating is high due to the sophisticated and evolving nature of the TTPs employed by Lynx and Cicada3301, their use of double extortion tactics, and their targeting of critical sectors and regions. The potential for significant financial and operational impact on targeted organizations further elevates the threat level.

Attribution

Historical Context

Lynx is a rebranding of the INC ransomware, which initially surfaced in August 2023. Cicada3301 emerged as a successor to the BlackCat ransomware group, leveraging similar code and tactics.

Timeline

• August 2023: INC ransomware surfaces.
• March 2024: INC ransomware source code available for sale.
• July 2024: Lynx ransomware identified as a successor to INC ransomware.
• September 2024: Cicada3301 identified as a successor to BlackCat.

Origin

Lynx is believed to be operated by a financially motivated cybercriminal group, while Cicada3301 is linked to the BlackCat ransomware group, with potential ties to Russian cybercriminals.

Countries Targeted

1. United States - Lynx targets various sectors, including retail and financial services.
2. United Kingdom - Lynx targets sectors such as real estate and architecture.
3. India - Cicada3301 targets financial services and real estate sectors.
4. Japan - Cicada3301 targets retail and financial services sectors.
5. South Korea - Cicada3301 targets various sectors, including financial services.

Sectors Targeted

1. Financial Services - Both Lynx and Cicada3301 target this sector.
2. Retail - Both threat actors target retail organizations.
3. Real Estate - Cicada3301 targets this sector, along with Lynx.
4. Architecture - Lynx targets this sector.
5. Environmental Services - Lynx targets this sector.

Motivation

Both Lynx and Cicada3301 are financially motivated, employing ransomware to extort money from their victims.

Attack Types

• Double Extortion: Exfiltrating data before encrypting it.
• Phishing: Using phishing emails to gain initial access.
• Malicious Downloads: Distributing ransomware through malicious downloads.
• PsExec and RDP: Used by Cicada3301 for initial access.

Known Aliases

1. INC Ransomware (Lynx)
   • Lynx is a rebranding of INC ransomware.
2. BlackCat (Cicada3301)
   • Cicada3301 is a successor to the BlackCat ransomware group.

Links to Other APT Groups

1. BlackCat
   • Origin: Russian cybercriminal group.
   • Relationship: Cicada3301 is a successor to BlackCat, sharing code and tactics.

Similar Threat Actor Groups

1. REvil

   • Similarities: Use of double extortion tactics and RaaS model.
   • Origin: Russian cybercriminal group.

2. Conti

   • Similarities: Advanced encryption techniques and service termination.
   • Origin: Russian cybercriminal group.

Counter Strategies

1. Enhanced Email Security: Implement advanced email filtering and phishing detection to prevent initial access through phishing emails.

   • Actionable Takeaways: Train employees to recognize phishing attempts and report suspicious emails.

2. Network Segmentation: Segment networks to limit the spread of ransomware and protect critical systems.

   • Actionable Takeaways: Implement strict access controls and monitor network traffic for unusual activity.

Known Victims

1. Electrica Group - Lynx ransomware attack on Romania's energy provider.

   • Actionable Takeaways: Strengthen cybersecurity measures for critical infrastructure.

2. SRP Federal Credit Union - Compromised by Nitrogen ransomware.

   • Actionable Takeaways: Enhance data protection and incident response capabilities.

Forecast

Short-Term Forecast (3-6 months)

1. Increased Targeting of Financial and Retail Sectors by Lynx and Cicada3301

   • Both Lynx and Cicada3301 have shown a pattern of targeting financial services and retail sectors. Given the high value of data and the potential for significant financial gain, these sectors will continue to be prime targets. Lynx's use of double extortion tactics and Cicada3301's advanced evasion techniques will likely lead to more sophisticated and damaging attacks.
   • Examples and references:
     • (2024-12-16) 16th December Threat Intelligence Report
     • (2024-10-10) Lynx Ransomware: A Rebranding of INC Ransomware

2. Evolution of Phishing Techniques

   • Both groups have been leveraging phishing for initial access. In the short term, we can expect more sophisticated phishing campaigns, including spear-phishing and the use of AI-generated content to increase the success rate of these attacks.
   • Examples and references:
     • (2024-09-10) Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

3. Increased Use of Ransomware-as-a-Service (RaaS)

   • Both Lynx and Cicada3301 operate using a RaaS model. This trend will continue to grow, with more affiliates joining these platforms, leading to a higher volume of attacks.
   • Examples and references:
     • (2024-09-10) Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

Long-Term Forecast (12-24 months)

1. Advanced Evasion Techniques and Encryption Algorithms

   • Lynx and Cicada3301 will continue to develop and implement more advanced evasion techniques and encryption algorithms. This will make detection and mitigation more challenging for security teams.
   • Examples and references:
     • (2024-10-10) Lynx Ransomware: A Rebranding of INC Ransomware
     • (2024-09-10) Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

2. Expansion to New Geographical Regions

   • While Lynx has primarily targeted the U.S. and UK, and Cicada3301 has focused on India, Japan, and South Korea, both groups are likely to expand their operations to new regions, including Europe and Southeast Asia, to exploit less prepared targets.
   • Examples and references:
     • (2024-12-16) 16th December Threat Intelligence Report

3. Integration of AI and Machine Learning in Attack Strategies

   • Both threat actors will likely integrate AI and machine learning to enhance their attack strategies, making their campaigns more adaptive and harder to predict.
   • Examples and references:
     • (2024-09-10) Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

Future Considerations

Important Considerations

1. Focus on Advanced Detection and Response Capabilities

   • Organizations need to invest in advanced detection and response capabilities, such as Endpoint Detection and Response (EDR) and Network Detection and Response (NDR), to effectively counter the sophisticated TTPs of Lynx and Cicada3301.
   • Examples and references:
     • (2024-10-10) Lynx Ransomware: A Rebranding of INC Ransomware

2. Enhanced Employee Training Programs

   • Given the reliance on phishing for initial access, enhancing employee training programs to recognize and report phishing attempts will be crucial in mitigating these threats.
   • Examples and references:
     • (2024-09-10) Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

Less Important Considerations

1. Tracking of Lesser-Known Affiliates

   • While tracking the main threat actors is crucial, focusing too much on lesser-known affiliates may divert resources from more significant threats.
   • Examples and references:
     • (2024-09-10) Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

2. Overemphasis on Historical Attack Patterns

   • While historical attack patterns provide valuable insights, overemphasis on them may lead to missing out on emerging trends and new TTPs.
   • Examples and references:
     • (2024-10-10) Lynx Ransomware: A Rebranding of INC Ransomware

Further Research

Breaches and Case Studies

1. Electrica Group - December 2024

   • Description: Lynx ransomware attack on Romania's energy provider.
   • Actionable Takeaways: Implement robust cybersecurity measures for critical infrastructure.

2. SRP Federal Credit Union - October 2024

   • Description: Nitrogen ransomware attack compromising personal data.
   • Actionable Takeaways: Enhance data protection and incident response capabilities.

Followup Research Questions

1. What are the specific countermeasures that have been effective against Lynx and Cicada3301 ransomware attacks?
2. How have the TTPs of Lynx and Cicada3301 evolved over the past year?
3. What are the commonalities and differences in the TTPs of Lynx and Cicada3301 compared to other similar threat actors?
4. What are the potential future trends in ransomware tactics that organizations should be aware of?

Recommendations, Actions and Next Steps

1. Implement Advanced Email Security: Deploy advanced email filtering and phishing detection solutions to prevent initial access through phishing emails.
2. Enhance Network Segmentation: Segment networks to limit the spread of ransomware and protect critical systems.
3. Conduct Regular Security Training: Train employees to recognize phishing attempts and report suspicious emails.
4. Deploy Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to ransomware activities in real-time.
5. Regularly Update and Patch Systems: Ensure all systems are regularly updated and patched to mitigate vulnerabilities.

APPENDIX

References and Citations

1. (2024-12-16) - 16th December Threat Intelligence Report
2. (2024-10-10) - Lynx Ransomware: A Rebranding of INC Ransomware
3. (2024-09-10) - Threat Assessment: Repellent Scorpius, Distributors of Cicada3301

Mitre ATTACK TTPs

1. T1486 - Data Encrypted for Impact
2. T1078 - Valid Accounts
3. T1566 - Phishing
4. T1021 - Remote Services
5. T1059 - Command and Scripting Interpreter

Mitre ATTACK Mitigations

1. M1041 - Encrypt Sensitive Information
2. M1053 - Data Backup
3. M1030 - Network Segmentation
4. M1026 - Privileged Account Management
5. M1056 - Pre-compromise Security Training

AlphaHunt

Get questions like this? Does it take a chunks out of your day? Would you rather be working on more interesting intelligence tasks? Would you like help with the research?

This baseline report was thoughtfully researched and took 5 minutes.. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work..

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0