Lynx ransomware, a malware variant written in the Go programming language, has been identified in cyber attacks attributed to the Buhti ransomware group. This ransomware is designed to encrypt files on compromised systems, appending a specific extension to the affected files and creating a ransom note to demand payment from victims. The use of the Go language allows the malware to be compiled for multiple operating systems, increasing its potential target base.
Investigations into Lynx ransomware incidents have revealed a consistent attack pattern. The threat actors demonstrate a patient, hands-on-keyboard approach, often dwelling within a network for a period before executing the final ransomware payload. This behavior allows them to perform thorough reconnaissance and escalate privileges to maximize the impact of the encryption event.
Initial Access and Reconnaissance
Threat actors deploying Lynx ransomware have been observed gaining initial entry into target networks by exploiting known vulnerabilities. One documented vector is the exploitation of CVE-2021-44228, also known as Log4Shell, a critical vulnerability in the Apache Log4j library. Following a successful exploit, attackers establish persistence and remote access. Analysis of incidents shows the use of legitimate remote access software, such as AnyDesk, which is installed to maintain a foothold within the compromised environment. Once inside, the operators use PowerShell for discovery and reconnaissance, gathering information about the network architecture and identifying high-value targets for encryption.
Lateral Movement and Ransomware Deployment
After establishing initial access and performing reconnaissance, the attackers move laterally across the network to compromise additional systems. This phase of the attack involves the use of tools like PsExec to execute commands on remote machines. The operators also use credential harvesting techniques to acquire legitimate account credentials, which further enables their movement. Before deploying the ransomware, the actors take steps to disable security software to prevent detection and interference. The final stage involves the execution of the Lynx ransomware payload, which systematically encrypts files on targeted devices, including servers and workstations. A ransom note is then created on the encrypted systems, providing instructions for the victim to follow.
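As an added example (not code from the DFIR Report or from any Lynx tooling), the following Python correlates constructed process-creation events against the stages described above: remote-access tool install, PowerShell discovery, PsExec lateral movement and security-software tampering, alerting when one host shows two or more stages inside a time window. The regular expressions, host names, paths and the service name are assumptions chosen for the example, not indicators taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage name -> regex over "image command_line". Patterns are assumptions for this example.
STAGE_PATTERNS = {
    "remote_access_tool": re.compile(r"anydesk\.exe", re.I),
    "powershell_discovery": re.compile(
        r"powershell.*?(get-adcomputer|get-addomain|net\s+view|nltest|whoami)", re.I),
    "psexec_lateral": re.compile(r"(psexesvc\.exe|psexec(64)?\.exe)", re.I),
    "security_tampering": re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\s+\S*(av|defender|edr)", re.I),
}

def classify(event):
    """Return the first stage whose pattern matches the event, or None."""
    text = f"{event['image']} {event['cmdline']}"
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(text):
            return stage
    return None

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Alert on hosts showing >= min_stages distinct stages within `window`
    of their first hit. Returns {host: sorted stage names}."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, seq in hits.items():
        first = seq[0][0]
        stages = {s for ts, s in seq if ts - first <= window}
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts

def _ev(ts, host, image, cmdline):
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}

# Constructed sample telemetry for this example; not real indicators.
SAMPLE_EVENTS = [
    _ev(datetime(2025, 1, 1, 9, 0), "WS01", r"C:\Users\u\AnyDesk.exe", "AnyDesk.exe --install"),
    _ev(datetime(2025, 1, 1, 9, 30), "WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -c Get-ADComputer -Filter *"),
    _ev(datetime(2025, 1, 2, 11, 0), "SRV01", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    _ev(datetime(2025, 1, 2, 11, 5), "SRV01", r"C:\Windows\System32\net.exe", "net stop ExampleAVService"),
    _ev(datetime(2025, 1, 1, 12, 0), "WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Date"),
]
```

Running `correlate(SAMPLE_EVENTS)` flags WS01 (remote-access tool plus discovery) and SRV01 (PsExec plus service stop) while WS02, with a single benign PowerShell command, produces no alert.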
Source: https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/