Cyble LYNX Ransomware

Overview

The Romanian National Cyber Security Directorate (DNSC) has issued a critical advisory urging all entities, especially those in the energy sector, to scan their IT and critical infrastructure for malicious binaries associated with the LYNX ransomware cybercrime group. This recommendation follows a ransomware attack targeting the Electrica Group, Romania’s leading energy provider.

DNSC said even organizations unaffected by the attack must act proactively to detect and mitigate potential risks. The Directorate advised using the provided YARA scanning scripts to identify the malicious binary and prevent further infiltration.

The Electrica Group Ransomware Incident

On December 9, 2024, the Electrica Group reported a ransomware attack to DNSC and claimed that the ‘cyberattack was in progress.’ The incident prompted immediate intervention from DNSC specialists and other national authorities. While critical power supply systems remain operational, investigations into the attack are ongoing.

Electrica Group, in its notification to the London Stock Exchange, reaffirmed its commitment to managing the incident swiftly and transparently. CEO Alexandru Aurelian Chirita told stakeholders that the company’s primary focus is maintaining the continuity of electricity distribution and protecting sensitive data.

The Group urged consumers to remain vigilant against potential scams and avoid sharing personal information through unsecured channels.

Validated Indicators of Compromise (IOCs)

DNSC has released critical technical details to aid entities in identifying LYNX ransomware activity. Key IOCs include:

  • File hash: c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72
  • Malicious URL: hXXp://lynxblog.net/

The accompanying YARA rules were specifically designed to detect LYNX ransomware binaries. Entities should use these rules to perform thorough scans of their IT environments.

YARA Rules:

rule ransomware_LYNX_1 {
   meta:
      description = "Detect LYNX ransomware"
      author = "DNSC"
      date = "2024-12-10"
      hash1 = "c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72"
   strings:
      $s1 = "[+] Successfully decoded readme!" fullword ascii
      $s2 = "[-] Failed to get service information for %s: %s" fullword wide
      $s3 = "--file C:\\temp.txt,D:\\temp2.txt" fullword ascii
      $s4 = "--file C:\\temp.txt" fullword ascii
      $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s6 = "[-] Failed to open service manager for %s: %s" fullword wide
      $s7 = "[-] Failed to open service handle for %s: %s" fullword wide
      $s8 = "[-] Failed to enum dependent services for %s: %s" fullword wide
      $s9 = "[-] Failed to kill dependent services for %s: %s" fullword wide
      $s10 = "[%s] Try to stop processes via RestartManager" fullword wide
      $s11 = "[%s] Kill processes and services" fullword wide
      $s12 = "Load hidden drives (will corrupt boot loader)" fullword ascii
      $s13 = "README.txt" fullword wide
      $s14 = "[-] Failed to mount %s: %s" fullword wide
      $s15 = "[-] Failed to decode readme: %s" fullword ascii
      $s16 = "Try to stop processes via RestartManager" fullword ascii
      $s17 = "Kill processes/services" ascii fullword
      $s18 = "--stop-processes " ascii fullword
      $s19 = "--stop-processes" fullword wide
      $s20 = "[%s] Encrypt network shares" fullword wide
      $op0 = { e8 22 c8 01 00 01 46 30 6a 00 11 56 34 6a 13 ff }
      $op1 = { 23 d1 89 55 d0 8b 55 e4 81 f2 ff ff ff 03 f7 d2 }
      $op2 = { 23 d1 89 55 d4 8b d7 81 f2 ff ff ff 01 f7 d2 8b }
   condition:
      uint16(0) == 0x5a4d and filesize < 500KB and
      ( 8 of them and all of ($op*) )
}

rule ransomware_LYNX_2 {
   meta:
      description = "Detect LYNX ransomware"
      score = 80
      md5 = "2E8607221B4AB0EB80DE460136700226"
   strings:
      $s1 = "tarting full encryption in" wide
      $s2 = "oad hidden drives" wide
      $s3 = "ending note to printers" ascii
      $s4 = "successfully delete shadow copies from %c:/" wide
      $op1 = { 33 C9 03 C6 83 C0 02 0F 92 C1 F7 D9 0B C8 51 E8 }
      $op2 = { 8B 44 24 [1-4] 6A 00 50 FF 35 ?? ?? ?? ?? 50 FF 15 }
      $op3 = { 57 50 8D 45 ?? C7 45 ?? 00 00 00 00 50 6A 00 6A 00 6A 02 6A 00 6A 02 C7 45 ?? 00 00 00 00 FF D6 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 04 8B F8 8D 45 ?? 50 8D 45 ?? 50 FF 75 ?? 57 6A 02 6A 00 6A 02 FF D6 }
      $op4 = { 6A FF 8D 4? ?? 5? 8D 4? ?? 5? 8D 4? ?? 5? 5? FF 15 ?? ?? ?? ?? 85 C0 }
      $op5 = { 56 6A 00 68 01 00 10 00 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 74 ?? 6A 00 56 FF 15 ?? ?? ?? ?? 68 88 13 00 00 56 FF 15 ?? ?? ?? ?? 56 FF 15 }
   condition:
      uint16(0) == 0x5A4D and
      (
         3 of ($s*)
         or 3 of ($op*)
         or ( 2 of ($s*) and 2 of ($op*) )
      )
}
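
As an added illustration, not part of the DNSC advisory or of Cyble's post, the Python below emulates what rule ransomware_LYNX_1 actually evaluates, so a match reported by a scanner can be reasoned about: the MZ header and filesize guards, the difference between ascii and wide (UTF-16LE) string encodings with fullword boundaries, and the "8 of them and all of ($op*)" count. Only eight of the rule's twenty text strings are carried over; the three opcode patterns are copied from the rule unchanged, and the hash IOC is left to an ordinary SHA-256 compare.

```python
# Eight of rule ransomware_LYNX_1's twenty text strings (with their YARA modifier) and all 3 opcodes.
RULE1_STRINGS = [
    ("[+] Successfully decoded readme!", "ascii"),
    ("[-] Failed to get service information for %s: %s", "wide"),
    ("AppPolicyGetProcessTerminationMethod", "ascii"),
    ("[%s] Try to stop processes via RestartManager", "wide"),
    ("Load hidden drives (will corrupt boot loader)", "ascii"),
    ("README.txt", "wide"),
    ("--stop-processes", "wide"),
    ("[%s] Encrypt network shares", "wide"),
]
RULE1_OPCODES = [
    bytes.fromhex("e8 22 c8 01 00 01 46 30 6a 00 11 56 34 6a 13 ff"),
    bytes.fromhex("23 d1 89 55 d0 8b 55 e4 81 f2 ff ff ff 03 f7 d2"),
    bytes.fromhex("23 d1 89 55 d4 8b d7 81 f2 ff ff ff 01 f7 d2 8b"),
]

def _is_alnum(chunk: bytes, step: int) -> bool:
    # step 1: one ascii byte; step 2: one UTF-16LE code unit (low byte, zero high byte)
    if len(chunk) < step or (step == 2 and chunk[1] != 0):
        return False
    return chunk[0] < 0x80 and chr(chunk[0]).isalnum()

def fullword_match(data: bytes, text: str, enc: str) -> bool:
    """Emulate YARA `fullword ascii` / `fullword wide`: no alphanumeric neighbour."""
    step = 1 if enc == "ascii" else 2
    needle = text.encode("ascii" if enc == "ascii" else "utf-16-le")
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        before, after = data[max(pos - step, 0):pos], data[end:end + step]
        if not _is_alnum(before, step) and not _is_alnum(after, step):
            return True
        pos = data.find(needle, pos + 1)
    return False

def matches_rule1(data: bytes) -> bool:
    """Apply the condition of ransomware_LYNX_1 to an in-memory file image."""
    if data[:2] != b"MZ" or len(data) >= 500 * 1024:  # uint16(0) == 0x5a4d and filesize < 500KB
        return False
    hits = sum(fullword_match(data, t, e) for t, e in RULE1_STRINGS)
    op_hits = sum(op in data for op in RULE1_OPCODES)
    # "8 of them and all of ($op*)": `them` counts text and opcode strings alike.
    return hits + op_hits >= 8 and op_hits == len(RULE1_OPCODES)
```

Feed it file contents read in binary mode (`matches_rule1(open(path, "rb").read())`); because only a subset of the text strings is included, a file the real rule flags may need more than eight of the original twenty to reach the threshold here, so treat this as an explainer, not a replacement for the YARA scan.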

Recommendations for Incident Containment

DNSC advises all organizations, particularly in the energy sector, to adopt the following steps immediately:

Scan and Isolate:

  • Use the YARA scanning script to identify the malicious binary.
  • Isolate affected systems from the network to prevent further spread.

Preserve Evidence:

  • Retain copies of ransom notes and communications from attackers for investigative purposes.
  • Collect relevant logs from affected devices, network equipment, and firewalls.

Analyze and Secure:

  • Examine system logs to identify the initial compromise vector.
  • Update all software, applications, and operating systems to address known vulnerabilities.

Notify Stakeholders:

  • Inform employees, customers, and business partners about the incident.
  • Remain vigilant against phishing messages purporting to be from trusted entities.

Leverage Available Resources:

Broader Call to Action

DNSC’s proactive measures highlight the escalating threats facing critical infrastructure. The energy sector, often targeted due to its vital role, must remain vigilant. The Directorate stresses that paying the ransom is strongly discouraged, as it fuels criminal activities and does not guarantee data recovery.

DNSC’s collaboration with national authorities underscores the importance of a united response to cyber threats. Organizations must implement robust security practices and participate in information-sharing initiatives to strengthen collective defenses.

A Critical Reminder

The LYNX ransomware attack exposes the vulnerabilities within IT and operational technology (OT) infrastructures. While Electrica Group’s critical systems remain intact, the incident underscores the importance of proactive measures, including scanning for IOCs, isolating threats, and updating defenses.

Organizations across all sectors should act decisively to safeguard their operations. DNSC’s guidance is a roadmap for preventing ransomware attacks and minimizing their impact on critical infrastructure. By taking these steps, entities can strengthen their cybersecurity posture and contribute to a safer digital ecosystem.

References:

https://dnsc.ro/citeste/alerta-lynx-ransomware-indicators-of-compromise-iocs

https://www.londonstockexchange.com/news-article/ELSA/cyber-attack-in-progress/16802405

The post Romania Urges Energy Sector of Proactive Scanning Amid LYNX Ransomware Threat appeared first on Cyble.