[ Lynx Ransomware ]
[ Virus/malicious code activity reported: Lynx ransomware ]
We are aware of a security breach that is believed to involve Lynx ransomware.
We are providing the following information and warnings about the situation.
Lynx ransomware
The ransomware is called Lynx, and it appears to rename every file to filename.extension.LYNX.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
Lynx is a C++-based ransomware that uses a duplicate storage mutex and calls GetLogicalDrives so that it attacks not only regular drives but also external devices and network drives. One notable feature is that, during the attack, it additionally searches for “microsoft sql server” under the “Program Files” folders (both x64 and x86). After the attack is complete, it uses OpenPrinter to issue a printer command to all available targets.
[Figure 3 Code to check the drive and description of GetDriveType in MS documentation]
[Figure 4 Internal code for creating an image in the Temp folder and the created image]
[Figure 5: Relevant code for issuing printer commands after an attack]
Infection results
A guide file (ransom note) named <README.txt> is created in each folder location, and each encrypted file is renamed to <file name.extension.Lynx>.
[Figure 6 Infection results]
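The infection results above can be turned into a quick triage check for incident response. The following Python script is an added example, not code from WhiteDefender or from the original page: it walks a directory tree and reports folders that contain files matching the <file name.extension.Lynx> pattern, noting whether a README.txt guide file sits beside them. The function names and the sample folder layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

NOTE_NAME = "readme.txt"   # guide file name reported on the page
LOCKED_SUFFIX = ".lynx"    # page shows .LYNX and .Lynx, so compare case-insensitively


def original_name(name):
    """Return the pre-encryption name for 'file.ext.Lynx', else None."""
    if not name.lower().endswith(LOCKED_SUFFIX):
        return None
    stem = name[: -len(LOCKED_SUFFIX)]
    # The reported pattern keeps the original extension in front of the marker.
    return stem if Path(stem).suffix else None


def triage(root):
    """Walk root and summarise folders showing the reported rename pattern."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        locked = sorted(f for f in files if original_name(f))
        if not locked:
            continue  # a README.txt on its own is too common to count as a hit
        note = any(f.lower() == NOTE_NAME for f in files)
        # Files not yet renamed suggest the run was interrupted in this folder.
        intact = sorted(f for f in files
                        if not original_name(f) and f.lower() != NOTE_NAME)
        findings.append({"folder": os.path.relpath(folder, root),
                         "locked": locked, "note": note, "intact": intact})
    return findings


def build_sample(root):
    """Constructed sample tree with empty files (not real incident data)."""
    layout = {
        "finance": ["q1.xlsx.LYNX", "q2.xlsx.Lynx", "README.txt"],
        "docs": ["plan.docx.lynx", "notes.txt"],
        "clean": ["README.txt", "photo.jpg"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            Path(root, sub, n).write_bytes(b"")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in triage(build_sample(tmp)):
            print(hit)
```

Point triage() at a mounted copy or forensic image of an affected volume rather than the live system, so the scan does not alter file timestamps on evidence.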
WhiteDefender Response
WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before those actions were blocked.
[Figure 7 Blocking Message]