Earlier this week, we reported that one of Romania’s electricity distributors, Electrica Group, was targeted by a cyber-attack. Electrica is among the key players in Romania’s electricity distribution, and it currently has over 3.8 million customers across several regions, such as Transilvania and Muntenia.
Because the company is dual-listed on the Bucharest and London stock exchanges, the incident first became public through a note to investors, published when the first signs of the intrusion were detected.
Thanks to Electrica’s prompt reaction, none of the company’s core systems were affected; a compromise there would have had serious consequences for many customers. Romania’s Energy Minister also confirmed that the attack involved ransomware, and today there is more information about the incident.
Romania’s DNSC (National Directorate of Cyber Security) joined the response to help contain the incident and confirm that none of the critical energy supply systems were affected. Its investigation attributed the attack to the Lynx ransomware operation, and DNSC published a YARA scanning script so that other teams can check their own systems for the same malicious binary.
As DNSC notes, it “recommends that all entities, especially those in the energy sector, regardless of whether or not they have been affected by the ransomware attack supported by the LYNX Ransomware cybercrime group, scan their IT&C infrastructure for the malicious binary (crypto) by using the YARA scanning script.”
The Center for Internet Security (CIS) notes that Lynx ransomware has been active since at least July 2024 and has claimed nearly 80 victims in the last six months. The operators typically use phishing to harvest credentials; once inside, they terminate processes such as anti-virus and backup software. They also hinder recovery by targeting volume shadow copies, and they practise double extortion, exfiltrating data before encrypting it so that the victim can be pressured with the threat of publication even if backups survive.
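The behaviour CIS describes, deleting shadow copies and stopping backup or anti-virus processes, leaves a recognisable trail in process-creation telemetry, and it is the kind of precursor activity worth alerting on before encryption starts. The script below is an added example for this article, not code from the article, DNSC or CIS. It runs a small set of detection rules over constructed log lines in an assumed pipe-delimited layout (`timestamp|host|user|parent_image|command_line`, loosely modelled on Sysmon Event ID 1 / Security 4688 records), and then correlates hits so that one parent process tripping several distinct rules on the same host within a short window is raised as a high-confidence cluster. The command patterns are generic ransomware tradecraft mapped to MITRE ATT&CK T1490 and T1489, not indicators published for Lynx specifically; hosts, users and paths in the sample are invented.

```python
"""Detection logic for recovery-inhibiting and defence-impairing commands.

Added example; not code from the article, DNSC or CIS. Log layout and all
sample data are assumptions constructed for this demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records: timestamp|host|user|parent_image|command_line
SAMPLE_LOGS = r"""
2024-12-09T03:12:44Z|WS-ACCT-07|CORP\j.pop|C:\Windows\explorer.exe|"C:\Program Files\7-Zip\7z.exe" a report.zip *.xlsx
2024-12-09T03:14:02Z|WS-ACCT-07|CORP\j.pop|C:\Users\j.pop\AppData\Local\Temp\upd.exe|vssadmin.exe delete shadows /all /quiet
2024-12-09T03:14:03Z|WS-ACCT-07|CORP\j.pop|C:\Users\j.pop\AppData\Local\Temp\upd.exe|wmic shadowcopy delete
2024-12-09T03:14:05Z|WS-ACCT-07|CORP\j.pop|C:\Users\j.pop\AppData\Local\Temp\upd.exe|bcdedit /set {default} recoveryenabled No
2024-12-09T03:14:06Z|WS-ACCT-07|CORP\j.pop|C:\Users\j.pop\AppData\Local\Temp\upd.exe|net stop "Veeam Backup Service" /y
2024-12-09T03:14:07Z|WS-ACCT-07|CORP\j.pop|C:\Users\j.pop\AppData\Local\Temp\upd.exe|taskkill /F /IM sqlservr.exe
2024-12-09T03:20:11Z|SRV-BKP-01|CORP\svc_backup|C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe|vssadmin list shadows
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    cmd: str


@dataclass(frozen=True)
class Detection:
    rule: str
    technique: str  # MITRE ATT&CK technique ID
    event: Event


# (rule name, ATT&CK technique, pattern applied to the command line)
# Generic ransomware tradecraft, not indicators published for any one group.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_or_av_service_stop", "T1489",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s.*(backup|veeam|acronis|defender|sophos|antivirus)", re.I)),
    ("forced_process_kill", "T1489",
     re.compile(r"\btaskkill(\.exe)?\s.*/f\b", re.I)),
]


def parse_logs(text):
    """Parse the assumed pipe-delimited layout into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, cmd = line.split("|", 4)
        # fromisoformat() on older Pythons rejects a trailing 'Z'
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            host, user, parent, cmd))
    return events


def detect(events):
    """Apply every rule to every command line; one event may trip several."""
    hits = []
    for ev in events:
        for rule, technique, pattern in RULES:
            if pattern.search(ev.cmd):
                hits.append(Detection(rule, technique, ev))
    return hits


def correlate(detections, window_seconds=300):
    """Cluster hits by (host, parent image). Two or more distinct rules from
    the same parent inside the window is a precursor chain, not an admin
    running a single vssadmin command, so it is reported at high confidence."""
    by_key = defaultdict(list)
    for d in detections:
        by_key[(d.event.host, d.event.parent)].append(d)
    clusters = []
    for (host, parent), ds in by_key.items():
        ds.sort(key=lambda d: d.event.ts)
        rules = sorted({d.rule for d in ds})
        span = (ds[-1].event.ts - ds[0].event.ts).total_seconds()
        if len(rules) >= 2 and span <= window_seconds:
            clusters.append({
                "host": host, "parent": parent, "rules": rules,
                "techniques": sorted({d.technique for d in ds}),
                "first_seen": ds[0].event.ts.isoformat(), "events": len(ds),
            })
    return clusters


if __name__ == "__main__":
    for c in correlate(detect(parse_logs(SAMPLE_LOGS))):
        print(f"[HIGH] {c['host']} parent={c['parent']} rules={c['rules']} "
              f"techniques={c['techniques']} first_seen={c['first_seen']}")
```

Note the legitimate `vssadmin list shadows` from the backup server's own service process produces no hit, and a single isolated hit is still reported by `detect()` but never promoted by `correlate()`; tuning the window and the service-name list to your own estate is the part that needs local knowledge.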
The Lynx encryptor is believed to be built on the source code of the INC Ransom malware, which was offered for sale on the Exploit and XSS hacking forums for $300,000 in May of this year. Before the sale, INC Ransom was responsible for numerous breaches of education, healthcare, government and industrial entities.