Introduction
On July 22, 2025, AttackIQ introduced Ransom Tales, an initiative focused on routinely emulating the Tactics, Techniques, and Procedures (TTPs) associated with the prolific ransomware families currently dominating the threat landscape. Each volume in this series is designed to dissect the operational behaviors of multiple ransomware families and translate them into realistic emulations that defenders can employ to rigorously challenge their security controls and enhance resilience against disruptive and extortive threats.
In this third volume, AttackIQ presents three new attack graphs that emulate the Tactics, Techniques and Procedures (TTPs) associated with the INC, Lynx and SafePay ransomware families with the objective of assisting customers in validating their security controls and their ability to defend against these disruptive and extortive threats.
Validating your security program performance against these behaviors is vital in reducing risk. By employing these assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against baseline behaviors associated with prolific and sophisticated ransomware strains.
- Assess their security posture against opportunistic and financially motivated adversaries that do not discriminate when selecting their targets.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the adversaries currently focused on ransomware activities.
Malware Emulation – INC
INC Ransomware – 2024-10 – Associated Tactics, Techniques and Procedures (TTPs)

INC, also known as GOLD IONIC and Water Anito, is a sophisticated ransomware and data extortion operation that emerged in July 2023. Since its emergence, it has established itself as a notable threat within the ransomware ecosystem, employing a double extortion model that combines data theft with encryption and public exposure. It is known for its broad targeting across industries and geographies, with activities spanning the Healthcare, Education, Government, Technology, and Manufacturing sectors, particularly in the United States and Europe.
Operators of INC ransomware position themselves as a “service” to their victims, framing ransom payments as an approach to “safeguard reputation” while claiming that disclosure of their intrusion methods ultimately strengthens the victim’s security posture. They operate two Dedicated Leak Sites (DLSs): a victim-only portal that requires login credentials supplied by the operators, used for negotiations and communication, and a public leak site where stolen information is published if victims refuse to comply.
From a technical standpoint, INC demonstrates sophisticated tradecraft, leveraging multiple malware families and legitimate tools to conduct its activities. This includes the use of AdFind for reconnaissance, PsExec for remote command execution, and Rclone for data exfiltration.
In December 2023, the group released a Linux variant of its ransomware, followed by an updated Windows version in March 2024. Months later, in July 2024, the Lynx ransomware group, also tracked as Water Lalawag, allegedly purchased source code from the INC operators, though these claims remain unconfirmed.
Initial Access & Persistence – INC Ransomware Deployment

This stage begins with the deployment of the INC ransomware, executed through the creation of a new process using Windows Management Instrumentation (WMI). Once operational, it establishes persistence through the creation of a new service and attempts to detect the presence of a debugger through the IsDebuggerPresent Windows API.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk as two independent scenarios, testing whether network and endpoint controls prevent the delivery of known malicious samples.
Windows Management Instrumentation (WMI) (T1047): This scenario executes a binary by using the Windows Management Instrumentation (WMI) console.
Create or Modify System Process: Windows Service (T1543.003): This scenario creates a service through the SC Windows utility.
Virtualization/Sandbox Evasion (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
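The deployment stage above pairs two behaviors that are individually noisy in a managed Windows estate (processes spawned by WMI, and services created with sc.exe) but rarely occur together within minutes on the same host. The following is an added example of a correlation check over process-creation telemetry; it is not AttackIQ code or part of the emulation. The records are constructed Sysmon Event ID 1-style samples, and the host names, paths, service name and five-minute window are assumptions.

```python
"""Correlate a WMI-spawned process with a following 'sc create' on the same host.
Telemetry below is constructed for the example (Sysmon Event ID 1 shape), not
from a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one INC-like chain on WS01, benign activity on WS02.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T09:00:01", "host": "WS01",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": "WmiPrvSE.exe -secured -Embedding"},
    {"ts": "2025-10-01T09:00:03", "host": "WS01",
     "image": r"C:\Users\Public\update.exe",              # assumed dropper path
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"C:\Users\Public\update.exe"},
    {"ts": "2025-10-01T09:00:07", "host": "WS01",
     "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Users\Public\update.exe",
     "cmd": r'sc create UpdSvc binPath= "C:\Users\Public\update.exe" start= auto'},
    # Benign noise: a management agent launched via WMI, and an admin creating
    # an unrelated service hours later.
    {"ts": "2025-10-01T09:10:00", "host": "WS02",
     "image": r"C:\Windows\CCM\CcmExec.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "CcmExec.exe"},
    {"ts": "2025-10-01T14:00:00", "host": "WS02",
     "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'sc create AgentSvc binPath= "C:\Program Files\Agent\agent.exe"'},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def _base(path):
    """File name of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_wmi_spawn(ev):
    return _base(ev["parent"]) == "wmiprvse.exe"


def is_service_create(ev):
    toks = ev["cmd"].lower().split()
    return _base(ev["image"]) == "sc.exe" and "create" in toks


def find_deployment_chains(events, window=WINDOW):
    """Return one alert per WMI-spawned process that is followed within `window`
    by an sc.exe 'create' on the same host.  Correlating the two steps removes
    most of the noise either indicator produces on its own."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        spawns = [e for e in evs if is_wmi_spawn(e)]
        creates = [e for e in evs if is_service_create(e)]
        for s in spawns:
            t0 = datetime.fromisoformat(s["ts"])
            for c in creates:
                t1 = datetime.fromisoformat(c["ts"])
                if t0 <= t1 <= t0 + window:
                    alerts.append({"host": host, "wmi_child": s["image"],
                                   "service_cmd": c["cmd"],
                                   "seconds_apart": int((t1 - t0).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_deployment_chains(SAMPLE_EVENTS):
        print(alert)
```

Only the WS01 chain is reported; the WMI-launched management agent and the later administrative service creation on WS02 never fall inside the same window, which is the point of correlating rather than alerting on each step alone.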
Discovery & Credential Access – Account Discovery

This stage begins with system information discovery using the GetSystemInfo API and the retrieval of the Machine Globally Unique Identifier (GUID) from the Windows Registry.
Next, it performs volume discovery through the FindFirstVolumeW and FindNextVolumeW APIs, determines drive types via GetDriveTypeW, and conducts file enumeration across accessible volumes using the FindFirstFileW and FindNextFileW APIs.
Finally, INC encrypts the identified files using a combination of AES-256 in CBC mode for file encryption with RSA-2048 for key encryption.
System Information Discovery (T1082): This scenario executes the GetSystemInfo Windows native API call to retrieve system information. This can be used to detect sandboxes, create unique identifiers, and adjust execution behaviors.
Query Registry (T1012): This scenario queries the MachineGUID value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains the unique identifier of the system.
System Information Discovery (T1082): This scenario executes the FindFirstVolumeW and FindNextVolumeW Windows API calls to iterate through the available volumes of the system.
System Information Discovery (T1082): This scenario executes the GetDriveTypeW Windows API call to retrieve information regarding the system’s physical drives.
File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by INC ransomware.
Malware Emulation – Lynx
Lynx Ransomware – 2024-10 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of Lynx ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
Lynx is a highly capable ransomware strain, operated under the Ransomware-as-a-Service (RaaS) business model, that emerged in July 2024. In its launch statement, the operators described their operation as financially motivated yet “ethical”, asserting a self-imposed policy against targeting Governments, Hospitals, or Non-profit Organizations. Since its emergence, Lynx has targeted multiple organizations across diverse industries, including Retail, Real Estate, Architecture, Finance, and Environmental Services, primarily in the United States and the United Kingdom.
Technical analysis indicates that Lynx exhibits significant code overlap with INC ransomware, suggesting its operators have acquired and repurposed INC’s source code. Although INC supports both Windows and Linux variants, Lynx has so far only been observed in Windows samples.
Once operational, Lynx encrypts critical files, appends the “.lynx” extension, and systematically deletes backup mechanisms such as shadow copies to impede recovery. A distinctive feature of its operations is the distribution of ransom notes through network-connected printers.
Initial Access & Privilege Escalation – Lynx Ransomware Deployment

This stage begins with the deployment of the Lynx ransomware, which, once operational, attempts to detect the presence of a debugger through the IsDebuggerPresent Windows API. Following this, Lynx enables the SeTakeOwnershipPrivilege via the AdjustTokenPrivileges API, allowing it to assume ownership of secured objects regardless of existing access permissions.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk as two independent scenarios, testing whether network and endpoint controls prevent the delivery of known malicious samples.
Virtualization/Sandbox Evasion (T1497): This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
Access Token Manipulation (T1134): This scenario enables the SeTakeOwnershipPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
Discovery – System and Network Reconnaissance

This stage begins with system information discovery using the GetSystemInfo API. Next, it enumerates processes through CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs, while simultaneously collecting information on active services via the QueryServiceStatusEx and EnumDependentServices APIs.
Subsequently, Lynx performs network resource discovery using WNetOpenEnumW and WNetEnumResourceW APIs, and ultimately exfiltrates the gathered information through HTTP POST requests.
System Information Discovery (T1082): This scenario executes the GetSystemInfo Native API call to retrieve information associated with the system.
Process Discovery (T1057): This scenario uses the Windows API to retrieve a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process entry with Process32FirstW and Process32NextW.
System Service Discovery (T1007): This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information pertaining to a given service.
System Network Connections Discovery (T1049): This scenario executes the WNetOpenEnumW and WNetEnumResourceW Windows API calls to enumerate network resources from the local computer.
Exfiltration Over C2 Channel (T1041): This scenario simulates the exfiltration of sensitive data by transmitting a text file with password patterns through HTTP POST requests.
Exfiltration & Impact – Lynx Ransomware Encryption
This stage begins with system volume discovery through the FindFirstVolumeW and FindNextVolumeW APIs, followed by determining the drive types using GetDriveTypeW. It then proceeds to enumerate files across accessible volumes via the FindFirstFileW and FindNextFileW APIs. Finally, Lynx encrypts the identified files using a combination of AES-256 in CBC mode for file encryption with RSA-2048 for key encryption. Once completed, it will enumerate every printer connected to the system through the EnumPrintersW API.
System Information Discovery (T1082): This scenario executes the FindFirstVolumeW and FindNextVolumeW Windows API calls to iterate through the available volumes of the system.
System Information Discovery (T1082): This scenario executes the GetDriveTypeW Windows API call to retrieve information regarding the system’s physical drives.
File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Lynx ransomware.
Peripheral Device Discovery (T1120): This scenario enumerates printers connected to the compromised system.
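The Data Encrypted for Impact scenarios in this stage, and the equivalent INC and SafePay scenarios, all encrypt files matching an extension list in place; Lynx additionally appends “.lynx”. Whatever the cipher, the observable on the endpoint is a single process producing many files with one new extension in a few seconds, often with the original extension still visible underneath. The following is an added example of a burst detector over file-creation telemetry; it is not AttackIQ code or part of the emulation. The events are constructed Sysmon Event ID 11-style records, and the threshold, window, process paths and file names are assumptions.

```python
"""Alert when one process creates many files sharing a new extension within a
short window.  Events are constructed for the example (Sysmon Event ID 11
FileCreate shape); threshold and window are tuning assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20              # assumed: files with one extension inside the window
WINDOW = timedelta(seconds=10)


def constructed_events():
    """Constructed telemetry: an assumed lynx.exe writing 30 '.lynx' files at
    200 ms intervals, plus Word writing temp files every 30 seconds."""
    events = []
    t = datetime(2025, 10, 1, 9, 0, 0)
    for i in range(30):
        events.append({"ts": t + timedelta(milliseconds=200 * i), "pid": 4242,
                       "image": r"C:\Users\jdoe\AppData\Local\Temp\lynx.exe",
                       "path": rf"C:\Users\jdoe\Documents\report_{i}.docx.lynx"})
    for i in range(30):
        events.append({"ts": t + timedelta(seconds=30 * i), "pid": 1337,
                       "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       "path": rf"C:\Users\jdoe\Documents\~WRL{i:04d}.tmp"})
    return events


def appended_extension(path):
    """Return (original_ext, new_ext).  original_ext is None unless the file
    kept its old extension under a newly appended one (report.docx.lynx)."""
    name = path.rsplit("\\", 1)[-1]
    parts = name.split(".")
    if len(parts) >= 3:
        return "." + parts[-2].lower(), "." + parts[-1].lower()
    return None, ("." + parts[-1].lower() if len(parts) == 2 else "")


def detect_encryption_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Slide a time window over each process's file creates; raise one alert per
    (pid, extension) once `threshold` files with that extension sit in the window."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[ev["pid"]].append(ev)
    alerts = {}
    for pid, evs in by_proc.items():
        recent = deque()
        for ev in evs:
            orig, ext = appended_extension(ev["path"])
            recent.append((ev["ts"], ext, orig))
            while recent and ev["ts"] - recent[0][0] > window:
                recent.popleft()
            same_ext = [r for r in recent if r[1] == ext]
            if len(same_ext) >= threshold and (pid, ext) not in alerts:
                alerts[(pid, ext)] = {
                    "pid": pid, "image": ev["image"], "extension": ext,
                    "files_in_window": len(same_ext),
                    # True when files kept their original extension underneath,
                    # a strong hint of in-place encryption rather than new output.
                    "double_extension": any(r[2] is not None for r in same_ext),
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_encryption_bursts(constructed_events()):
        print(alert)
```

Word's temporary files never reach the threshold because they are spread 30 seconds apart, while the burst of “.docx.lynx” files trips the rule at the twentieth file. Tune the threshold against build servers and backup agents, which legitimately write many same-extension files quickly but normally do not preserve an older extension underneath.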
Malware Emulation – SafePay
SafePay Ransomware – 2025-06 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of SafePay ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.
SafePay is a ransomware strain that emerged in September 2024 and has since expanded rapidly, affecting more than 200 organizations worldwide. Its targets include Managed Service Providers (MSPs) and Small-to-Midsize Businesses (SMBs) across diverse sectors. Since 2025, SafePay has escalated its activities, with campaigns heavily concentrated on targets in the United States, the United Kingdom, and Germany.
It remains unclear whether SafePay represents an entirely new ransomware strain or a rebranded continuation of an existing operation. Technical overlaps indicate similarities to the LockBit ransomware family, particularly LockBit 3.0, also known as “LockBit Black”, whose builder source code was leaked in 2022 and subsequently fueled the emergence of numerous derivatives. Beyond these similarities, SafePay incorporates features associated with other prominent groups, including ALPHV and INC ransomware.
Execution & Privilege Escalation – SafePay Ransomware Deployment

This stage begins with the deployment of the SafePay ransomware, which is executed through regsvr32.exe. Once operational, SafePay enables the SeDebugPrivilege via the AdjustTokenPrivileges Windows API, which grants the capability to interact with and manipulate protected processes.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk as two independent scenarios, testing whether network and endpoint controls prevent the delivery of known malicious samples.
System Binary Proxy Execution: Regsvr32 (T1218.010): This scenario executes the RegSvr32 Windows utility to register a Component Object Model (COM) DLL and execute its exported DllRegisterServer function.
Access Token Manipulation (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.
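Both the Lynx scenario (SeTakeOwnershipPrivilege) and the SafePay scenario above (SeDebugPrivilege) enable a sensitive privilege with AdjustTokenPrivileges. Windows records that action as Security Event 4703 (“A user right was adjusted”), which lists the enabled and disabled privileges together with the process name. The following is an added example of a triage filter over such records; it is not AttackIQ code or part of the emulation. The records are constructed samples shaped after the 4703 fields, and the allowlist of system binaries is an assumption that must be tuned per environment, since system components enable these privileges constantly.

```python
"""Flag non-allowlisted processes enabling SeDebugPrivilege or
SeTakeOwnershipPrivilege, from records shaped after Security Event 4703.
Records are constructed for the example; the allowlist is an assumption."""

SENSITIVE = {"sedebugprivilege", "setakeownershipprivilege"}

# Assumed allowlist: components that routinely enable these privileges.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\taskmgr.exe",
}

# Constructed 4703-style records.  The event lists privileges one per line,
# tab-indented, and uses "-" when a list is empty.
SAMPLE_4703 = [
    {"Process Name": r"C:\Windows\System32\svchost.exe",
     "Subject": r"NT AUTHORITY\SYSTEM",
     "Enabled Privileges": "SeDebugPrivilege", "Disabled Privileges": "-"},
    {"Process Name": r"C:\Users\jdoe\AppData\Local\Temp\lynx.exe",   # assumed path
     "Subject": r"CORP\jdoe",
     "Enabled Privileges": "SeTakeOwnershipPrivilege\r\n\t\t\tSeBackupPrivilege",
     "Disabled Privileges": "-"},
    {"Process Name": r"C:\Windows\System32\cmd.exe", "Subject": r"CORP\admin",
     "Enabled Privileges": "-", "Disabled Privileges": "SeDebugPrivilege"},
    {"Process Name": r"C:\Windows\System32\regsvr32.exe",            # DLL host
     "Subject": r"CORP\jdoe",
     "Enabled Privileges": "SeDebugPrivilege", "Disabled Privileges": "-"},
    {"Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Subject": r"CORP\admin",
     "Enabled Privileges": "SeShutdownPrivilege", "Disabled Privileges": "-"},
]


def parse_privileges(field):
    """Normalise the multi-line privilege list to a lower-cased set."""
    return {p.strip().lower() for p in field.split() if p.strip()}


def flag_sensitive_privilege_use(records, allowlist=ALLOWLIST):
    """Return hits for records whose *enabled* list contains a sensitive
    privilege and whose process is not allowlisted.  Disabled-only records are
    ignored: dropping a privilege is not the behavior of interest."""
    hits = []
    for rec in records:
        proc = rec.get("Process Name", "").lower()
        enabled = parse_privileges(rec.get("Enabled Privileges", ""))
        hit = enabled & SENSITIVE
        if hit and proc not in allowlist:
            hits.append({"process": rec["Process Name"], "subject": rec["Subject"],
                         "privileges": sorted(hit)})
    return hits


if __name__ == "__main__":
    for hit in flag_sensitive_privilege_use(SAMPLE_4703):
        print(hit)
```

The svchost record is suppressed by the allowlist, the cmd.exe record only disables a privilege, and PowerShell enables nothing sensitive; what remains is the user-profile executable taking SeTakeOwnershipPrivilege and regsvr32.exe, a DLL host that has no ordinary reason to hold SeDebugPrivilege. Matching on the full path rather than the file name matters here, because a renamed copy of svchost.exe in a user-writable directory should not inherit the allowlist entry.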
Discovery & Impact – SafePay Ransomware Encryption

This stage begins with process enumeration using the CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW Windows APIs. It then enumerates logical drives via GetLogicalDrives, discovers volumes with FindFirstVolumeW and FindNextVolumeW, and determines drive types through GetDriveTypeW. Drive-specific attributes are then retrieved using DeviceIoControl with the IOCTL_STORAGE_QUERY_PROPERTY control code. File enumeration across accessible volumes is performed through FindFirstFileW and FindNextFileW.
Finally, SafePay deletes existing Volume Shadow Copies through a Windows Management Instrumentation (WMI) command before proceeding with the encryption of the identified files.
Process Discovery (T1057): This scenario uses the Windows API to retrieve a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process entry with Process32FirstW and Process32NextW.
System Information Discovery (T1082): This scenario executes the GetLogicalDrives Windows API call to retrieve the currently available disk drives.
System Information Discovery (T1082): This scenario executes the FindFirstVolumeW and FindNextVolumeW Windows API calls to iterate through the available volumes of the system.
System Information Discovery (T1082): This scenario executes the GetDriveTypeW Windows API call to retrieve information regarding the system’s physical drives.
System Information Discovery (T1082): This scenario executes the DeviceIoControl API with the IOCTL_STORAGE_QUERY_PROPERTY argument to retrieve system drive information, such as the serial number, to profile the target’s system.
File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.
Inhibit System Recovery (T1490): This scenario executes the wmic shadowcopy delete command to delete a Volume Shadow Copy created by the emulation.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by multiple ransomware strains.
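The Inhibit System Recovery scenario above runs wmic shadowcopy delete, a command with almost no legitimate interactive use and one of the highest-confidence ransomware precursors available to a SOC. Matching it reliably requires normalizing the command line first: the binary may be invoked by full path or with its .exe suffix, arguments may be quoted, and the WHERE clause may sit between shadowcopy and delete. The following is an added example of a normalizing command-line matcher; it is not AttackIQ code or part of the emulation. It generalizes beyond the page's wmic example to the vssadmin and PowerShell Win32_ShadowCopy variants of the same technique, which is my addition, and the sample command lines (including the placeholder GUID) are constructed.

```python
"""Normalize Windows process command lines and match shadow-copy deletion
variants.  Sample command lines are constructed for the example."""


def normalize(cmdline):
    """Lower-case, drop quotes, and reduce the program token to its bare name
    (no directory, no .exe) so 'C:\\...\\WMIC.exe' and 'wmic' compare equal."""
    toks = cmdline.lower().replace('"', "").replace("'", "").split()
    if toks:
        prog = toks[0].rsplit("\\", 1)[-1]
        toks[0] = prog[:-4] if prog.endswith(".exe") else prog
    return toks


def _in_order(toks, *needles):
    """True when every needle appears as a whole token, in the given order,
    with arbitrary tokens (e.g. a WHERE clause or /node: switch) in between."""
    pos = 0
    for needle in needles:
        try:
            pos = toks.index(needle, pos) + 1
        except ValueError:
            return False
    return True


def _powershell_shadowcopy_removal(toks):
    return (bool(toks) and toks[0] in ("powershell", "pwsh")
            and any("win32_shadowcopy" in t for t in toks)
            and any(t in ("remove-wmiobject", "remove-ciminstance") or ".delete(" in t
                    for t in toks))


# Rule name -> predicate over normalized tokens.
RULES = {
    "wmic_shadowcopy_delete": lambda t: _in_order(t, "wmic", "shadowcopy", "delete"),
    "vssadmin_delete_shadows": lambda t: _in_order(t, "vssadmin", "delete", "shadows"),
    "powershell_shadowcopy_removal": _powershell_shadowcopy_removal,
}

# Constructed command lines: four deletion variants and two benign look-alikes.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete",
    r'wmic /node:"FS01" shadowcopy where "ID=\'{PLACEHOLDER-GUID}\'" delete',
    r"vssadmin.exe Delete Shadows /All /Quiet",
    r'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    r"wmic process list brief",
    r"vssadmin list shadows",
]


def scan(cmdlines, rules=RULES):
    """Return (command line, rule name) for each command line matching a rule."""
    hits = []
    for cmd in cmdlines:
        toks = normalize(cmd)
        for name, rule in rules.items():
            if rule(toks):
                hits.append((cmd, name))
                break
    return hits


if __name__ == "__main__":
    for cmd, rule in scan(SAMPLE_CMDLINES):
        print(f"{rule:32} {cmd}")
```

Token-order matching rather than a substring search is what lets the remote /node: invocation and the WHERE-filtered deletion match the same rule as the bare command, while wmic process list brief and vssadmin list shadows stay quiet. Because the emulation creates and then deletes its own shadow copy, this rule is also a convenient one to check first when confirming that the detection pipeline saw the assessment run.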
Wrap-up
In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by INC, Lynx and SafePay ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ®, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
