A notorious ransomware gang claims that it has raided the UK’s hospital builder. Attackers linked to Russia claim to have stolen 4TB of secret data.
Lynx, the cybercriminal gang behind the alleged ransomware attack, has listed the well-known British construction company Dodd Group as a victim on its leak site on the dark web.
“Time is running out – you have the opportunity to resolve this matter before inevitable consequences unfold,” wrote the attackers.
Ransomware gangs often list the victims on their dark web leak sites, attempting to muscle organizations into paying a ransom or face dealing with a damaging leak of stolen data.
The attackers claim to have “quietly” extracted around 4TB of the company’s data, including material from “secured repositories.” To prove their claims, the attackers shared screenshots with stolen data samples.
Cybernews researchers looked at data samples released with the listing. The documents seem to include ledger contact information, and the exposed data includes the contact information of the client companies or their representatives.
The data samples also included financial documents, including payment comparisons, deferred payment records, and invoice logs.
It is not uncommon for ransomware gangs to share fake information or resurface old data from previous breaches. However, if the data proves to be legitimate, the affected individuals are at risk of social engineering attacks.
“For the company, it could damage trust for the clients and give a competitive disadvantage, because of exposed payment terms and pricing strategies,” Cybernews researchers said.
Cybernews has reached out to the company for confirmation, but a response is yet to be received.
Founded in 1947, Dodd Group provides housing maintenance solutions and designs and installs mechanical and electrical services on construction projects for all major sectors. Its reported revenue reaches £249.4 million.
The company is trusted by the UK’s public service providers, such as the National Health Service (NHS), which contracted it to build health centers and hospitals. According to the company’s website, it employs 1100 individuals.
What is Lynx ransomware?
Caught on the radar in mid-2024, the gang operates as ransomware-as-a-service (RaaS) and is known to target organizations in the finance, architecture, and manufacturing sectors.
Darktrace’s Threat Research teams also uncovered Lynx-related incidents targeting energy and retail sectors across the Middle East and Asia-Pacific (APAC) regions.
According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 196 victims since 2024, and is among the key players in the ransomware scene.
Among its alleged Lynx victims are Dollar Tree, America’s second-largest egg producer, Rose Acre Farms, and a major CBS affiliate, WDEF-TV.Just recently, Lynx claimed to have stolen data from the largest US sushi and seafood provider, the True World Group LCC.
Unit42 researchers have identified that Lynx’s malware shares significant portions of its source code with the INC ransomware variant, indicating the group likely repurposed readily available INC code to craft its own custom strain.
Lynx might be linked to Russia, as it actively recruits on Russian-speaking underground forums. Like many Russia-based cybercrime groups, Lynx explicitly states that it does not target organizations in Russia or other CIS countries.
Curious what others think about this story? Contribute your thoughts to the debate below.
This is a common tactic used by Russian threat actors to operate without interference from authorities within their home territory. On its leak site, Lynx gang claims that it has a clear intention to avoid undue harm to organizations. It claims to follow ethical policies and not target governmental institutions, hospitals, or non-profit organizations, as “these sectors play vital roles in society.”
“Our operational model encourages dialogue and resolution rather than chaos and destruction,” it says.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked