r/ReverseEngineering 2d ago

Lynx ransomware analysis from March predicted RAF contractor breach - post-exploitation tool misidentified as phishing malware

https://thetrueartist.co.uk/index.php/2025/03/09/lynx-ransomware-analysis-an-advanced-post-exploitation-ransomware/

Back in March I reversed Lynx ransomware (SHA256: 0315dbb...) after seeing multiple vendor reports claiming phishing distribution with built-in double extortion.

Binary analysis contradicted this:

- Zero network imports
- No exfiltration code
- CLI operator flags (--kill, --stop-processes, --encrypt-network)
- Verbose logging to stderr
- Zero obfuscation (trivial to reverse, but also instant AV detection)

Conclusion: Post-exploitation tool, not phishing payload.

Fast forward to last week: Same group breaches Dodd Group (UK MoD contractor), 4TB exfil over 3+ weeks, then deploys encryptor. Exactly the deployment model the binary characteristics suggested.
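Added example, not code from the post or the linked write-up: a pure-Python walk of a PE import directory that lists the DLLs a sample imports and flags whether any is a network library, i.e. the "zero network imports" check the argument above rests on. The network-DLL set and the in-memory sample PE are constructed here for illustration (not Lynx); the parser handles both PE32 and PE32+.

```python
import struct
NETWORK_DLLS = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll", "dnsapi.dll"}  # assumed set

def imported_dlls(data):
    """Walk the import directory of a PE32/PE32+ image and return the DLL names it imports."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # COFF NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    dd = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # data dir table (PE32 / PE32+)
    imp_rva = struct.unpack_from("<I", data, opt + dd + 8)[0]            # directory[1] = imports
    if imp_rva == 0:
        return []                                            # no import table at all
    sections = []                                            # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, vaddr, rsize, raddr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raddr))
    def to_off(rva):
        for vaddr, size, raddr in sections:
            if vaddr <= rva < vaddr + size:
                return raddr + rva - vaddr
        raise ValueError("RVA %#x outside all sections" % rva)
    dlls, desc = [], to_off(imp_rva)
    while True:                                              # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]
        if name_rva == 0:
            break
        off = to_off(name_rva)
        dlls.append(data[off:data.index(b"\0", off)].decode("ascii", "replace").lower())
        desc += 20
    return dlls

def network_capable(data):
    """True if the sample can reach the network by itself (exfil/C2 without an operator's tooling)."""
    return any(d in NETWORK_DLLS for d in imported_dlls(data))

def build_sample_pe(dll_names):
    """Construct a minimal PE32+ whose only content is an import directory (test input, not Lynx)."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(dll_names)
    descs, names = b"", b""
    for name in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + 20 * (n + 1) + len(names), 0)
        names += name.encode() + b"\0"
    body = descs + b"\0" * 20 + names
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<IIIII", 16, 0, 0, sec_rva, len(body))
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22) + opt.ljust(240, b"\0")
           + b".idata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_off) + b"\0" * 16)
    return hdr.ljust(sec_off, b"\0") + body
```

Run `network_capable(open("sample.exe", "rb").read())` on a real sample; an absent network DLL is evidence the binary expects an operator to handle exfiltration, not proof of it (dynamic loading via LoadLibrary/GetProcAddress must still be ruled out).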
