Ddos 
Ransom note README.txt Image: CYFIRMA
A new ransomware strain dubbed Lyrix has been discovered by CYFIRMAβs research team while monitoring underground cybercriminal forums. This Windows-targeting malware, written in Python and compiled with PyInstaller, showcases a concerning blend of anti-analysis tactics, privilege escalation, and data destruction.
βLyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files,β CYFIRMA stated. βIts advanced evasion techniques and persistence mechanisms make it challenging to detect and remove.β
Lyrix ransomware first appeared in the wild on April 20, 2025, distributed as a Win32 executable named Encryptor.exe. Weighing in at over 20MB, the binary is unsigned, utilizes a standard MZ header, and leverages a wide arsenal of Windows API calls to achieve stealth and persistence.
Once deployed, Lyrix initiates a 256-bit AES encryption routine, then encrypts the AES key itself with a hardcoded RSA public keyβa hallmark of modern ransomware cryptographic layering. The encrypted key is saved in the ProgramData directory under the name 02dq34jR0u.key, and all encrypted files are renamed with the .02dq34jROu extension.
What makes Lyrix particularly insidious is its comprehensive use of anti-analysis and anti-recovery techniques:
- Anti-VM: It uses VirtualProtect to detect virtual environments.
- Sandbox evasion: Sleep functions delay analysis.
- Obfuscation: GetStartupInfoW and GetWindowLongPtrW are used to hide visible behaviors.
- System hardening against recovery:
- Deletes shadow copies using vssadmin delete shadows /all /quiet
- Executes wmic shadowcopy delete to reinforce data wipe
- Modifies the boot configuration with bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Disables the Windows Recovery Environment with bcdedit /set {default} recoveryenabled no
βThese commands are intended to cripple the systemβs built-in recovery features, forcing the user to either pay the ransom or lose access to their encrypted files permanently,β CYFIRMA explained.
Lyrix leaves behind a README.txt file in each affected directory, warning victims that their data has been βencrypted and stolen.β The note offers to decrypt two files for free as proof, while threatening to leak stolen data unless a ransom is paid. Communication is facilitated through a ProtonMail address created in April 2025, suggesting the actor behind Lyrix is relatively new.
βThey warn against using third-party recovery toolsβ¦ and threaten to publicly release a portion of the stolen data if payment is not made,β the report noted.
βOngoing user education about the dangers of downloading executables from untrusted sourcesβ is critical, CYFIRMA stressed, along with robust endpoint protection and timely patch management.
Related Posts:
- Zloader Reloaded: Malware Adopts Evasive Anti-Analysis Tactics
- Unit 42’s Insight: The Sophisticated Evasion Tactics of GuLoader and RedLine Stealer
- Raspberry Robinβs Stealth Tactics: USB Infections, Exploits, and Advanced Obfuscation Unveiled
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
