
[Image: Lyrix ransom note README.txt. Source: CYFIRMA]
A new ransomware strain dubbed Lyrix has been discovered by CYFIRMA’s research team while monitoring underground cybercriminal forums. This Windows-targeting malware, written in Python and compiled with PyInstaller, showcases a concerning blend of anti-analysis tactics, privilege escalation, and data destruction.
“Lyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files,” CYFIRMA stated. “Its advanced evasion techniques and persistence mechanisms make it challenging to detect and remove.”
Lyrix ransomware first appeared in the wild on April 20, 2025, distributed as a Win32 executable named Encryptor.exe. Weighing in at over 20 MB, the binary is unsigned, carries a standard MZ header, and calls on a wide range of Windows APIs to achieve stealth and persistence.
Once deployed, Lyrix initiates a 256-bit AES encryption routine, then encrypts the AES key itself with a hardcoded RSA public key—a hallmark of modern ransomware cryptographic layering. The encrypted key is saved in the ProgramData directory under the name 02dq34jR0u.key, and all encrypted files are renamed with the .02dq34jROu extension.
What makes Lyrix particularly insidious is its comprehensive use of anti-analysis and anti-recovery techniques:
- Anti-VM: It uses VirtualProtect to detect virtual environments.
- Sandbox evasion: Sleep functions delay analysis.
- Obfuscation: GetStartupInfoW and GetWindowLongPtrW are used to hide visible behaviors.
- System hardening against recovery:
  - Deletes shadow copies using vssadmin delete shadows /all /quiet
  - Executes wmic shadowcopy delete as a second shadow copy removal step
  - Modifies the boot configuration with bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Disables the Windows Recovery Environment with bcdedit /set {default} recoveryenabled no
“These commands are intended to cripple the system’s built-in recovery features, forcing the user to either pay the ransom or lose access to their encrypted files permanently,” CYFIRMA explained.
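The four recovery-inhibition commands above are noisy in process-creation telemetry (Sysmon Event ID 1, Windows Security 4688) and are a common detection point. The following Python is an added illustration, not code from the CYFIRMA report: it matches those commands against constructed sample events and groups hits by parent process, so a single parent spawning several of them is flagged. The event line format, field names and the Encryptor.exe path are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Users\\victim\\Downloads\\Encryptor.exe CommandLine=vssadmin delete shadows /all /quiet",
    "ParentImage=C:\\Users\\victim\\Downloads\\Encryptor.exe CommandLine=wmic shadowcopy delete",
    "ParentImage=C:\\Users\\victim\\Downloads\\Encryptor.exe CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "ParentImage=C:\\Users\\victim\\Downloads\\Encryptor.exe CommandLine=bcdedit /set {default} recoveryenabled no",
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe README.txt",
    "ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=vssadmin list shadows",
]

# One rule per command from the report; regexes run over a lower-cased, whitespace-collapsed command line.
RULES = [
    ("shadow_copy_deletion_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_deletion_wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("boot_status_policy_ignore", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("recovery_environment_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]

# Assumed event layout: "ParentImage=<path> CommandLine=<command line>".
EVENT_RE = re.compile(r"ParentImage=(?P<parent>.+?)\s+CommandLine=(?P<cmd>.+)$")


def normalise(cmd):
    """Lower-case and collapse whitespace so spacing tricks do not dodge the rules."""
    return " ".join(cmd.lower().split())


def match_event(line):
    """Return (parent_image, rule_label) for a matching event, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    cmd = normalise(m.group("cmd"))
    for label, rx in RULES:
        if rx.search(cmd):
            return (m.group("parent"), label)
    return None


def detect_recovery_inhibition(lines, min_distinct=2):
    """Group matches by parent process; report parents with at least min_distinct distinct techniques."""
    hits = defaultdict(set)
    for line in lines:
        r = match_event(line)
        if r:
            parent, label = r
            hits[parent].add(label)
    return {p: sorted(labels) for p, labels in hits.items() if len(labels) >= min_distinct}


if __name__ == "__main__":
    for parent, labels in detect_recovery_inhibition(SAMPLE_EVENTS).items():
        print(f"ALERT recovery inhibition by {parent}: {', '.join(labels)}")
```

Because vssadmin delete shadows is high-signal on its own, production rules usually alert on a single match (min_distinct=1) and use the grouping only to raise severity.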
Lyrix leaves behind a README.txt file in each affected directory, warning victims that their data has been “encrypted and stolen.” The note offers to decrypt two files for free as proof, while threatening to leak stolen data unless a ransom is paid. Communication is facilitated through a ProtonMail address created in April 2025, suggesting the actor behind Lyrix is relatively new.
“They warn against using third-party recovery tools… and threaten to publicly release a portion of the stolen data if payment is not made,” the report noted.
“Ongoing user education about the dangers of downloading executables from untrusted sources” is critical, CYFIRMA stressed, along with robust endpoint protection and timely patch management.