CYFIRMA discovered Lyrix Ransomware, Python-based ransomware targeting Windows systems that combines file encryption with evasion techniques. It appends the ‘.02dq34jROu’ extension to encrypted files, runs destructive commands to disable Windows recovery mechanisms, and demands a ransom while threatening to leak the victim's data. #LyrixRansomware #WindowsOS #AES256Encryption
Keypoints
- Lyrix Ransomware is developed in Python, targets Windows systems, and is distributed as a standalone executable compiled with PyInstaller.
- It encrypts files using AES-256 encryption with a unique extension ‘.02dq34jROu’ and stores the encrypted key in the ProgramData folder.
- The malware uses anti-VM and sandbox checks, process injection, and obfuscation to evade analysis and detection.
- Lyrix deletes all Volume Shadow Copies and disables the Windows Recovery Environment so that files cannot be recovered without paying the ransom.
- Ransom note “Readme.txt” threatens victims with data leakage and demands contact via a ProtonMail account active since April 2025.
- CYFIRMA recommends mitigations including application control, least privilege access, disabling legacy utilities, and enhanced endpoint protection.
- Indicators of compromise include the sample file hashes and the encrypted-file extension listed below, which can be used for detection and blocking in security systems.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used to execute system commands such as deleting shadow copies and modifying boot configuration (‘vssadmin delete shadows /all /quiet’).
- [T1129] Shared Modules – Loads shared modules (DLLs) at runtime to execute code.
- [T1542.003] Pre-OS Boot: Bootkit – Modifies boot configuration to disable recovery features (‘bcdedit /set {default} recoveryenabled no’). Note that this command only disables the Windows Recovery Environment and does not install a bootkit; together with the shadow-copy deletion above, the behaviour is what ATT&CK describes under T1490 Inhibit System Recovery.
- [T1574] Hijack Execution Flow – Injection into other processes to manipulate execution flow and evade defenses.
- [T1055] Process Injection – Injects malicious code into legitimate processes to avoid detection.
- [T1014] Rootkit – Employs rootkit techniques to hide presence and activities.
- [T1027.002] Obfuscated Files or Information: Software Packing – Uses packing and obfuscation to evade static detection.
- [T1036] Masquerading – Masquerades files and processes to blend in with legitimate system components.
- [T1070.006] Indicator Removal: Timestomp – Alters file timestamps to hinder forensic analysis.
- [T1202] Indirect Command Execution – Executes commands indirectly to bypass detection.
- [T1497] Virtualization/Sandbox Evasion: System Checks – Performs checks for virtual environments; the attribution cites the VirtualProtect API, which changes memory page protections and is not by itself a virtualization check (it is typically observed when packed code unpacks and marks regions executable).
- [T1564.001] Hide Artifacts: Hidden Files and Directories – Hides encryption key file and other artifacts.
- [T1564.003] Hide Artifacts: Hidden Window – Runs without a visible window to conceal execution.
- [T1003] OS Credential Dumping – Attempts to obtain credentials from the operating system.
- [T1552.001] Unsecured Credentials: Credentials In Files – Stores encrypted keys and credentials in files.
- [T1057] Process Discovery – Enumerates system processes for target selection or evasion.
- [T1082] System Information Discovery – Gathers system configuration details with GetStartupInfoW and related calls.
- [T1083] File and Directory Discovery – Enumerates files with FindNextFileExW targeting specific extensions for encryption.
- [T1518.001] Software Discovery: Security Software Discovery – Checks for presence of security products to evade or disable.
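The two recovery-inhibiting commands quoted in the Keypoints and in the T1059 and T1542.003 entries above are the most reliable behavioural signal in this summary. The following is an added detection example, not CYFIRMA's code, that flags them in process-creation telemetry. It is written in Python, the language the malware itself is built in. The `ProcessEvent` field names and the sample events are constructed here in the shape of Sysmon Event ID 1 / Security 4688 fields and are an assumption; map them onto your SIEM's schema. The dropper name `update.exe` is invented.

```python
"""Flag the recovery-inhibiting commands attributed to Lyrix (shadow-copy
deletion via vssadmin and recovery disabled via bcdedit) in process-creation
telemetry.  Added example; not CYFIRMA's code.  Event shape is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The two commands quoted in the report, matched loosely so that a full path,
# quoting, extra whitespace or re-ordered switches still hit.
INHIBIT_RECOVERY_RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed; adapt field names to your SIEM)."""
    image: str
    command_line: str
    parent_image: str


def match_rules(command_line: str) -> list[str]:
    """Names of the rules whose pattern occurs in the command line."""
    return [name for name, rx in INHIBIT_RECOVERY_RULES.items()
            if rx.search(command_line)]


def scan_events(events) -> list[dict]:
    """One finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        hits = match_rules(ev.command_line)
        if hits:
            findings.append({"parent": ev.parent_image,
                             "command": ev.command_line,
                             "rules": hits})
    return findings


def suspicious_parents(findings, min_rules: int = 2) -> list[str]:
    """Parents that issued at least `min_rules` distinct inhibit-recovery
    commands.  Legitimate administration occasionally runs one of these; a
    single parent running both is the ransomware-like pattern."""
    rules_by_parent = defaultdict(set)
    for f in findings:
        rules_by_parent[f["parent"]].update(f["rules"])
    return sorted(p for p, rules in rules_by_parent.items()
                  if len(rules) >= min_rules)


# Constructed sample telemetry: two commands from a hypothetical dropper
# (update.exe is an invented name) plus two benign administrative look-ups.
CONSTRUCTED_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin delete shadows /all /quiet",
                 r"C:\Users\victim\Downloads\update.exe"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled no",
                 r"C:\Users\victim\Downloads\update.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /enum",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    found = scan_events(CONSTRUCTED_EVENTS)
    for f in found:
        print(f["rules"], f["command"], "<-", f["parent"])
    print("parents running both commands:", suspicious_parents(found))
```

Alerting on the per-parent correlation rather than on each command in isolation keeps backup-tool and administrator noise down while still catching the pairing the report describes.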
Indicators of Compromise
- [File Hashes] Malicious Lyrix ransomware samples – fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b (SHA-256), d298fb4197d65eabf1ef427c2eb737f1 (MD5), and 2 more hashes.
- [File Names] Encrypted files extension – files appended with ‘.02dq34jROu’.
- [File Names] Ransom note files named “Readme.txt” found in multiple directories.
- [Email Address] ProtonMail contact address used by the attackers; the account was created in April 2025 according to the investigation.
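An added example, not CYFIRMA's code, that turns the indicators above into a host sweep: it walks a directory tree for the ‘.02dq34jROu’ extension and ‘Readme.txt’ notes, and hashes every other file against the published sample hashes (the summary reproduces one SHA-256 and one MD5; the report's two further hashes are not in it, so extend the set from the source). The victim tree, the file names and the stand-in dropper `update.exe` are constructed for the demonstration; to exercise the hash path offline, the demo adds the constructed dropper's own SHA-256 to the IoC set.

```python
"""Host sweep for the Lyrix indicators: encrypted-file extension, ransom note
name and published sample hashes.  Added example; not CYFIRMA's code.  The
directory layout built by build_demo_tree() is constructed."""
import hashlib
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".02dq34jROu"
RANSOM_NOTE = "readme.txt"            # compared case-insensitively
# From the IoC list above: one SHA-256 and one MD5.  The report cites two more
# hashes that this summary does not reproduce, so extend the set from it.
IOC_HASHES = frozenset({
    "fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b",
    "d298fb4197d65eabf1ef427c2eb737f1",
})


def file_hashes(path: Path) -> dict[str, str]:
    """Read the file once and return both digests as lower-case hex."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root: Path, ioc_hashes=IOC_HASHES) -> dict[str, list[str]]:
    """Classify every regular file under root.  Paths are returned relative
    to root with forward slashes and sorted, so results are stable."""
    hits = {"encrypted_files": [], "ransom_notes": [], "hash_matches": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(ENCRYPTED_EXT):
            hits["encrypted_files"].append(rel)
        elif path.name.lower() == RANSOM_NOTE:
            hits["ransom_notes"].append(rel)
        elif ioc_hashes & set(file_hashes(path).values()):
            # Only files that could be the dropper are hashed; encrypted
            # documents and notes never match a sample hash.
            hits["hash_matches"].append(rel)
    for found in hits.values():
        found.sort()
    return hits


def build_demo_tree(root: Path) -> Path:
    """Constructed victim layout: two encrypted documents, two ransom notes,
    one untouched file and a stand-in dropper (update.exe, an invented name).
    Returns the dropper path."""
    docs = root / "Documents"
    docs.mkdir()
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / ("photo.jpg" + ENCRYPTED_EXT)).write_bytes(b"\xff" * 64)
    (docs / "notes.md").write_text("untouched file\n")
    (docs / "Readme.txt").write_text("constructed ransom note\n")
    (root / "Readme.txt").write_text("constructed ransom note\n")
    dropper = root / "update.exe"
    dropper.write_bytes(b"MZ" + b"\x90" * 128)
    return dropper


def demo() -> dict[str, list[str]]:
    """Run the sweep on the constructed tree.  The dropper's own SHA-256 is
    added to the IoC set so the hash path is exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dropper = build_demo_tree(root)
        iocs = IOC_HASHES | {file_hashes(dropper)["sha256"]}
        return sweep(root, iocs)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing only files that carry neither the extension nor the note name keeps a sweep over a large encrypted share cheap, since the ransomware's own output can never match a sample hash.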
Read more: https://www.cyfirma.com/research/lyrix-ransomware/