LCRYX Ransomware Attacks Windows Machines by Blocking Registry Editor and Task Manager

LCRYX, a VBScript-based ransomware first seen in November 2024, resurfaced in February 2025. It appends the .lcryx extension to the files it encrypts and demands a ransom of 0 in Bitcoin for decryption. The newer variant adds techniques that lock the user out of the Windows system while hindering detection and recovery.

Disabling System Tools and Elevating Privileges

On launch, LCRYX checks whether it is running with administrative privileges and relaunches itself elevated if it is not. Once elevated, it disables Task Manager, Command Prompt and Registry Editor through Windows policy values in the registry, hides the Control Panel, and turns off User Account Control (UAC) prompts so that its later commands run without interruption.

To hinder recovery, it also blocks the execution of msconfig.exe, gpedit.msc and procexp.exe, and disables inactivity timeouts so the session stays unlocked while it runs.

Persistence Mechanisms and File Encryption

For persistence, LCRYX registers itself as the default shell and as the debugger for system processes such as cmd.exe, so that Windows launches the script in place of the program the user asked for. It also takes over the handlers for the http and https URL protocols, so that opening any web link re-executes it. Finally, it remaps keyboard keys and swaps the mouse buttons, further obstructing the user.

For encryption, LCRYX combines a Caesar shift with XOR, replaces each original file with its encrypted version, and deletes backups and Volume Shadow Copies with vssadmin and wbadmin. According to K7 Security Labs, this leaves no conventional recovery path once the copies are gone. Note that a Caesar shift and XOR are symmetric operations with no real cryptographic strength: if the script and the key material it embeds can be recovered from the host, the files can be decrypted without paying.

Using Windows Management Instrumentation (WMI), LCRYX repeatedly terminates processes such as Task Manager and Registry Editor whenever they are started. It also runs PowerShell commands that overwrite the Master Boot Record (MBR) of the disk, so the system will not boot afterwards without dedicated recovery tools.

To evade detection, it disables the real-time monitoring of antivirus products including Microsoft Defender, Bitdefender and Kaspersky, and sets the Hidden, System and Read-only attributes on its own files. After encryption it drops a ransom note on the desktop that directs the victim to a website to pay in Bitcoin for the decryption key.
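The registry changes described in the sections above (tool lockout and UAC, the debugger and shell hijack, the URL-protocol handler, the keyboard and mouse tampering, and the Defender policy) can all be checked from a single read-only triage pass. The script below is an added example written for this article, not code from the K7 report or from the malware. The value names are the standard Windows policy, Image File Execution Options, Winlogon and URL-protocol keys; which of them a given LCRYX sample actually writes, and with which values, is an assumption drawn from the article's description. Run it in an elevated PowerShell session on the suspect host; it reads the registry and a few live settings and reports what it finds.

```powershell
# LCRYX-style tampering triage (added example, not from the K7 report or the malware).
# Read-only: it reports indicators and changes nothing. Run elevated.
# Which keys a real sample sets is an assumption based on the article's text.

Set-StrictMode -Version Latest

function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Get-RegDefaultSafe {
    param([string]$Path)
    # Default ("(default)") value of a key, or $null if the key is missing.
    try { return (Get-Item -Path $Path -ErrorAction Stop).GetValue('') }
    catch { return $null }
}

function Invoke-LcryxTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Policy values that lock the user out of recovery tools, UAC and Defender.
    $policies = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = @(1);   Note = 'Task Manager disabled' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = @(1,2); Note = 'Registry Editor disabled' }
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Bad = @(1,2); Note = 'Command Prompt disabled' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Bad = @(1);   Note = 'Control Panel hidden' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';            Bad = @(0);   Note = 'UAC disabled' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = @(1); Note = 'Defender real-time monitoring disabled by policy' }
        @{ Path = 'HKCU:\Control Panel\Mouse';                                         Name = 'SwapMouseButtons';     Bad = @('1'); Note = 'Mouse buttons swapped' }
    )
    foreach ($p in $policies) {
        $v = Get-RegValueSafe -Path $p.Path -Name $p.Name
        if ($null -ne $v -and "$v" -in @($p.Bad | ForEach-Object { "$_" })) {
            $findings.Add("[policy] $($p.Note): $($p.Path)\$($p.Name) = $v")
        }
    }

    # 2. Image File Execution Options: a Debugger value makes Windows start that
    #    program instead of the target (the cmd.exe hijack the article describes).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = Get-RegValueSafe -Path $k.PSPath -Name 'Debugger'
        if ($dbg) { $findings.Add("[ifeo] $($k.PSChildName) -> Debugger = $dbg") }
    }

    # 3. Winlogon Shell: anything other than explorer.exe is a replaced logon shell.
    foreach ($hive in 'HKLM', 'HKCU') {
        $shell = Get-RegValueSafe -Path "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell'
        if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("[shell] $hive Winlogon\Shell = $shell") }
    }

    # 4. http/https protocol handlers: a script host here re-launches the malware
    #    on every clicked link. Per-user Classes override the machine-wide ones.
    foreach ($proto in 'http', 'https') {
        foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
            $cmd = Get-RegDefaultSafe -Path "$root\$proto\shell\open\command"
            if ($cmd -and $cmd -match 'wscript|cscript|\.vbs|\.vbe') {
                $findings.Add("[urlhandler] $root $proto -> $cmd")
            }
        }
    }

    # 5. Keyboard remap via the Scancode Map (takes effect at the next logon).
    $map = Get-RegValueSafe -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout' -Name 'Scancode Map'
    if ($map) { $findings.Add("[keyboard] Scancode Map present ($($map.Length) bytes)") }

    # 6. Live state: Defender, shadow copies, and encrypted files in the profile.
    try {
        if ((Get-MpPreference -ErrorAction Stop).DisableRealtimeMonitoring) {
            $findings.Add('[defender] real-time monitoring is off (Get-MpPreference)')
        }
    } catch { $findings.Add('[defender] Get-MpPreference unavailable; check the AV console manually') }
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) { $findings.Add('[vss] no shadow copies present (weak signal; can be normal)') }
    $enc = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.lcryx' -ErrorAction SilentlyContinue)
    if ($enc.Count -gt 0) { $findings.Add("[files] $($enc.Count) .lcryx file(s) under $env:USERPROFILE") }

    return $findings
}

$result = Invoke-LcryxTriage
if ($result.Count -eq 0) { Write-Output 'No LCRYX-style tampering indicators found.' }
else { $result | ForEach-Object { Write-Output $_ } }
```

The script deliberately does not revert anything: undoing the policy values (Remove-ItemProperty on the entries above), deleting IFEO Debugger values and restoring the Winlogon Shell should only happen after the host is isolated and the running script and its WMI-driven process killing have been stopped, otherwise the changes are simply reapplied. A rewritten MBR is outside the registry entirely and needs recovery media (bootrec /fixmbr or a disk image restore), and an absent shadow copy set is only corroborating evidence, since many hosts have none to begin with.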

Some variants add psychological pressure with pop-ups that display the victim's IP address, or launch unrelated applications such as Calculator. The return of LCRYX shows that VBScript-based ransomware is still evolving: its ability to disable security controls, encrypt files and render the system unusable underlines the need for layered defences.

Users are encouraged to run a comprehensive security solution such as K7 Total Security and to keep regular backups offline or otherwise out of reach of the host, since the malware deletes local backups and shadow copies before the victim can use them.

