LCRYX Ransomware: How a VB Ransomware Locks Your System

The article discusses the resurgence of LCRYX ransomware, a VBScript-based malware that encrypts files with the ‘.lcryx’ extension and demands a ransom for decryption. Key features of its operation include elevating privileges, blocking user controls, modifying the Windows registry, and encrypting files while deleting backup traces. Affected: LCRYX ransomware, Windows operating system, individuals, organizations

Key points:

  • LCRYX ransomware re-emerged, targeting individuals and organizations.
  • It demands a ransom of 0 in bitcoins.
  • The ransomware first appeared in November 2024 and returned in February 2025.
  • It elevates privileges to execute its tasks without user intervention.
  • The script modifies the Windows registry to ensure persistence and prevent user management of key tools.
  • Security features of Windows Defender and other antivirus programs are disabled.
  • The malware employs encryption methods, including Caesar cipher and XOR encryption.
  • It deletes backup files and shadow copies to eliminate recovery options.
  • A ransom note is generated on the user’s desktop, demanding payment for decryption.
  • Multiple VBScript and batch files are created to facilitate further malicious actions.

MITRE Techniques:

  • TA0002: Execution – The ransomware executes by relaunching with administrative privileges.
  • TA0022: Credential Dumping – The code checks for admin privileges to escalate access rights.
  • TA0003: Persistence – Modifies the Windows registry to set the script as the default shell and executes on startup.
  • TA0005: Defense Evasion – Disables Windows security features and blocks tools like Task Manager.
  • TA0006: Credential Access – Uses functions to check operating system versions for potential file manipulation.
  • TA0007: Command and Control – Fetches an image file over the internet to use as wallpaper.
  • TA0008: Impact – Encrypts user files while deleting backups, resulting in significant data loss.

Indicators of Compromise:

  • MD5 57D4D27F915A6352918C878450582F44 (Trojan)
  • MD5 5999A77CF9015AF51938E162584A37BC (Trojan)
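A defender-side sweep for the two indicators the summary gives (the published MD5 hashes and the '.lcryx' extension appended to encrypted files), written here as an added example; it is not code from the K7 Labs article or from the malware. It walks a directory tree, hashes every file in chunks, and reports files whose digest is in the IoC set or whose extension is '.lcryx'. The sample directory in `run_demo()` is constructed inline so the script runs offline; the file that triggers the hash match there is a constructed stand-in whose own digest is added to the set for the demo, since the real samples are not (and should not be) present.

```python
"""Sweep a directory tree for the LCRYX indicators listed above.

Added defender-side example, not code from the K7 Labs article. It flags
(a) files whose MD5 matches a hash in the IoC set and (b) files carrying
the '.lcryx' extension that the ransomware appends to encrypted files.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# MD5 hashes exactly as published in the IoC list above (matched case-insensitively).
LCRYX_MD5S = {
    "57d4d27f915a6352918c878450582f44",
    "5999a77cf9015af51938e162584a37bc",
}
LCRYX_EXTENSION = ".lcryx"


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_md5s=LCRYX_MD5S, extension=LCRYX_EXTENSION):
    """Walk `root` and return a sorted list of (path, reason) findings.

    A single file can produce two findings (extension and hash) so that
    either signal alone is enough to surface it in a report.
    """
    wanted = {m.lower() for m in known_md5s}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() == extension:
                findings.append((str(path), "extension matches LCRYX-encrypted file"))
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if digest in wanted:
                findings.append((str(path), f"MD5 {digest} is in the IoC set"))
    return sorted(findings)


def run_demo():
    """Build a constructed sample tree, sweep it, and return findings with
    root-relative POSIX paths so the result is stable across machines."""
    tmp = tempfile.mkdtemp(prefix="lcryx_demo_")
    root = Path(tmp)
    try:
        (root / "notes.txt").write_text("quarterly numbers\n")          # benign
        (root / "docs").mkdir()
        (root / "docs" / "report.docx.lcryx").write_bytes(b"\x00garbled")  # renamed by the ransomware
        stand_in = root / "dropper.vbs"                                    # constructed stand-in, not the real script
        stand_in.write_text("' constructed sample file, not the real script\n")
        # Demo only: add the stand-in's own digest so the hash path is exercised offline.
        known = LCRYX_MD5S | {md5_of_file(stand_in)}
        findings = scan_tree(root, known_md5s=known)
        return [(Path(p).relative_to(root).as_posix(), reason) for p, reason in findings]
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

In production use, call `scan_tree()` on the user profile and network shares with the default `LCRYX_MD5S`; the extension check is the more useful signal on a machine where encryption has already run, while the hash check catches dropped copies of the script before execution.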


Full Story: https://labs.k7computing.com/index.php/lcryx-ransomware-how-a-vb-ransomware-locks-your-system/
