Lyrix Ransomware: A Python-Built Threat Operating Like Special Forces
One file, one execution—and no chance of recovery. CYFIRMA’s research team has uncovered a new malware strain—Lyrix Ransomware—developed in Python and compiled with PyInstaller to run as a standalone Windows executable. This packaging bundles the interpreter and all dependencies into a single file, which simplifies distribution. Lyrix employs strong encryption and unusual evasion techniques, making it particularly dangerous and difficult to remove. Its activity was first detected on April 20, 2025.
According to experts, the malware disguises its malicious behavior, bypasses signature-based detection, encrypts user files, and threatens data leaks. Each encrypted file is given the extension ".02dq34jROu", while the encrypted keys are stored in the ProgramData system directory under a file with the same name. Decryption without the attackers' private key is impossible.
Lyrix Ransomware executes under the guise of Encryptor.exe (size: 20.43 MB), using the standard Win32 EXE format with an "MZ" header. It lacks a digital signature, further complicating antivirus blocking. Upon infection, the malware scans user directories—Downloads, Documents, Desktop, Pictures, Music, and Videos—selectively encrypting popular file formats like DOCX, PDF, XLS, and JPG. Executables, DLLs, and shortcuts remain untouched to avoid system disruption and early detection.
Encryption & Persistence Mechanisms
- Generates a unique AES key, encrypting it with an embedded RSA public key.
- Deletes shadow copies using:
```cmd
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
```
- Modifies Windows boot configuration to disable error messages and recovery:
```cmd
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
Evasion & Anti-Analysis Techniques
Lyrix employs multiple anti-virtualization and anti-analysis tricks, including:
- VirtualProtect, Sleep, GetCurrentProcess, TerminateProcess
- GetStartupInfoW, GetWindowLongPtrW, ShutdownBlockReasonCreate
- Script execution, process injection
- Artifact hiding, credential manipulation
Mitigation & Defense Recommendations
- Block execution from temp directories via AppLocker/SRP.
- Restrict access to vssadmin, wmic, bcdedit, and other system tools.
- Enhance email security with attachment filtering.
- Deploy modern EDR solutions to detect mass file encryption/renaming.
- Conduct regular employee training, including phishing simulations.
- Maintain and test incident response plans.
- Isolate infected systems immediately upon detection.
- Preserve artifacts for forensic analysis; do not delete encrypted files.
- Never pay the ransom—no guarantee of recovery.
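To make the EDR recommendation concrete, the following is an added example (not CYFIRMA's code) that runs simple detection logic over constructed process-creation and file-rename telemetry: it flags the exact vssadmin/wmic/bcdedit commands listed above and any process that renames many files to the ".02dq34jROu" extension. The event tuple format and the threshold of 10 renames are assumptions for the example.

```python
import re
from collections import Counter

LYRIX_EXT = ".02dq34jROu"  # extension the report attributes to Lyrix

# Command-line patterns for the recovery-inhibition commands described in the report.
RECOVERY_INHIBIT_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "shadow copies deleted via vssadmin"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "shadow copies deleted via wmic"),
    (re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
     "boot status policy set to ignore failures via bcdedit"),
    (re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
     "Windows recovery disabled via bcdedit"),
]

def classify_cmdline(cmdline):
    """Return a description if the command line matches a known recovery-inhibition command, else None."""
    for pattern, description in RECOVERY_INHIBIT_PATTERNS:
        if pattern.search(cmdline):
            return description
    return None

def detect(events, rename_threshold=10):
    """Scan (event_type, fields) tuples and return a list of alert strings.

    Process events: flag vssadmin/wmic/bcdedit recovery tampering.
    Rename events: flag any process that renames >= rename_threshold files to the Lyrix extension.
    """
    alerts = []
    renames_per_process = Counter()
    for event_type, fields in events:
        if event_type == "process":
            hit = classify_cmdline(fields["cmdline"])
            if hit:
                alerts.append(f"[recovery-inhibit] {hit}: {fields['cmdline']}")
        elif event_type == "rename" and fields["target"].endswith(LYRIX_EXT):
            renames_per_process[fields["process"]] += 1
    for process, count in renames_per_process.items():
        if count >= rename_threshold:
            alerts.append(f"[mass-rename] {process} renamed {count} files to {LYRIX_EXT}")
    return alerts

# Constructed sample telemetry (not real captured data); mirrors the commands and extension from the report.
SAMPLE_EVENTS = [
    ("process", {"cmdline": "vssadmin delete shadows /all /quiet"}),
    ("process", {"cmdline": "wmic shadowcopy delete"}),
    ("process", {"cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"}),
    ("process", {"cmdline": "bcdedit /set {default} recoveryenabled no"}),
    ("process", {"cmdline": "notepad.exe C:\\Users\\alice\\Documents\\notes.txt"}),  # benign
] + [("rename", {"process": "Encryptor.exe", "target": f"C:\\Users\\alice\\Documents\\doc{i}.docx{LYRIX_EXT}"})
     for i in range(12)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same matching would be applied to Sysmon or EDR process-creation and file-rename events, with the rename count evaluated over a short time window rather than the whole event stream.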
Stay vigilant—Lyrix is a silent but deadly threat.
