LCRYX Ransomware Targets Windows Machines by Disabling Registry Editor and Task Manager

The LCRYX ransomware, a malicious VBScript-based program, has re-emerged as a significant threat to Windows systems.

Initially detected in November 2024, this ransomware encrypts files with the “.lcryx” extension and demands a $500 Bitcoin ransom for decryption.

After a brief hiatus, it has resurfaced in February 2025 with enhanced capabilities, targeting critical system functionalities to maintain control over infected machines.

Disabling Core System Tools for Persistence

The ransomware begins by ensuring it runs with administrative privileges, relaunching itself if necessary.

Once active, it modifies the Windows registry to disable essential tools like Task Manager, Registry Editor, Command Prompt, and Control Panel.

These changes prevent users from managing or terminating the malware.

Additionally, it disables User Account Control (UAC) prompts and inactivity timeouts, allowing the ransomware to operate unobstructed.

To further complicate recovery efforts, the script blocks the execution of diagnostic tools such as msconfig.exe and Autoruns.exe.

It also sets itself as the default shell and debugger for cmd.exe, ensuring its execution during every system login or command prompt interaction.

Moreover, it hijacks HTTP and HTTPS handlers to maintain persistent control.
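The registry changes described above are the cheapest place to detect this family, because every one of them has a fixed, well-known location. The script below is an added example (not code from the article or from K7 Security Labs): it parses a Windows registry export in `.reg` format and flags the policy values that disable Task Manager, Registry Editor, Command Prompt, Control Panel and UAC, an Image File Execution Options (IFEO) debugger registered for cmd.exe, a replaced Winlogon shell, HTTP/HTTPS URL handlers that point at a script host, and Run-key entries that launch a script host. The key paths are the standard Windows locations for these settings; that LCRYX uses exactly these keys is an assumption, since the article names the effects rather than the keys. The sample export is constructed for the demonstration.

```python
import re

# Constructed .reg export resembling the tampering the article describes.
# Not a real export from an infected machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="wscript.exe \"C:\\Users\\Public\\payload.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="wscript.exe \"C:\\Users\\Public\\payload.vbs\" \"%1\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="wscript.exe \"C:\\Users\\Public\\persist.vbs\""
'''


def _decode_value(data):
    """Decode the dword and string forms used in .reg exports; other types stay raw."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape \\ and \"
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}.
    The default value of a key is stored under the empty name."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m:
            name = "" if m.group(2) else m.group(1)
            reg[current][name.lower()] = _decode_value(m.group(3))
    return reg


def _script_host(value):
    """True when a command string hands control to a script interpreter."""
    v = str(value).lower()
    return any(t in v for t in ("wscript", "cscript", ".vbs", ".bat", ".cmd"))


HKCU, HKLM = "hkey_current_user", "hkey_local_machine"
POLICIES = r"\software\microsoft\windows\currentversion\policies"
NT = r"\software\microsoft\windows nt\currentversion"

# (key path, value name or None for every value under the key, is_bad(value), finding)
CHECKS = [
    (HKCU + POLICIES + r"\system", "disabletaskmgr", lambda v: v == 1, "Task Manager disabled"),
    (HKCU + POLICIES + r"\system", "disableregistrytools", lambda v: v == 1, "Registry Editor disabled"),
    (HKCU + r"\software\policies\microsoft\windows\system", "disablecmd", lambda v: v in (1, 2), "Command Prompt disabled"),
    (HKCU + POLICIES + r"\explorer", "nocontrolpanel", lambda v: v == 1, "Control Panel disabled"),
    (HKLM + POLICIES + r"\system", "enablelua", lambda v: v == 0, "UAC prompts disabled"),
    (HKLM + NT + r"\image file execution options\cmd.exe", "debugger", lambda v: True, "cmd.exe hijacked via IFEO Debugger"),
    (HKLM + NT + r"\winlogon", "shell", lambda v: str(v).strip().lower() != "explorer.exe", "Winlogon shell replaced"),
    (r"hkey_classes_root\http\shell\open\command", "", _script_host, "HTTP handler points to a script host"),
    (r"hkey_classes_root\https\shell\open\command", "", _script_host, "HTTPS handler points to a script host"),
    (HKCU + r"\software\microsoft\windows\currentversion\run", None, _script_host, "Run key launches a script host at logon"),
]


def audit(reg):
    """Return (finding, key, value name, value) for every check that fires."""
    findings = []
    for key, name, is_bad, desc in CHECKS:
        values = reg.get(key, {})
        names = list(values) if name is None else ([name] if name in values else [])
        for n in names:
            if is_bad(values[n]):
                findings.append((desc, key, n, values[n]))
    return findings


if __name__ == "__main__":
    for desc, key, name, value in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{desc}: [{key}] {name or '(Default)'} = {value!r}")
```

On a live host the same checks can be run against an export produced with `reg export`, or against a hive pulled during incident response; the Winlogon `Shell` and HTTPS-handler checks stay quiet on the sample because those values are untouched there, which is the behaviour you want from a baseline comparison.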

Advanced Disruption Techniques

LCRYX employs several disruptive tactics to hinder user interaction.

It remaps keyboard keys and swaps mouse buttons through registry alterations, making system navigation difficult.

File attributes are modified to “Hidden,” “System,” and “Read-only,” concealing malicious files from detection or deletion.

The ransomware also disables real-time monitoring features of popular antivirus programs such as Windows Defender, Bitdefender, and Kaspersky Antivirus through targeted commands.

According to the K7 Security Labs report, this ensures its activities remain undetected by security software.

Using a combination of Caesar cipher and XOR encryption techniques, LCRYX encrypts files on the system after verifying specific conditions.

It renames the encrypted files with a “.lcryx” extension, deletes the originals, and generates a ransom note demanding payment in Bitcoin for decryption keys.

[Figure: LCRYX ransomware, encrypted file]

The malware takes additional steps to erase recovery options by deleting shadow copies and backup catalogs using vssadmin and wbadmin commands.

It also targets backup files with extensions like “.bak” and “.old,” ensuring no restoration points remain.

To maintain its presence on infected systems, LCRYX creates multiple batch files and VBScript files designed to execute malicious actions repeatedly.

These scripts display ransom messages, terminate critical processes like antivirus programs every five seconds, or open malicious URLs in some variants.

Registry entries are modified to ensure these scripts execute during every system startup.

In certain cases, the ransomware overwrites the Master Boot Record (MBR) with custom content using PowerShell commands, rendering systems inoperable until repaired.
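The recovery-inhibition and process-killing behaviour described in the preceding paragraphs shows up clearly in process-creation telemetry. The following is an added example (not code from the article or from K7 Security Labs) of detection logic run over constructed process-creation events: it flags `vssadmin delete shadows`, `wbadmin delete catalog`, bulk deletion of `.bak`/`.old` files, and a parent process that issues `taskkill` repeatedly at short intervals, which is the pattern a "kill the antivirus every five seconds" loop produces. The event format (`timestamp|parent|image|command line`), the antivirus image name in the sample, and the three-kills-within-ten-seconds threshold are assumptions made for the demonstration.

```python
import re
from datetime import datetime
from statistics import median

# Constructed process-creation events, not telemetry from a real LCRYX infection.
# Format: ISO timestamp | parent image | image | command line
SAMPLE_EVENTS = """\
2025-02-10T09:14:01|wscript.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
2025-02-10T09:14:02|wscript.exe|wbadmin.exe|wbadmin delete catalog -quiet
2025-02-10T09:14:03|wscript.exe|cmd.exe|cmd /c del /s /q /f C:\\*.bak C:\\*.old
2025-02-10T09:14:05|cmd.exe|taskkill.exe|taskkill /f /im MsMpEng.exe
2025-02-10T09:14:10|cmd.exe|taskkill.exe|taskkill /f /im MsMpEng.exe
2025-02-10T09:14:15|cmd.exe|taskkill.exe|taskkill /f /im MsMpEng.exe
2025-02-10T09:14:20|cmd.exe|taskkill.exe|taskkill /f /im MsMpEng.exe
2025-02-10T09:30:00|explorer.exe|notepad.exe|notepad C:\\Users\\alice\\notes.txt
2025-02-10T10:02:44|explorer.exe|taskkill.exe|taskkill /f /im notepad.exe
"""

# Command-line patterns that destroy recovery options. Case-insensitive.
RECOVERY_INHIBITION = [
    (r"\bvssadmin\b.*\bdelete\s+shadows\b", "Volume Shadow Copies deleted (vssadmin)"),
    (r"\bwbadmin\b.*\bdelete\s+catalog\b", "Backup catalog deleted (wbadmin)"),
    (r"\bdel\b.*\.(bak|old)\b", "Backup files (.bak/.old) deleted"),
]


def parse_events(text):
    """Return a list of (timestamp, parent, image, command_line) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), parent, image, cmdline))
    return events


def detect(text, min_kills=3, max_gap_seconds=10.0):
    """Run both detections over the event text and return a list of finding dicts.

    A taskkill loop is reported when one parent launches taskkill at least
    min_kills times with no gap longer than max_gap_seconds between launches.
    """
    findings = []
    kills_by_parent = {}
    for ts, parent, image, cmdline in parse_events(text):
        for pattern, rule in RECOVERY_INHIBITION:
            if re.search(pattern, cmdline, re.IGNORECASE):
                findings.append({"rule": rule, "timestamp": ts.isoformat(),
                                 "parent": parent, "command": cmdline})
        if re.search(r"\btaskkill\b", cmdline, re.IGNORECASE):
            kills_by_parent.setdefault(parent, []).append(ts)

    for parent, stamps in kills_by_parent.items():
        stamps.sort()
        if len(stamps) < min_kills:
            continue  # a single taskkill from an interactive shell is normal
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) <= max_gap_seconds:
            findings.append({"rule": "Repeated taskkill loop", "parent": parent,
                             "count": len(stamps), "median_gap_seconds": median(gaps)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The loop detection keys on cadence rather than on a specific antivirus process name, so it also catches variants that target a different product; the one-off `taskkill` from explorer.exe in the sample is deliberately left unflagged to show the threshold doing its job.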

Given its sophisticated techniques for persistence and disruption, LCRYX underscores the importance of robust cybersecurity measures.

Users are advised to deploy reliable security solutions like K7 Total Security and regularly update them to guard against emerging threats.

Additionally, maintaining offline backups can mitigate data loss in case of an attack.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
