{
	"id": "279ef626-b1c8-47a2-9261-433cb8b2560e",
	"created_at": "2026-04-06T00:11:47.793936Z",
	"updated_at": "2026-04-10T03:22:10.859268Z",
	"deleted_at": null,
	"sha1_hash": "e6ad50610e7fbcbe8aa981c3d6f2323f7a1909f0",
	"title": "LCRYX Ransomware: How a VB Ransomware Locks Your System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2119438,
	"plain_text": "LCRYX Ransomware: How a VB Ransomware Locks Your System\r\nPublished: 2025-02-24 · Archived: 2026-04-05 23:45:45 UTC\r\nRansomware attacks continue to pose a significant threat to both individuals and organizations. One such threat, LCRYX ransomware, written in VBScript, has recently resurfaced. First emerging in November 2024, it demanded a ransom of $500 in bitcoins to decrypt files encrypted with the ‘.lcryx’ extension. The ransomware has made a return in February 2025. A peer and researcher recently shared insights about this ransomware on their LinkedIn profile. In this blog, we will conduct an in-depth analysis of the VB script, providing more details on its latest activity.\r\nFig.1: First seen in the wild\r\nThe script begins by checking whether it is running with administrative privileges. If not, it relaunches itself with the necessary privileges for the next steps. Additionally, error handling is enabled at the start of execution, allowing the script to continue running even if it encounters errors during its process.\r\nFig.2: Running with admin privileges\r\nIt then proceeds to make several changes to the Windows registry to block user control and to establish persistence. It disables tools like Task Manager, Command Prompt, and the Registry Editor, and also blocks access to the Control Panel. The code turns off User Account Control (UAC) and admin prompts, letting the malware run with elevated privileges. It also disables the inactivity timeout, ensuring the system stays open for further actions.\r\nFig.3: Disabling tools with registries\r\nhttps://labs.k7computing.com/index.php/lcryx-ransomware-how-a-vb-ransomware-locks-your-system/\r\nPage 1 of 11\n\nFig.4: Disabling inactivity timeout\r\nIt also prevents users from running tools like msconfig.exe, Autoruns.exe, gpedit.msc, SystemSettings.exe, and procexp.exe, making it harder to manage startup items or stop the malware from executing.\r\nFig.5: Disallowing tools to execute\r\nTo ensure persistence, the code sets the malicious script as the default shell, causing it to run at login, and also configures it as the debugger for cmd.exe, making sure the script executes every time Command Prompt is opened. Additionally, it modifies the registry to set the script as the handler for HTTP and HTTPS links, ensuring that the script runs whenever web links are clicked or the system shell is accessed, allowing the malware to maintain control over the system.\r\nFig.6: Creating persistence for script\r\nThe code uses WMI to terminate key system processes (Taskmgr.exe, cmd.exe, msconfig.exe, regedit.exe) to prevent users from managing or stopping the malware.\r\nFig.7: Terminating processes\r\nIt modifies the registry to remap keyboard keys and swap mouse buttons, disrupting user input. It applies these changes immediately, making it harder for users to interact with the system and helping the malware maintain control.\r\nFig.8: Swapping mouse movements and updating the changes\r\nIt changes the file attributes to Hidden, System, and Read-only, making it harder to detect, modify, or delete the file.\r\nFig.9: Changing file attributes\r\nIt runs a PowerShell command that reads an image file and overwrites the MBR of disk drives with its content.\r\nFig.10: Overwriting MBR [Master Boot Record]\r\nThe code disables real-time monitoring of Windows Defender, Bitdefender Antivirus, and Kaspersky Anti-Virus by running commands to turn off their protection features. This allows the malware to bypass security measures and operate undetected on the system.\r\nFig.11: Disabling Real Time Monitoring\r\nFig.12: Extension for encrypted files\r\nIt defines a function IsLegacyWindows() to check if the system is running an older Windows version (prior to version 6.0). If so, it retrieves various special folder paths for potential file manipulation or malware persistence.\r\nFig.13: Checking OS version\r\nThe GenerateRandomKey(length) function creates a random alphanumeric string by selecting characters from a predefined set. It loops through the specified length, adding a random character to the key in each iteration; this string is later used as the key for the encryption process.\r\nFig.14: Random Key generator for encryption\r\nThe code checks if the file path matches certain conditions, like specific filenames. If it does, the script stops. Otherwise, it encrypts the file using a Caesar cipher and XOR encryption, saves it with a new extension, deletes the original file, and opens the encrypted file in Notepad.\r\nFig.15: Checking specific files with these names before encryption\r\nFig.16: Function for encrypting the files\r\nFig.17: XOR encryption function\r\nFig.18: CaserEncryptDecrypt function\r\nFig.19: Deletes the file and opens the encrypted file with “Notepad.exe”\r\nIt iterates through the following folders in the system and, during the iteration, checks for any external drives whose files it can encrypt.\r\nFig.20: Iteration through folders\r\nFig.21: Function to check external drives\r\nAfter that it deletes backup files with specific extensions (.bak, .backup, .old) from a folder and its subfolders, and another function removes shadow copies and backup catalogs. It uses vssadmin to delete shadow copies and wbadmin to clear the backup catalog, effectively erasing backup traces from the system.\r\nFig.22: Deletes the backup files\r\nFig.23: Deleting shadow copies\r\nThen it generates a ransom note on the desktop, in which it asks the user to visit a website and pay a ransom in bitcoin for file decryption.\r\nFig.24: Writing ransom note\r\nThis VBScript automatically downloads an image from a provided URL and sets it as the desktop wallpaper, but only if an internet connection is detected. It includes checks for connectivity, downloading the file to the desktop, and updating the wallpaper registry setting. The script also handles errors and alerts the user if something goes wrong.\r\nFig.25: Functions for setting up wallpaper\r\nFig.26: Background image\r\nThen it creates three files: one batch file and two VBScript files. It then adds content to these files and creates persistence by adding registry entries to ensure these files are executed on system startup, allowing for further actions upon their execution.\r\nFig.27: Creating and assigning file paths of “.bat” and “.vbs” files\r\nThen it adds content to the batch file that runs in a loop three times. In some variants, each time it opens the calculator (calc) and Command Prompt (cmd), while in other variants it makes connections to some malicious URLs, which are shown in Fig.28. The script sets up the loop and commands to execute repeatedly, with no output shown during execution. Then it creates persistence for the batch file and, in some variants, it also creates random directories and keeps this batch file in those randomly generated folders.\r\nFig.28: Batch file having malicious URLs\r\nFig.29: Batch file having content to start “calc” and “cmd”\r\nFig.30: Creating random directories for keeping bat file\r\nThen it creates a VBScript which runs in a loop, displaying a message claiming that files have been encrypted. It asks the user if they want to decrypt their files. If the user clicks “Yes,” it runs a command, opens a YouTube video, and shows the user’s IP address. The script keeps repeating the process. It also creates persistence by making changes in the registry entries for this VBScript file.\r\nFig.31: Script in first VB file\r\nFig.32: Message Box\r\nIn another VBScript, it repeatedly shuts down important programs like Task Manager, PowerShell, and antivirus software. It uses the taskkill command to close these programs every 5 seconds in a never-ending loop. The script targets tools like antivirus programs and system settings, making it potentially harmful. For this VBScript file also, it creates persistence by making changes in the registry entries.\r\nFig.33: Script in second VB file\r\nThen it runs these newly created files with these commands as shown in Fig.33.\r\nFig.34: Commands to run the scripts\r\nFig.35: Encrypted file\r\nWith the increasing risk of ransomware attacks, it’s important to take steps to protect your data. Using a reliable security solution like K7 Total Security and keeping it updated is crucial to defend against these threats.\r\nIOCs\r\nHash Detection Name\r\n57D4D27F915A6352918C878450582F44 Ransomware (005a7a3d1)\r\n5999A77CF9015AF51938E162584A37BC Ransomware (005a7a3d1)\r\nSource: https://labs.k7computing.com/index.php/lcryx-ransomware-how-a-vb-ransomware-locks-your-system/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/lcryx-ransomware-how-a-vb-ransomware-locks-your-system/"
	],
	"report_names": [
		"lcryx-ransomware-how-a-vb-ransomware-locks-your-system"
	],
	"threat_actors": [],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6ad50610e7fbcbe8aa981c3d6f2323f7a1909f0.pdf",
		"text": "https://archive.orkl.eu/e6ad50610e7fbcbe8aa981c3d6f2323f7a1909f0.txt",
		"img": "https://archive.orkl.eu/e6ad50610e7fbcbe8aa981c3d6f2323f7a1909f0.jpg"
	}
}