You arrive at the office, power up your system, and panic sets in. Every file is locked, and every system is frozen. A ransom demand flashes on your screen: “Pay $2 million in Bitcoin within 48 hours or lose everything.”
And the worst part is that even after paying, there is no guarantee you will get your data back. Many victims hand over the money, only to receive nothing in return, or worse, get hit again.
This is not a rare case. Ransomware attacks are crippling businesses worldwide, from hospitals and banks to small companies. The only way to stop the damage is by proactively analyzing suspicious files and links before they can be executed.
Below, we break down the top three ransomware families active in 2025: LockBit, Lynx, and Virlock, and look at how interactive analysis helps businesses detect and stop them before it is too late.
LockBit: Teasing a Comeback in 2025
LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double extortion tactics, and ability to evade traditional security measures. Operating under a Ransomware-as-a-Service (RaaS) model, it enables affiliates to distribute the malware, leading to widespread attacks across various industries.
Latest attacks and activity:
- London Drugs (May 2024): LockBit targeted Canadian retailer London Drugs, forcing the closure of all its locations across Canada. Hackers demanded $25 million, leaking some employee data after the company refused to pay.
- University Hospital Center, Zagreb (June 2024): Disrupted Croatia’s largest hospital, forcing staff to revert to manual operations while attackers claimed to have exfiltrated medical records.
- Evolve Bank & Trust (June 2024): Breached sensitive financial data, with hackers falsely claiming to have Federal Reserve information. The attack raised concerns due to Evolve’s ties with major fintech firms.
LockBit sample:
Let’s take a closer look at a LockBit ransomware sample inside ANY.RUN’s secure sandbox to discover its key behaviors.
[Figure: File icons changed inside the ANY.RUN sandbox]
Inside the Interactive Sandbox, the first thing that stands out is the file icons changing to the LockBit logo. This is an immediate sign of ransomware infection.
This is followed by a ransom note inside the sandbox, stating that your files have been stolen and encrypted. The message is clear: Pay the ransom, or the data will be published on a TOR website.
[Figure: Ransom note displayed inside the secure environment]
On the right side of the screen, we see a detailed breakdown of every process LockBit executes to attack the system.
[Figure: Process tree showing the behaviors of LockBit]
By clicking on any process, security teams can analyze the exact tactics used in the attack.
[Figure: Detailed breakdown of processes inside the Interactive Sandbox]
This type of analysis is important for businesses because it allows them to understand how ransomware spreads, identify weak points in their security, and take proactive steps to block similar threats before they cause financial and operational damage.
For a more in-depth breakdown of the attack tactics, you can also click on the ATT&CK button in the upper-right corner of the sandbox. This provides detailed insights into each tactic, helping teams fine-tune their defenses and strengthen response strategies.
[Figure: MITRE ATT&CK tactics and techniques detected by ANY.RUN]
In this case, we see LockBit using several dangerous techniques:
- Gaining higher privileges by bypassing security controls.
- Extracting stored credentials from files and web browsers.
- Scanning the system to gather information before encrypting files.
- Encrypting data to lock down critical business operations.
New attack warning in 2025:
Despite law enforcement actions, LockBit continues to pose a significant threat for 2025. The group’s alleged leader, known as LockBitSupp, has warned of new ransomware attacks launching this February. This means businesses cannot afford to let their guard down.
Lynx: The Rising Threat to Small and Mid-Sized Businesses
Lynx is a relatively new ransomware group that surfaced in mid-2024 and quickly built a reputation for its highly aggressive approach. Unlike larger ransomware gangs that focus on corporate giants, Lynx deliberately goes after small and mid-sized businesses across North America and Europe, taking advantage of weaker security measures.
Their strategy relies on double extortion. They do not just encrypt files but also threaten to leak stolen data on both public websites and dark web forums if victims refuse to pay. This forces businesses into an impossible choice: pay the ransom or risk having confidential data, financial details, and customer records exposed online.
Latest Lynx attack:
In mid-January 2025, Lynx targeted Lowe Engineers, a prominent civil engineering firm based in Atlanta, Georgia. The attack led to the exfiltration of sensitive data, including confidential project information and client details. Given the firm’s involvement in critical infrastructure projects, this breach raised significant concerns about potential impacts on federal and municipal contracts.
Lynx sample:
Thanks to ANY.RUN’s Interactive Sandbox, we can analyze the full attack chain of Lynx ransomware in a controlled virtual environment, without risking real systems.
The moment we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the ransomware immediately starts encrypting files and changes their extensions to .LYNX.
[Figure: The Files Modification tab shows the changes in file system activity]
Shortly after, a ransom note appears, and the desktop wallpaper is replaced with an extortion message directing victims to a TOR website, where attackers demand payment.
[Figure: Lynx ransomware changing the wallpaper inside the ANY.RUN sandbox]
Inside the ANY.RUN sandbox, we can manually open the README.txt dropped by Lynx to view the ransom message exactly as a victim would.
[Figure: The ransom note includes .onion links that direct victims to the attackers’ communication portal]
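The two file-system behaviors described above (a burst of renames to the .LYNX extension and a dropped README.txt) can be turned into a simple detection rule. The following is an added example, not code from ANY.RUN or from the original article; the event format, paths, process IDs, threshold and time window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Constructed file-system events (not taken from the sandbox session):
# (time in seconds, pid, action, old path, new path)
EVENTS = [
    (0.0, 4312, "rename", r"C:\Users\amy\Docs\q1.xlsx", r"C:\Users\amy\Docs\q1.xlsx.LYNX"),
    (0.4, 4312, "rename", r"C:\Users\amy\Docs\plan.docx", r"C:\Users\amy\Docs\plan.docx.LYNX"),
    (0.5, 4312, "create", "", r"C:\Users\amy\Docs\README.txt"),
    (0.9, 4312, "rename", r"C:\Users\amy\Docs\site.dwg", r"C:\Users\amy\Docs\site.dwg.LYNX"),
    (1.0, 1200, "rename", r"C:\data\a.log", r"C:\data\a.log.bak"),
    (5.0, 2048, "rename", r"C:\tmp\x.txt", r"C:\tmp\x.lynx"),
    (6.0, 2048, "create", "", r"C:\tmp\README.txt"),
    (50.0, 2048, "rename", r"C:\tmp\y.txt", r"C:\tmp\y.lynx"),
    (95.0, 2048, "rename", r"C:\tmp\z.txt", r"C:\tmp\z.lynx"),
    (10.0, 777, "rename", r"D:\share\a.pdf", r"D:\share\a.pdf.LYNX"),
    (10.2, 777, "rename", r"D:\share\b.pdf", r"D:\share\b.pdf.LYNX"),
    (10.5, 777, "rename", r"D:\share\c.pdf", r"D:\share\c.pdf.LYNX"),
]

def detect_lynx_activity(events, threshold=3, window=10.0):
    """Flag processes that rename >= threshold files to .LYNX within `window`
    seconds; severity is 'high' if the same process also drops README.txt."""
    recent = defaultdict(deque)   # pid -> timestamps of recent .LYNX renames
    burst, note_dropped = set(), set()
    for ts, pid, action, _old, new in sorted(events, key=lambda e: e[0]):
        path = PureWindowsPath(new)
        if action == "create" and path.name.lower() == "readme.txt":
            note_dropped.add(pid)
        elif action == "rename" and path.suffix.lower() == ".lynx":
            q = recent[pid]
            q.append(ts)
            while ts - q[0] > window:     # drop renames outside the window
                q.popleft()
            if len(q) >= threshold:
                burst.add(pid)
    return {pid: "high" if pid in note_dropped else "medium" for pid in sorted(burst)}

if __name__ == "__main__":
    print(detect_lynx_activity(EVENTS))
```

Process 2048 is not flagged even though it writes a README.txt, because its three renames are spread over 90 seconds; the rate of renames, not the extension alone, is what separates encryption activity from ordinary file handling.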
In the MITRE ATT&CK section, we get a clear breakdown of Lynx’s tactics and techniques, revealing how it operates:
[Figure: MITRE ATT&CK tactics and techniques used by Lynx ransomware]
- Encrypting files to lock critical business data.
- Renaming files to mimic other ransomware strains.
- Querying the registry to scan for system details and security software.
- Reading CPU information to assess the target environment.
- Checking software policies to determine security settings before proceeding.
Virlock: A Self-Replicating Ransomware That Won’t Die
Virlock is a unique ransomware strain that first emerged in 2014. Unlike typical ransomware, Virlock not only encrypts files but also infects them, turning each into a polymorphic file infector. This dual capability allows it to spread rapidly, especially through cloud storage and collaboration platforms.
Recent attacks:
In recent analyses, Virlock has been observed spreading stealthily via cloud storage and collaboration apps. When a user’s system is infected, Virlock encrypts and infects files, which are then synced to shared cloud environments.
Collaborators who access these shared files inadvertently execute the infected files, leading to further spread within the organization.
Virlock sample:
Let’s analyze Virlock’s behavior using a real-time sample inside ANY.RUN’s sandbox.
[Figure: Virlock ransomware inside the VM]
Just like LockBit and Lynx, Virlock drops a ransom note upon execution. However, this time, it demands payment in Bitcoin, a common tactic among ransomware operators.
In this specific sample, Virlock asks for the equivalent of $250 in Bitcoin, threatening to permanently delete files if the ransom is not paid.
Interestingly, the ransom note does not just demand payment. It also includes a guide on Bitcoin, explaining what it is and how victims can acquire it for payment.
[Figure: Ransom note demanding Bitcoin left by Virlock]
During execution, ANY.RUN detects several malicious activities, revealing how Virlock operates:
[Figure: Behavior of Virlock ransomware analyzed by the Interactive Sandbox]
- A Virlock-specific mutex is identified, helping the malware ensure only one instance runs at a time to avoid interference.
- Virlock executes commands through batch (.bat) files, launching CMD.EXE to perform malicious actions.
- The ransomware modifies the Windows registry using REG/REGEDIT.EXE, likely to establish persistence or disable security features.
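The last two behaviors in this list form a process chain that endpoint telemetry can be searched for: CMD.EXE running a .bat file, with REG.EXE or REGEDIT.EXE writing to the registry somewhere beneath it. The sketch below is an added example, not ANY.RUN's detection logic or code from the article; the record format, process IDs, file names and registry key are constructed placeholders.

```python
import ntpath
import re

# Constructed process-creation records (pid, parent pid, image, command line);
# paths, file names and the registry key are placeholders, not sample data.
PROCS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Users\amy\Downloads\sample.exe", "sample.exe"),
    (210, 200, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\amy\AppData\Local\Temp\a.bat"'),
    (220, 210, r"C:\Windows\System32\reg.exe", r"reg.exe add HKCU\Software\Example /v Flag /d 1 /f"),
    (211, 210, r"C:\Windows\System32\cmd.exe", "cmd.exe /c b.cmd"),
    (221, 211, r"C:\Windows\regedit.exe", r"regedit.exe /s C:\Users\amy\AppData\Local\Temp\c.reg"),
    (300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (310, 300, r"C:\Windows\System32\reg.exe", r"reg.exe add HKCU\Software\Example /v Theme /d 2 /f"),
    (400, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\build\build.bat"),
    (410, 400, r"C:\Windows\System32\reg.exe", r"reg.exe query HKLM\Software\Example"),
]

# Registry writes only: reg add/delete/import, or a silent regedit import.
REG_WRITE = re.compile(r"\breg(\.exe)?\s+(add|delete|import)\b|\bregedit(\.exe)?\s+/s\b", re.I)
BAT_ARG = re.compile(r'[^\s"]+\.bat\b', re.I)

def image_name(path):
    return ntpath.basename(path).lower()

def bat_registry_chains(procs):
    """Return (launcher_pid, cmd_pid, reg_pid) for every registry write whose
    ancestry includes cmd.exe executing a .bat file."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        if image_name(image) not in ("reg.exe", "regedit.exe"):
            continue
        if not REG_WRITE.search(cmdline):
            continue                      # read-only queries are ignored
        cur, seen = ppid, {pid}
        while cur in by_pid and cur not in seen:   # guard against pid loops
            seen.add(cur)
            _, parent, anc_image, anc_cmd = by_pid[cur]
            if image_name(anc_image) == "cmd.exe" and BAT_ARG.search(anc_cmd):
                hits.append((parent, cur, pid))
                break
            cur = parent
    return hits

if __name__ == "__main__":
    print(bat_registry_chains(PROCS))
```

Neither condition alone is reported: process 310 writes to the registry from an interactive shell, and process 410 only queries it from a batch job, so both are left out.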
Each sandbox session in ANY.RUN automatically generates a detailed report that can be easily shared within a company. These reports are formatted for further analysis, helping security teams collaborate and develop effective strategies to combat ransomware threats in 2025.
[Figure: Report generated by the ANY.RUN sandbox]
Ransomware in 2025: A Growing Threat You Can Stop
Ransomware is more aggressive than ever, disrupting businesses, stealing data, and demanding millions in ransom. The cost of an attack includes lost operations, damaged reputation, and stolen customer trust.
You can stop ransomware before it locks you out. By analyzing suspicious files in ANY.RUN’s Interactive Sandbox, you get real-time insights into malware behavior, without risking your systems.
Try ANY.RUN free for 14 days to proactively identify cyber threats to your business before it is too late!