CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and compiled with PyInstaller — allowing it to run as a standalone executable with all dependencies—Lyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files. Its advanced evasion techniques and persistence mechanisms make it challenging to detect and remove. This discovery underscores the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data and reduce the risk of breaches.
Target Technologies Windows Operating System
Written In Python
Encrypted file extension Original file names appended with ‘.02dq34jROu’ extension
Observed First 2025-04-20
Problem Statement
Lyrix Ransomware targets Windows operating systems using advanced evasion and anti-analysis techniques to reduce the likelihood of detection. Its tactics include obfuscating malicious behavior, bypassing rule-based detection systems, employing strong encryption, issuing ransom demands, and threatening to leak stolen data on underground forums.
Lyrix Ransomware
Basic Details
Filename Encryptor.exe
Size 20.43 MB
Signed Not signed
File Type Win32 EXE
Timestamp Sun Apr 20 09:04:34 2025 (UTC)
SHA 256 Hash fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
Sophos was brought in to investigate the attack and believe the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.
SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.
The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections.
The threat actors then attempted to steal data and deploy decryptors on customer networks, which were blocked on one of the networks using Sophos endpoint protection. However, the other customers were not so lucky, with devices encrypted and data stolen for double-extortion attacks.
Sophos has shared IOCs related to this attack to help organizations better defend their networks.
MSPs have long been a valuable target for ransomware gangs, as a single breach can lead to attacks on multiple companies. Some ransomware affiliates have specialized in tools commonly used by MSPs, such as SimpleHelp, ConnectWise ScreenConnect, and Kaseya.
This has led to devastating attacks, including REvil's massive ransomware attack on Kaseya, which impacted over 1,000 companies.
Key Takeaways
DragonForce ransomware group is targeting major UK retailers. Learn about this evolving threat and what steps can be taken to mitigate risk.
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.
Background
DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded.
The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage.
Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom.
Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.
The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom.
In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online.
"On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.
"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.
"We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."
The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.
The attacks on Marks and Spencer, Co-op and Harrods are linked. DragonForce’s lovely PR team claim more are to come.
Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it’s a repeat of the 2022–2023 activity which saw breaches at Nvidia, Samsung, Rockstar and Microsoft amongst many others. More info below.
I am not saying it is Scatter Spider; Scattered Spider has become a dumping ground for e-crime groups anyway. The point is they — the threat actor — are entering using the front door, via the helpdesk to get MFA access — those are very good guides from defenders about what to do, links below.
Source: Cybersecurity and Infrastructure Security Agency
DragonForce is a white label cartel operation housing anybody who wants to do e-crime. Some of them are pretty good at e-crime.
While organisations are away at RSA thinking about quantum AI cyber mega threats — the harsh reality is most organisations do not have the foundations in place to do be worrying about those kind of things. Generative AI is porn for execs and growth investment — threat actors are very aware that now is the time to launch attacks, not with GenAI, but foundational issues. Because nobody is paying attention.
Once they get access, they are living off the land — using Teams, Office search to find documentation, the works. Forget APTs, now you have the real threat: Advanced Persistent Teenagers, who have realised the way to evade most large cyber programmes is to cosplay as employees. Last time this happened, the MET Police ended up arresting a few under-18 UK nationals causing incidents to largely drop off.
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service.
Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem.
“A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.”
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. But Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly.
The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members.
The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March.
The 84 attacks seen from January to March were more than double the number seen in Q1 2024.
Cell C, South Africa’s fourth largest mobile network operator, said on Wednesday morning that RansomHouse had unlawfully disclosed data after a security breach for which RansomHouse is claiming responsibility.
The operator, with 7.7 million subscribers as of February, was attacked in early November 2024 and RansomHouse acquired 2TB of data, which has been corroborated by files posted on the dark web, according to security company PFortner.
Data accessed included:
Full names and contact details (email, phone numbers)
ID numbers
Banking details (if stored for billing purposes)
Driver’s License Numbers
Medical Records (if supplied for closure of accounts on death of a family member)
Passport details
It is not clear how many people were affected.
Malware Analysis Report - LockBit Ransomware v4.0
In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme.
This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families.
As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
Bell Ambulance and Alabama Ophthalmology Associates have suffered data breaches affecting over 100,000 people after being targeted in ransomware attacks.
One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025.
An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information.
Bell Ambulance did not say in its public notice how many individuals are impacted, but the Department of Health and Human Services (HHS) data breach tracker revealed on Monday that 114,000 people are affected.
The Medusa ransomware group announced hacking Bell Ambulance in early March, claiming to have stolen more than 200 Gb of data from its systems.
The second healthcare organization to confirm a data breach impacting more than 100,000 people is Birmingham, AL-based ophthalmology practice Alabama Ophthalmology Associates.
Key Findings The number of publicly-mentioned and extorted victims in Q1 reached the highest ever number, with a 126% increase year-over-year. Cl0p
Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February.
DaVita has not named the ransomware group behind the incident or share details on the attacker’s ransom demands
The Rhysida ransomware gang claims to have stolen 2.5 Tb of files from the Oregon Department of Environmental Quality.
"Don't do crime," the ransomware gang's dark web leak site reads.
interview: Crims are disabling security tools early in attacks, Talos says
Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, a relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025.
Fortunately, it will not happen due to certain events happening "behind the scenes." As you may know, Christmas and Winter Holidays are the best times for cybercriminals to attack, defraud, and extort victims globally. But in some cases, they may expect unexpected gifts too. Around that time, Resecurity identified a vulnerability present at the Data Leak Site (DLS) of BlackLock in the TOR network - successful exploitation of which allowed our analysts to collect substantial intelligence about their activity outside of the public domain.
orums as part of our Threat Discovery Process.
Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.
Target Technologies: Windows
Target Geography: France, USA.
Target Industry: Government, Manufacturing, Pharma.
Encrypted file extension: .vanhelsing
Observed First: 2025-03-16
Threat actor Communication mode: Tor
Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process.
