You arrive at the office, power up your system, and panic sets in. Every file is locked, and every system is frozen. A ransom demand flashes on your screen: “Pay $2 million in Bitcoin within 48 hours or lose everything.”
And the worst part is that even after paying, there is no guarantee you will get your data back. Many victims hand over the money, only to receive nothing in return, or worse, get hit again.
This is not a rare case. Ransomware attacks are crippling businesses worldwide, from hospitals and banks to small companies. The only way to stop the damage is by proactively analyzing suspicious files and links before they can be executed.
Below, we break down the top three ransomware families active in 2025: LockBit, Lynx, and Virlock, and find out how interactive analysis helps businesses detect and stop them before it's too late.
LockBit: Teasing a Comeback in 2025
LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double extortion tactics, and ability to evade traditional security measures. Operating under a Ransomware-as-a-Service (RaaS) model, it enables affiliates to distribute the malware, leading to widespread attacks across various industries.
Latest attacks and activity:
- London Drugs (May 2024): LockBit targeted Canadian retailer London Drugs, forcing the closure of all its locations across Canada. Hackers demanded $25 million, leaking some employee data after the company refused to pay.
- University Hospital Center, Zagreb (June 2024): Disrupted Croatia’s largest hospital, forcing staff to revert to manual operations while attackers claimed to have exfiltrated medical records.
- Evolve Bank & Trust (June 2024): Breached sensitive financial data, with hackers falsely claiming to have Federal Reserve information. The attack raised concerns due to Evolve’s ties with major fintech firms.
LockBit sample:
Let’s take a closer look at a LockBit ransomware sample inside ANY.RUN’s secure sandbox to discover its key behaviors.
Figure: File icons changed inside the ANY.RUN sandbox
Inside the Interactive Sandbox, the first thing that stands out is the file icons changing to the LockBit logo. This is an immediate sign of ransomware infection.
This is followed by a ransom note inside the sandbox, stating that your files have been stolen and encrypted. The message is clear: pay the ransom, or the data will be published on a TOR website.
Figure: Ransom note displayed inside the secure environment
On the right side of the screen, we see a detailed breakdown of every process LockBit executes to attack the system.
Figure: Process tree demonstrating the behaviors of LockBit
By clicking on any process, security teams can analyze the exact tactics used in the attack.
Figure: Detailed breakdown of processes inside the Interactive Sandbox
This type of analysis is important for businesses because it allows them to understand how ransomware spreads, identify weak points in their security, and take proactive steps to block similar threats before they cause financial and operational damage.
For a more in-depth breakdown of the attack tactics, you can also click on the ATT&CK button in the upper-right corner of the sandbox. This provides detailed insights into each tactic, helping teams fine-tune their defenses and strengthen response strategies.
Figure: MITRE ATT&CK tactics and techniques detected by ANY.RUN
In this case, we see LockBit using several dangerous techniques:
- Gaining higher privileges by bypassing security controls.
- Extracting stored credentials from files and web browsers.
- Scanning the system to gather information before encrypting files.
- Encrypting data to lock down critical business operations.
New attack warning in 2025:
Despite law enforcement actions, LockBit continues to pose a significant threat for 2025. The group’s alleged leader, known as LockBitSupp, has warned of new ransomware attacks launching this February. This means businesses cannot afford to let their guard down.
Lynx: The Rising Threat to Small and Mid-Sized Businesses
Lynx is a relatively new ransomware group that surfaced in mid-2024 and quickly built a reputation for its highly aggressive approach. Unlike larger ransomware gangs that focus on corporate giants, Lynx deliberately goes after small and mid-sized businesses across North America and Europe, taking advantage of weaker security measures.
Their strategy relies on double extortion. They don't just encrypt files but also threaten to leak stolen data on both public websites and dark web forums if victims refuse to pay. This forces businesses into an impossible choice: pay the ransom or risk having confidential data, financial details, and customer records exposed online.
Latest Lynx attack:
In mid-January 2025, Lynx targeted Lowe Engineers, a prominent civil engineering firm based in Atlanta, Georgia. The attack led to the exfiltration of sensitive data, including confidential project information and client details. Given the firm’s involvement in critical infrastructure projects, this breach raised significant concerns about potential impacts on federal and municipal contracts.
Lynx sample:
Thanks to ANY.RUN’s Interactive Sandbox, we can analyze the full attack chain of Lynx ransomware in a controlled virtual environment, without risking real systems.
The moment we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the ransomware immediately starts encrypting files and changes their extensions to .LYNX.
Figure: The Files Modification tab shows the changes in file system activity
Shortly after, a ransom note appears, and the desktop wallpaper is replaced with an extortion message directing victims to a TOR site, where attackers demand payment.
Figure: Lynx ransomware changing the wallpaper inside the ANY.RUN sandbox
Inside the ANY.RUN sandbox, we can manually open the README.txt dropped by Lynx to view the ransom message exactly as a victim would.
Figure: The ransom note includes .onion links that direct victims to the attackers’ communication portal
In the MITRE ATT&CK section, we get a clear breakdown of Lynx’s tactics and techniques, revealing how it operates:
Figure: MITRE ATT&CK tactics and techniques used by Lynx ransomware
- Encrypting files to lock critical business data.
- Renaming files to mimic other ransomware strains.
- Querying the registry to scan for system details and security software.
- Reading CPU information to assess the target environment.
- Checking software policies to determine security settings before proceeding.
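The file-system behavior described in this section (a burst of renames to the .LYNX extension followed by a README.txt drop) can be turned into a simple detection rule. The following is an added example, not code from ANY.RUN or from the original article; the event format, the sample data, the `detect` function name and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

RANSOM_EXT = ".lynx"            # extension reported above (compared lowercase)
NOTE_NAME = "readme.txt"        # ransom note file name reported above
WINDOW = timedelta(seconds=10)  # assumed burst window, tune per environment
MIN_RENAMES = 3                 # assumed threshold, tune per environment

# Constructed sample telemetry: time, PID, action, path(s). Paths contain no
# spaces so that a simple split() is enough for this illustration.
SAMPLE_EVENTS = r"""
2025-01-20T09:00:01 4120 rename C:\Users\amy\Docs\q1.xlsx C:\Users\amy\Docs\q1.xlsx.LYNX
2025-01-20T09:00:01 4120 rename C:\Users\amy\Docs\plan.docx C:\Users\amy\Docs\plan.docx.LYNX
2025-01-20T09:00:02 4120 rename C:\Users\amy\Docs\site.dwg C:\Users\amy\Docs\site.dwg.LYNX
2025-01-20T09:00:02 4120 create C:\Users\amy\Docs\README.txt
2025-01-20T09:00:05 880 create C:\Tools\app\README.txt
2025-01-20T09:03:00 2200 rename C:\Temp\a.tmp C:\Temp\a.bak
"""

def detect(log_text):
    """Return sorted PIDs that burst-rename files to .LYNX and drop README.txt."""
    renames = defaultdict(list)  # pid -> timestamps of renames to .LYNX
    note_pids = set()            # pids that created a README.txt
    for line in log_text.strip().splitlines():
        ts, pid, action, *paths = line.split()
        target = paths[-1].lower()
        if action == "rename" and target.endswith(RANSOM_EXT):
            renames[int(pid)].append(datetime.fromisoformat(ts))
        elif action == "create" and ntpath.basename(target) == NOTE_NAME:
            note_pids.add(int(pid))
    flagged = []
    for pid, stamps in renames.items():
        stamps.sort()
        # Sliding window: MIN_RENAMES consecutive renames within WINDOW.
        burst = any(stamps[i + MIN_RENAMES - 1] - stamps[i] <= WINDOW
                    for i in range(len(stamps) - MIN_RENAMES + 1))
        if burst and pid in note_pids:
            flagged.append(pid)
    return sorted(flagged)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Requiring both signals keeps a lone README.txt from an installer, or a single renamed file, from raising an alert.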
Virlock: A Self-Replicating Ransomware That Won't Die
Virlock is a unique ransomware strain that first emerged in 2014. Unlike typical ransomware, Virlock not only encrypts files but also infects them, turning each into a polymorphic file infector. This dual capability allows it to spread rapidly, especially through cloud storage and collaboration platforms.
Recent attacks:
In recent analyses, Virlock has been observed spreading stealthily via cloud storage and collaboration apps. When a user’s system is infected, Virlock encrypts and infects files, which are then synced to shared cloud environments.
Collaborators who access these shared files inadvertently execute the infected files, leading to further spread within the organization.
Virlock sample:
Let’s analyze Virlock’s behavior using a real-time sample inside ANY.RUN’s sandbox.
Figure: Virlock ransomware inside the VM
Just like LockBit and Lynx, Virlock drops a ransom note upon execution. However, this time, it demands payment in Bitcoin, a common tactic among ransomware operators.
In this specific sample, Virlock asks for the equivalent of $250 in Bitcoin, threatening to permanently delete files if the ransom isn't paid.
Interestingly, the ransom note doesn't just demand payment. It also includes a guide on Bitcoin, explaining what it is and how victims can acquire it for payment.
Figure: Ransom note demanding Bitcoin left by Virlock
During execution, ANY.RUN detects several malicious activities, revealing how Virlock operates:
Figure: Behavior of Virlock ransomware analyzed by the Interactive Sandbox
- A Virlock-specific mutex is identified, helping the malware ensure only one instance runs at a time to avoid interference.
- Virlock executes commands through batch (.bat) files, launching CMD.EXE to perform malicious actions.
- The ransomware modifies the Windows registry using REG/REGEDIT.EXE, likely to establish persistence or disable security features.
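The process behavior listed above (CMD.EXE running a .bat file, with REG.EXE or REGEDIT.EXE launched further down the tree) can be hunted for by walking process lineage in process-creation telemetry. This is an added example, not ANY.RUN's detection logic or code from the original article; the record layout, the sample processes, the placeholder registry key and the `find_chains` function are assumptions made for illustration.

```python
import ntpath

REG_TOOLS = {"reg.exe", "regedit.exe"}  # registry tools named above

# Constructed process-creation records: (pid, parent pid, image, command line).
# The registry key in the sample command line is a harmless placeholder.
SAMPLE_PROCS = [
    (1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (2300, 1000, r"C:\Users\amy\Downloads\invoice.exe", "invoice.exe"),
    (2310, 2300, r"C:\Windows\System32\cmd.exe",
     r"cmd /c C:\Users\amy\AppData\Local\Temp\xk.bat"),
    (2320, 2310, r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Example /v Demo /d 1 /f"),
    (3000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),   # interactive shell
    (3010, 3000, r"C:\Windows\regedit.exe", "regedit.exe"),    # admin at work
]

def name(image):
    """Lowercased file name of a Windows image path."""
    return ntpath.basename(image).lower()

def is_batch_shell(image, cmdline):
    """True when cmd.exe was started with a .bat file as an argument."""
    args = (tok.strip('"').lower() for tok in cmdline.split())
    return name(image) == "cmd.exe" and any(a.endswith(".bat") for a in args)

def find_chains(procs):
    """Return (pid, lineage) for registry tools descended from cmd.exe + .bat."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, _ in procs:
        if name(image) not in REG_TOOLS:
            continue
        chain, cur, seen, batch = [name(image)], ppid, set(), False
        while cur in by_pid and cur not in seen:  # seen guards against PID loops
            seen.add(cur)
            _, parent, pimg, pcmd = by_pid[cur]
            chain.append(name(pimg))
            batch = batch or is_batch_shell(pimg, pcmd)
            cur = parent
        if batch:
            hits.append((pid, " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    print(find_chains(SAMPLE_PROCS))
```

The reported lineage also names the process that started the batch file, which is usually the sample worth submitting for analysis.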
Each sandbox session in ANY.RUN automatically generates a detailed report that can be easily shared within a company. These reports are formatted for further analysis, helping security teams collaborate and develop effective strategies to combat ransomware threats in 2025.
Figure: Report generated by the ANY.RUN sandbox
Ransomware in 2025: A Growing Threat You Can Stop
Ransomware is more aggressive than ever, disrupting businesses, stealing data, and demanding millions in ransom. The cost of an attack includes lost operations, damaged reputation, and stolen customer trust.
You can stop ransomware before it locks you out. By analyzing suspicious files in ANY.RUN’s Interactive Sandbox, you get real-time insights into malware behavior, without risking your systems.
Try ANY.RUN free for 14 days to proactively identify cyber threats to your business before it's too late!