Saturday, February 22, 2025

Top 3 Ransomware Threats Active in 2025


You arrive at the office, power up your system, and panic sets in. Every file is locked, and every system is frozen. A ransom demand flashes on your screen: “Pay $2 million in Bitcoin within 48 hours or lose everything.”

And the worst part is that even after paying, there is no guarantee you will get your data back. Many victims hand over the money, only to receive nothing in return, or worse, get hit again.

This is not a rare case. Ransomware attacks are crippling businesses worldwide, from hospitals and banks to small companies. The only way to stop the damage is by proactively analyzing suspicious files and links before they can be executed.

Below, we break down the top three ransomware families active in 2025: LockBit, Lynx, and Virlock, and show how interactive analysis helps businesses detect and stop them before it is too late.

LockBit: Teasing a Comeback in 2025

LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double extortion tactics, and ability to evade traditional security measures. Operating under a Ransomware-as-a-Service (RaaS) model, it enables affiliates to distribute the malware, leading to widespread attacks across various industries.

Latest attacks and activity:

  • London Drugs (May 2024): LockBit targeted Canadian retailer London Drugs, forcing the closure of all its locations across Canada. Hackers demanded $25 million, leaking some employee data after the company refused to pay.
  • University Hospital Centre, Zagreb (June 2024): Disrupted Croatia’s largest hospital, forcing staff to revert to manual operations while attackers claimed to have exfiltrated medical records.
  • Evolve Bank & Trust (June 2024): Breached sensitive financial data, with hackers falsely claiming to have Federal Reserve records. The attack raised concerns because of Evolve’s ties with major fintech companies.

LockBit sample:

Let’s take a closer look at a LockBit ransomware sample inside ANY.RUN’s secure sandbox to discover its key behaviors.

View analysis session

File icons changed inside the ANY.RUN sandbox

Inside the Interactive Sandbox, the first thing that stands out is the file icons changing to the LockBit logo. That is an immediate sign of ransomware infection.


This is followed by a ransom note inside the sandbox, stating that your files have been stolen and encrypted. The message is clear: pay the ransom, or the data will be published on a TOR website.

Ransom note displayed inside the secure environment

On the right side of the screen, we see a detailed breakdown of every process LockBit executes to attack the system.

Process tree demonstrating the behaviors of LockBit

By clicking on any process, security teams can analyze the specific tactics used in the attack.

Detailed breakdown of processes inside the Interactive Sandbox

This kind of analysis is crucial for businesses, as it allows them to understand how ransomware spreads, identify weak points in their security, and take proactive steps to block similar threats before they cause financial and operational damage.

For a more in-depth breakdown of the attack tactics, you can also click the ATT&CK button in the upper-right corner of the sandbox. This provides detailed insights into each tactic, helping teams fine-tune their defenses and strengthen response strategies.

MITRE ATT&CK tactics and techniques detected by ANY.RUN

In this case, we see LockBit using several dangerous techniques:

  • Gaining higher privileges by bypassing security controls.
  • Extracting stored credentials from files and web browsers.
  • Scanning the system to gather information before encrypting files.
  • Encrypting files to lock down critical business operations.

New attack warning in 2025:

Despite law enforcement actions, LockBit continues to pose a significant threat in 2025. The group’s alleged leader, known as LockBitSupp, has warned of new ransomware attacks launching this February. This means businesses cannot afford to let their guard down.

Lynx: The Rising Threat to Small and Mid-Sized Businesses

Lynx is a relatively new ransomware group that surfaced in mid-2024 and quickly built a reputation for its highly aggressive approach. Unlike larger ransomware gangs that target corporate giants, Lynx deliberately goes after small and mid-sized businesses across North America and Europe, taking advantage of weaker security measures.

Their strategy relies on double extortion. They do not just encrypt files but also threaten to leak stolen data on both public websites and dark web forums if victims refuse to pay. This forces businesses into an impossible choice: pay the ransom or risk having confidential data, financial details, and customer information exposed online.

Latest Lynx attack:

In mid-January 2025, Lynx targeted Lowe Engineers, a prominent civil engineering firm based in Atlanta, Georgia. The attack led to the exfiltration of sensitive data, including confidential project information and client details. Given the firm’s involvement in critical infrastructure projects, this breach raised significant concerns about potential impacts on federal and municipal contracts.

Lynx sample:

Thanks to ANY.RUN’s Interactive Sandbox, we can analyze the full attack chain of Lynx ransomware in a controlled virtual environment, without risking real systems.

View sandbox analysis of Lynx

The moment we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the ransomware immediately begins encrypting files and changes their extensions to .LYNX.

The Files Modification tab shows the changes in file system activity

Shortly after, a ransom note appears, and the desktop wallpaper is replaced with an extortion message directing victims to a TOR site, where the attackers demand payment.

Lynx ransomware changing the wallpaper inside the ANY.RUN sandbox

Inside the ANY.RUN sandbox, we can manually open the README.txt dropped by Lynx to view the ransom message exactly as a victim would.

The ransom note contains .onion links that direct victims to the attackers’ communication portal

In the MITRE ATT&CK section, we get a clear breakdown of Lynx’s tactics and techniques, revealing how it operates:

MITRE ATT&CK tactics and techniques used by Lynx ransomware

  • Encrypting files to lock critical business data.
  • Renaming files to mimic other ransomware strains.
  • Querying the registry to scan for system details and security software.
  • Reading CPU information to assess the target environment.
  • Checking software policies to determine security settings before proceeding.
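The file-system pattern described above (many files rewritten to a single new extension such as .LYNX, then a README.txt ransom note dropped) is what a detection rule over file events can key on. The Python below is an added example written for this article, not code from ANY.RUN or from the original piece: it scans a constructed list of file events in the shape a sandbox's file-modification view exposes and flags a process that mass-renames files to one extension, or that combines renames with a ransom-note drop. The event tuple format, the pids and paths, and the threshold of five renames are assumptions made for the example.

```python
"""Heuristic detector for ransomware-like file-system activity (added example).

Mirrors what the Files Modification tab shows for the Lynx sample: many files
renamed to a single new extension (.LYNX) and a README.txt ransom note dropped.
Event format, pids, paths and the threshold are assumptions for this example.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample events: (pid, operation, full path after the operation).
SAMPLE_EVENTS = [
    # pid 4120 behaves like the Lynx sample (constructed data)
    (4120, "rename", r"C:\Users\victim\Documents\budget.xlsx.LYNX"),
    (4120, "rename", r"C:\Users\victim\Documents\contract.docx.LYNX"),
    (4120, "rename", r"C:\Users\victim\Documents\plan.pdf.LYNX"),
    (4120, "rename", r"C:\Users\victim\Pictures\site.jpg.LYNX"),
    (4120, "rename", r"C:\Users\victim\Desktop\notes.txt.LYNX"),
    (4120, "rename", r"C:\Users\victim\Desktop\invoice.pdf.LYNX"),
    (4120, "create", r"C:\Users\victim\Documents\README.txt"),
    (4120, "create", r"C:\Users\victim\Desktop\README.txt"),
    # pid 2200 is a word processor saving one document normally (constructed)
    (2200, "create", r"C:\Users\victim\Documents\~WRD0001.tmp"),
    (2200, "rename", r"C:\Users\victim\Documents\report.docx"),
]

# Ransom-note file names to watch for; README.txt is what the Lynx sample drops.
RANSOM_NOTE_NAMES = {"readme.txt"}
# Renames to one extension by a single process that count as "mass" (assumption).
MASS_RENAME_THRESHOLD = 5


@dataclass
class Verdict:
    pid: int
    top_extension: str        # most common new extension this pid renamed files to
    rename_count: int         # how many files received that extension
    ransom_notes: list[str]   # ransom-note files this pid created
    suspicious: bool


def analyze(events, threshold: int = MASS_RENAME_THRESHOLD) -> dict[int, Verdict]:
    """Return one Verdict per pid that renamed files or dropped a ransom note."""
    renames: dict[int, Counter] = defaultdict(Counter)
    notes: dict[int, list[str]] = defaultdict(list)
    for pid, op, path in events:
        p = PureWindowsPath(path)
        if op == "rename":
            renames[pid][p.suffix.lower()] += 1
        elif op == "create" and p.name.lower() in RANSOM_NOTE_NAMES:
            notes[pid].append(path)

    verdicts: dict[int, Verdict] = {}
    for pid in renames.keys() | notes.keys():
        exts = renames[pid]
        top_ext, top_count = exts.most_common(1)[0] if exts else ("", 0)
        # Two signals: a burst of renames to one extension, or any renames
        # combined with a ransom note dropped by the same process.
        mass_rename = top_count >= threshold
        note_with_renames = top_count > 0 and bool(notes[pid])
        verdicts[pid] = Verdict(pid, top_ext, top_count, list(notes[pid]),
                                mass_rename or note_with_renames)
    return verdicts


def flagged_pids(events, threshold: int = MASS_RENAME_THRESHOLD) -> list[int]:
    """Sorted pids whose file activity looks like ransomware encryption."""
    return sorted(pid for pid, v in analyze(events, threshold).items() if v.suspicious)


if __name__ == "__main__":
    for v in analyze(SAMPLE_EVENTS).values():
        print(v)
```

On the constructed events only pid 4120 is flagged; the word processor's single rename stays clean. The threshold is deliberately per process and per extension so that a backup job touching many files with their original names does not trip the rule, while a note drop plus renames from the same process is flagged even below the threshold.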

Virlock: A Self-Replicating Ransomware That Won’t Die

Virlock is a unique ransomware strain that first emerged in 2014. Unlike typical ransomware, Virlock not only encrypts files but also infects them, turning each into a polymorphic file infector. This dual capability allows it to spread rapidly, especially through cloud storage and collaboration platforms.

Recent attacks:

In recent analyses, Virlock has been observed spreading stealthily via cloud storage and collaboration apps. When a user’s system is infected, Virlock encrypts and infects files, which are then synced to shared cloud environments.

Collaborators who access these shared files inadvertently execute the infected files, leading to further spread within the organization.

Virlock sample:

Let’s analyze Virlock’s behavior using a real-time sample inside ANY.RUN’s sandbox.

View sandbox analysis of Virlock

Virlock ransomware inside the VM

Just like LockBit and Lynx, Virlock drops a ransom note upon execution. However, this time it demands payment in Bitcoin, a common tactic among ransomware operators.

In this specific sample, Virlock asks for the equivalent of $250 in Bitcoin, threatening to permanently delete files if the ransom is not paid.

Interestingly, the ransom note does not just demand payment. It also includes a guide to Bitcoin, explaining what it is and how victims can buy it for payment.

Ransom note demanding Bitcoin left by Virlock

During execution, ANY.RUN detects several malicious actions, revealing how Virlock operates:

Behavior of Virlock ransomware analyzed by the Interactive Sandbox

  • A Virlock-specific mutex is identified, helping the malware ensure only one instance runs at a time to avoid interference.
  • Virlock executes commands through batch (.bat) files, launching CMD.EXE to perform malicious actions.
  • The ransomware modifies the Windows registry using REG/REGEDIT.EXE, likely to establish persistence or disable security features.
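The three behaviors listed above (a mutex, cmd.exe launched from a .bat file, registry changes through REG/REGEDIT.EXE) are exactly the kind of chain a process-tree rule can catch. The Python below is an added example written for this article, not ANY.RUN's code: it rebuilds parent/child links from a constructed list of process and mutex events, then flags a registry-writing reg.exe or regedit.exe whose lineage passes through a batch-launched cmd.exe or whose target is an autostart Run/RunOnce key, and reports the originating process together with any mutex it created. The event shape, pids, image names, paths, the mutex name and the command lines are all constructed for the example and are not indicators from the article.

```python
"""Process-tree heuristics for a Virlock-style execution chain (added example).

Reconstructs parent/child links from constructed process and mutex events of
the kind a sandbox process tree exposes, then flags reg.exe / regedit.exe
registry writes that descend from a batch-launched cmd.exe or that target an
autostart (Run / RunOnce) key. Pids, paths, mutex name and command lines are
constructed for this example and are not indicators from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str          # lowercase executable name
    cmdline: str
    mutexes: list[str] = field(default_factory=list)


@dataclass
class Finding:
    pid: int            # the registry-writing process
    image: str
    origin_pid: int     # nearest ancestor that is not a shell or registry tool
    origin_image: str
    from_batch: bool    # lineage includes cmd.exe started with a .bat file
    autostart: bool     # command line targets a Run/RunOnce key
    mutexes: list[str]  # mutexes created by the origin process


# Constructed events: ("process", pid, ppid, image, cmdline) or ("mutex", pid, name)
SAMPLE_EVENTS = [
    ("process", 1000, 800, "explorer.exe", "explorer.exe"),
    ("process", 3100, 1000, "invoice.exe", r"C:\Users\victim\Downloads\invoice.exe"),
    ("mutex", 3100, r"Global\EXAMPLE-ONLY-MUTEX"),          # placeholder name
    ("process", 3120, 3100, "cmd.exe",
     r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\run.bat"),
    ("process", 3130, 3120, "reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
     r"/v updater /t REG_SZ /d C:\Users\victim\AppData\Local\Temp\invoice.exe /f"),
    # Benign: an administrator reading a version key from an interactive shell
    ("process", 5000, 1000, "cmd.exe", "cmd.exe"),
    ("process", 5010, 5000, "reg.exe",
     r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
SHELLS_AND_TOOLS = {"cmd.exe", "reg.exe", "regedit.exe"}


def build_tree(events) -> dict[int, Proc]:
    """Index processes by pid and attach mutex events to their creating process."""
    procs: dict[int, Proc] = {}
    for ev in events:
        if ev[0] == "process":
            _, pid, ppid, image, cmdline = ev
            procs[pid] = Proc(pid, ppid, image.lower(), cmdline)
        elif ev[0] == "mutex" and ev[1] in procs:   # assumes the process event came first
            procs[ev[1]].mutexes.append(ev[2])
    return procs


def lineage(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Ancestors of pid, nearest first, stopping at unknown parents or loops."""
    out: list[Proc] = []
    seen = {pid}
    ppid = procs[pid].ppid
    while ppid in procs and ppid not in seen:
        out.append(procs[ppid])
        seen.add(ppid)
        ppid = procs[ppid].ppid
    return out


def is_batch_launched_cmd(p: Proc) -> bool:
    return p.image == "cmd.exe" and ".bat" in p.cmdline.lower()


def writes_registry(p: Proc) -> bool:
    """True for reg.exe verbs that change keys, or a silent regedit import."""
    toks = p.cmdline.lower().split()
    if p.image == "reg.exe":
        return len(toks) > 1 and toks[1] in {"add", "delete", "import"}
    if p.image == "regedit.exe":
        return "/s" in toks
    return False


def find_suspicious(events) -> list[Finding]:
    procs = build_tree(events)
    findings: list[Finding] = []
    for p in procs.values():
        if not writes_registry(p):
            continue
        ancestors = lineage(procs, p.pid)
        from_batch = any(is_batch_launched_cmd(a) for a in ancestors)
        autostart = AUTOSTART_KEY_RE.search(p.cmdline) is not None
        if not (from_batch or autostart):
            continue
        origin = next((a for a in ancestors if a.image not in SHELLS_AND_TOOLS), p)
        findings.append(Finding(p.pid, p.image, origin.pid, origin.image,
                                from_batch, autostart, list(origin.mutexes)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f)
```

On the constructed tree the rule reports one finding: reg.exe (pid 3130) writing an autostart key, descended from a batch-launched cmd.exe, with invoice.exe as the origin and its mutex attached. The administrator's `reg query` is ignored because it does not write. Walking up to the first non-shell ancestor is what turns a noisy "reg.exe ran" alert into something a responder can act on: the executable that started the chain and the mutex an analyst can use to recognise further instances.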

Every sandbox session in ANY.RUN automatically generates a detailed report that can be easily shared within an organization. These reports are formatted for further analysis, helping security teams collaborate and develop effective strategies to combat ransomware threats in 2025.

Report generated by the ANY.RUN sandbox

Ransomware in 2025: A Growing Threat You Can Stop

Ransomware is more aggressive than ever, disrupting businesses, stealing data, and demanding millions in ransom. The cost of an attack includes lost operations, a damaged reputation, and lost customer trust.

You can stop ransomware before it locks you out. By analyzing suspicious files in ANY.RUN’s Interactive Sandbox, you get real-time insights into malware behavior, without risking your systems.

Try ANY.RUN free for 14 days to proactively identify cyber threats to your business before it is too late!

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
