You arrive at the office, turn on your system, and panic sets in. All files are locked and all systems are frozen. A ransom demand flashes on the screen: "Pay $2 million in Bitcoin within 48 hours or lose everything."
And the worst part is that there is no guarantee you will get your data back even after paying. Many victims hand over the money and receive nothing in return, or worse still, are attacked again.
This is not a rare case. Ransomware attacks have hit businesses all over the world, from hospitals and banks to small and medium-sized companies. The only way to stop the damage is to proactively analyze suspicious files and links before opening them.
Below we break down the top three ransomware families active in 2025, LockBit, Lynx, and Virlock, and show how interactive analysis helps you detect and stop them before it's too late.
LockBit: Staging a comeback in 2025
LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double-extortion tactics, and ability to evade traditional security measures. Operating under the Ransomware-as-a-Service (RaaS) model, affiliates distribute the malware, leading to widespread attacks across a variety of industries.
Latest Attacks and Activities:
London Drugs (May 2024): LockBit targeted the Canadian retailer London Drugs, forcing the closure of all its locations across Canada. The hackers demanded $25 million and leaked employee data after the company refused to pay.
Zagreb University Hospital Centre (June 2024): The attack disrupted Croatia's largest hospital, forcing staff to revert to manual operations, while the attackers claimed they had stolen medical records.
Evolve Bank & Trust (June 2024): Hackers breached sensitive financial data and mistakenly claimed they had obtained Federal Reserve information. The attack raised concerns over Evolve's relationships with major fintech companies.
LockBit sample:
Take a closer look at a LockBit ransomware sample in any.run's secure sandbox and see what stands out.
File icon changed in any.run sandbox
Inside the interactive sandbox, the first thing you notice stands out: the file icon is changed to the LockBit logo. This is an immediate indication of a ransomware infection.
Next, a ransom note appears inside the sandbox, stating that the files have been stolen and encrypted. The message is clear: pay the ransom or your data will be published on a TOR website.
Ransom note displayed in a safe environment
On the right side of the screen, you can see a detailed breakdown of all the processes launched to attack the system.
The process tree shows LockBit's behavior
By clicking on a process, security teams can analyze the exact tactics used in the attack.
A detailed breakdown of processes in an interactive sandbox
This type of analysis is important for businesses because it helps you understand how ransomware spreads, identify security weaknesses, and take proactive measures to block similar threats before they cause financial and operational damage.
For a more detailed breakdown of attack tactics, you can also click the ATT&CK button in the top right corner of the sandbox. This gives you detailed insight into each tactic and helps your team fine-tune defenses and strengthen response strategies.
MITRE ATT&CK tactics and techniques detected by any.run
In this case, you will see LockBit using several dangerous techniques:
Bypasses security controls to gain higher privileges.
Extracts saved credentials from files and web browsers.
Scans the system to collect information before encrypting files.
Encrypts data and locks down critical business operations.
New Attack Warning for 2025:
Despite law enforcement action, LockBit continues to pose a major threat in 2025. The suspected leader of the group, known as LockBitSupp, has warned of a new ransomware attack launched this February. This means businesses cannot afford to let their guard down.
Lynx: Rising threat to small businesses
Lynx is a relatively new ransomware group that emerged in mid-2024 and quickly built a reputation for its highly aggressive approach. Unlike large ransomware gangs that focus on corporate giants, Lynx deliberately targets small businesses in North America and Europe, exploiting their weaker security measures.
Their strategy relies on double extortion. In addition to encrypting files, they threaten to leak stolen data on both public websites and dark web forums if the victim refuses to pay. This forces businesses into an impossible choice: pay the ransom, or risk having sensitive data, financial details, and customer records published online.
Latest Lynx Attacks:
In mid-January 2025, Lynx targeted Lowe Engineers, a well-known civil engineering company based in Atlanta, Georgia. The attack exfiltrated sensitive data, including confidential project information and client details. Given the company's involvement in critical infrastructure projects, the breach raised serious concerns about its potential impact on federal and local government contracts.
Lynx Sample:
Thanks to any.run’s interactive sandbox, you can analyze the full attack chain of Lynx ransomware in a controlled virtual environment without putting your real system at risk.
When you upload and run the malicious executable in Any.run's cloud-based sandbox, the ransomware immediately starts encrypting files and changes their extension to .lynx.
The file changes tab shows file system activity
Shortly afterwards, a ransom note appears and the desktop wallpaper is replaced with a threatening message that directs the victim to a TOR site where the attacker demands payment.
Wallpaper changed by Lynx ransomware in the Any.run sandbox
Within the any.run sandbox, you can manually open the readme.txt dropped by Lynx and view the ransom message exactly as the victim would.
The ransom note includes an Onion link that directs victims to the attacker's communication portal
The MITRE ATT&CK section gives you a clear breakdown of Lynx's tactics and techniques, revealing how it works.
MITRE ATT&CK tactics and techniques used by Lynx ransomware
Encrypts files and locks important business data.
Renames files to mimic other ransomware strains.
Queries the registry to scan system details and security software.
Reads CPU information to evaluate the target environment.
Checks software policy to determine security settings before proceeding.
Virlock: The self-replicating ransomware that refuses to die
Virlock is a unique ransomware strain that first appeared in 2014. Unlike typical ransomware, Virlock not only encrypts files but also infects them, turning each one into a polymorphic file infector. This dual behavior allows rapid spread, especially through cloud storage and collaboration platforms.
Recent Attacks:
Recent analysis has observed Virlock actively spreading through cloud storage and collaboration apps. Once a system is infected, Virlock encrypts and infects files, which are then synced to a shared cloud environment.
Collaborators accessing these shared files will inadvertently execute the infected files, spreading them even further within the organization.
Virlock Sample:
Let's analyze Virlock's behavior using a real sample in any.run's sandbox.
Virlock ransomware in a VM
Like LockBit and Lynx, Virlock drops a ransom note when it runs. This time, payment is demanded in Bitcoin, a common tactic among ransomware operators.
In this particular sample, Virlock demands $250 worth of Bitcoin and threatens to permanently delete the files if the ransom is not paid.
Interestingly, the ransom note doesn't just demand payment. It also includes a guide to Bitcoin, explaining what it is and how the victim can obtain it to pay.
Ransom note demanding Bitcoin, dropped by Virlock
During execution, Any.run detects several malicious activities that reveal how Virlock works.
Virlock ransomware behavior analyzed in the interactive sandbox
Ensures that only one instance of the malware runs at a time to avoid interference.
Executes commands via a batch (.bat) file, launching cmd.exe to perform malicious actions.
May use reg.exe/regedit.exe to modify the Windows registry to establish persistence or disable security features.
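The behaviors described above for Lynx (mass extension change to .lynx, a dropped readme.txt) and Virlock (cmd.exe run via a .bat file, reg.exe touching the registry for persistence) can be turned into simple detection rules over a sandbox event log. The following is an added example, not any.run's code or report format: it runs over a constructed, pipe-delimited event list and the thresholds and rule names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sandbox-style events (not any.run's real report format):
# "file_rename|<old>|<new>", "file_create|<path>", "process|<parent>|<cmdline>"
SAMPLE_EVENTS = [
    "process|explorer.exe|C:\\Users\\victim\\Downloads\\invoice.exe",
    "file_rename|C:\\Users\\victim\\Documents\\q1.xlsx|C:\\Users\\victim\\Documents\\q1.xlsx.lynx",
    "file_rename|C:\\Users\\victim\\Documents\\plan.docx|C:\\Users\\victim\\Documents\\plan.docx.lynx",
    "file_rename|C:\\Users\\victim\\Pictures\\site.png|C:\\Users\\victim\\Pictures\\site.png.lynx",
    "file_create|C:\\Users\\victim\\Desktop\\README.txt",
    "process|invoice.exe|cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\run.bat",
    "process|cmd.exe|reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe",
]

# Rule patterns (assumed, based on the behaviors the post describes)
RANSOM_NOTE_RE = re.compile(r"(readme|restore|recover|decrypt)[^\\]*\.(txt|html?)$", re.I)
PERSISTENCE_RE = re.compile(r"\b(reg(edit)?\.exe)\b.*\\CurrentVersion\\Run\b", re.I)
BATCH_RE = re.compile(r"\bcmd\.exe\b.*\.bat\b", re.I)
MIN_RENAMES = 3  # assumed threshold for a "mass extension change"

def analyze_events(events):
    """Return a dict of triggered indicators -> supporting evidence."""
    findings = {}
    new_ext = Counter()  # new extensions appended by renames
    for ev in events:
        kind, *fields = ev.split("|")
        if kind == "file_rename":
            old, new = fields
            ext = new.rsplit(".", 1)[-1].lower()
            if not old.lower().endswith("." + ext):  # extension actually changed
                new_ext[ext] += 1
        elif kind == "file_create":
            name = fields[0].rsplit("\\", 1)[-1]
            if RANSOM_NOTE_RE.search(name):
                findings["ransom_note_dropped"] = fields[0]
        elif kind == "process":
            parent, cmdline = fields
            if PERSISTENCE_RE.search(cmdline):
                findings["registry_run_key_persistence"] = cmdline
            if BATCH_RE.search(cmdline):
                findings["cmd_via_batch_file"] = cmdline
    for ext, n in new_ext.items():
        if n >= MIN_RENAMES:
            findings["mass_extension_change"] = f".{ext} x{n}"
    return findings

def verdict(findings):
    """Note drop plus mass rename, or any three indicators, is ransomware-like."""
    core = {"ransom_note_dropped", "mass_extension_change"}
    return "ransomware-like" if core.issubset(findings) or len(findings) >= 3 else "inconclusive"

if __name__ == "__main__":
    print(verdict(analyze_events(SAMPLE_EVENTS)), analyze_events(SAMPLE_EVENTS))
```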
Each sandbox session in any.run automatically generates a detailed report that can be easily shared within the company. These reports are formatted for further analysis and help security teams collaborate and develop effective strategies against ransomware threats in 2025.
Generated report by any.run sandbox
Ransomware in 2025: Increased threats that can be stopped
Ransomware is more aggressive than ever, disrupting businesses, stealing data, and demanding millions in ransom. The costs of an attack include lost operations, reputational damage, and lost customer trust.
You can stop ransomware before it locks you out. Analyzing suspicious files in any.run's interactive sandbox gives you real-time insight into malware behavior without putting your systems at risk.
Try it for free for 14 days to proactively identify cyber threats to your business before it's too late!