Old Miner, New Tricks: H2miner Resurfaces with Lcrypt0rx Ransomware
The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2miner is a cryptomining botnet that has been active since late 2019.
We also identified a new variant of the Lcryx ransomware, called Lcrypt0rx. Lcryx is a relatively new VBScript-based ransomware strain first observed in November 2024. This family exhibits several unusual characteristics that suggest it may have been generated using AI.
This is the first documented instance of operational overlap between H2miner and Lcryx, suggesting the following possibilities:
- A collaboration between the operators to maximize financial gain. This is plausible because the two families target different operating systems.
- Development of Lcrypt0rx by H2miner operators to increase their campaign’s financial gain.
- Reuse of Lcrypt0rx by H2miner operators to conduct mining operations while shifting the blame.
To read the complete article, see the Fortinet Blog.