A new digital threat is looming over Mexico’s public institutions: a ransomware strain called Lyrix, which could affect over a thousand government offices across the country. This variant was specifically designed to target Windows-based computers and has the potential to cripple key public sector organizations.
Which Institutions Are at Risk?
So far, at least 1,033 agencies have been identified as vulnerable due to critical system flaws. And these are not minor entities—they include major institutions that handle sensitive data or provide essential services to the public. Here are some examples:
- SAT, particularly its electronic invoice verification system.
- The Tax Portal of the State of Hidalgo.
- The National Water Commission.
- The Congressional Channel.
- State and municipal governments such as that of Aguascalientes.
- INFONAVIT.
- The National Institute of Copyright.
- The Certification Authority of the Government of Guerrero.
- The State Congress of Jalisco, specifically its potable water board.
- The educational credit program in Baja California.
- The school property registration system in Jalisco.
- Potable water agencies in Puebla, Sinaloa, and other regions.
- The Fiscal Administration of the State of Coahuila.
- The Labor Trials Directorate of the Government of Chihuahua.
- The Science and Technology Council of Tabasco, among others.
All of these institutions, because of the type of data they handle (ranging from tax information, copyright, and housing to education), are prime targets for cybercriminals. The goal is clear: encrypt the information, block access, and then demand a ransom in exchange for releasing it.
What Is Lyrix Ransomware and How Does It Attack?
Lyrix is a type of malware that, like other ransomware, hijacks your data and demands a ransom to return it. What’s particularly striking (and concerning) about this one is that it was created using Python—a very versatile programming language. It was then “packaged” with a tool called PyInstaller, which essentially allows it to run smoothly on Windows computers as if it were just another regular program.
Once it infiltrates a network or system, Lyrix gets to work: it scans everything, hunts for important files, and locks them using extremely strong encryption (AES-256 and RSA-2048, if those sound familiar). What does this mean? That no one can access those files without a special key—one that, of course, only the attackers possess. It’s like putting your data in an indestructible safe... and they keep the key.
But that’s not all. Lyrix is also a chameleon: it constantly changes its code to avoid detection by traditional antivirus software. This technique, known as polymorphic code, makes it very difficult to identify using common security methods, since it doesn’t leave a fixed “fingerprint.”
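Because the article says Lyrix is a Python program wrapped with PyInstaller, one quick triage check an analyst can run on a suspicious Windows executable is to look for the PyInstaller "cookie" that the bootloader appends to every packed binary. The following is an added example, not code from the article or from the malware; it assumes the cookie layout used by PyInstaller 2.1 and later (`!8sIIii64s`), and the "packed binary" it inspects is a constructed stand-in built inline.

```python
import struct

# PyInstaller appends an 88-byte cookie to the bootloader it builds. Its 8-byte
# magic is a stable marker for "this EXE is PyInstaller-packed".
# Assumption: cookie layout of PyInstaller 2.1+ (magic, package length,
# TOC offset, TOC length, Python version, Python DLL name).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie as a dict, or None if the magic is absent."""
    pos = data.rfind(PYINSTALLER_MAGIC)  # cookie sits near the end of the file
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",  # 312 -> "3.12"
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample_packed_binary() -> bytes:
    """Constructed stand-in for a packed EXE: fake PE bytes + fake archive + cookie."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    fake_archive = b"\x00" * 500  # stands in for the embedded CArchive
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC, len(fake_archive) + COOKIE_SIZE,
        420, 80, 312, b"python312.dll",
    )
    return fake_pe + fake_archive + cookie


def triage(data: bytes) -> str:
    """One-line verdict an analyst can attach to the sample."""
    cookie = find_pyinstaller_cookie(data)
    if cookie is None:
        return "no PyInstaller cookie found"
    return (f"PyInstaller-packed binary (Python {cookie['python_version']}, "
            f"{cookie['python_lib']}, archive {cookie['package_length']} bytes)")


if __name__ == "__main__":
    print(triage(build_sample_packed_binary()))
    print(triage(b"MZ" + b"\x00" * 1024))
```

A hit only tells you the binary was built with PyInstaller (plenty of legitimate tools are), so treat it as a reason to unpack and inspect, not as a verdict on its own.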
Lyrix Ransomware Ransom Note
When Lyrix finishes encrypting the files, it changes their extensions (essentially renaming them) and leaves a kind of ransom note on the computer. In that note, the attackers demand payment—usually in cryptocurrency—in exchange for "restoring" access to your own data.
But it’s not just about asking for money. To increase the pressure, they threaten to permanently delete everything or even leak the information publicly if the ransom isn’t paid within a specific timeframe. To make matters worse, Lyrix also deletes backup copies if it detects them, leaving victims with no alternative but to consider paying.
What Makes It So Dangerous?
Here are some of the techniques it uses:
- Ultra-strong encryption (AES-256 and RSA-2048): Nearly impossible to crack without the decryption key.
- Deletes backups and system restore points: Making recovery extremely difficult.
- Constantly changes its code (polymorphism): This technique helps it evade detection by traditional antivirus software.
- Connects with attackers through the Tor network: An anonymous network that makes tracking the origin nearly impossible.
In short, Lyrix doesn’t just lock your files—it leaves you without a backup plan and no time to react.
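The backup and restore-point deletion described above is the step defenders most often catch first, because it has to run as visible commands on the endpoint. The following is an added example, not from the article or the TecnetOne SOC: a small detection routine run over constructed process-creation events (Sysmon Event ID 1 style, reduced to host, user, image and command line), which flags the usual backup-tampering commands and escalates a host that shows several distinct ones. Hostnames, user names and events are all made up for the demonstration.

```python
import re

# Constructed process-creation events; a real pipeline would pull them from the SIEM.
SAMPLE_EVENTS = [
    {"host": "srv-fin-01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "wks-hr-17", "user": "CORP\\jlopez", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "wks-hr-17", "user": "CORP\\jlopez", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "wks-hr-17", "user": "CORP\\jlopez", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv-fin-01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},
]

# Detection rules: (name, case-insensitive regex over the command line).
RULES = [
    ("shadow-copy deletion via vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy deletion via WMI", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Windows recovery disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("backup catalog deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


def match_rules(event: dict) -> list:
    """Names of every rule the event's command line matches (empty for benign activity)."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def detect_backup_tampering(events: list, burst_threshold: int = 2) -> dict:
    """Collect individual hits and escalate hosts showing >= burst_threshold distinct actions."""
    hits, per_host = [], {}
    for ev in events:
        for rule in match_rules(ev):
            hits.append({"host": ev["host"], "user": ev["user"], "rule": rule, "cmdline": ev["cmdline"]})
            per_host.setdefault(ev["host"], set()).add(rule)
    escalate = sorted(h for h, rules in per_host.items() if len(rules) >= burst_threshold)
    return {"hits": hits, "escalate": escalate}


if __name__ == "__main__":
    result = detect_backup_tampering(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f"[{h['host']}] {h['user']}: {h['rule']} :: {h['cmdline']}")
    print("escalate:", result["escalate"])
```

Note that the legitimate backup account's `list shadows` and `start backup` commands produce no hits, while the workstation with three different tampering actions in a row is escalated, which is the pattern worth paging on.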
How to Protect Yourself from Lyrix
If there’s one thing threats like this make clear, it’s that having “a good antivirus” is no longer enough. Both public and private organizations need to take cybersecurity seriously and strengthen their digital defenses from every angle. How can this be done? Here are some key recommendations:
- Keep everything updated: Operating systems, software, and security patches. Many attacks exploit vulnerabilities that already have fixes—just not installed in time.
- Train your team: Often, a single wrong click on a phishing email is the gateway. Ensuring everyone knows how to spot scams is essential.
- Use advanced security solutions: Especially tools that analyze device behavior, not just what “looks” suspicious. At TecnetOne, we have a 24/7 Security Operations Center (SOC) that monitors, analyzes, and responds to potential threats in real time. This allows us to act before an attack spreads and offer much more effective protection to our clients.
- Implement smart and secure backups: Simply saving a copy “on the same server” or in a shared folder isn’t enough. Solutions like TecnetProtect Backup let you automate backups, store them outside the main system, and include integrated ransomware protection. You can also manage endpoints from a single console, which greatly simplifies security administration—especially if you have many devices or locations.
- Have an emergency plan: If something goes wrong, knowing how to respond quickly can mean the difference between a scare and a disaster.
Lyrix is just another sign that cyberattacks are no longer the stuff of movies. They are real, sophisticated, and increasingly targeted. That’s why prevention is key. Be proactive—don’t wait for disaster to strike. Because when it comes to ransomware, it’s better to prevent than to pay.