Lilith, a new ransomware operation, has emerged and has already posted its first victim on its leak site. Creating leak sites has become a common practice to support double-extortion attacks and to list non-paying victims.
Details on Lilith ransomware
Lilith is console-based ransomware written in C/C++ and built to target 64-bit Windows systems.
When running, Lilith tries to end processes that match entries on a hardcoded list. The list includes processes for Steam, Outlook, SQL, PowerPoint, Thunderbird, Firefox, and WordPad.
Before the encryption process starts, Lilith drops a ransom note into each folder, one by one. The note gives the victim three days to contact the attackers, after which the data will be leaked.
The encryption process
After a successful infection, the encryption process starts using the Windows cryptographic API, with Windows's CryptGenRandom function used to generate the random key.
During encryption, it ignores several file extensions, such as EXE, DLL, and SYS. In addition, it excludes a list of directories and specific file names from the encryption process.
Moreover, Lilith has an exclusion for ecdh_pub_k[.]bin, the file in which BABUK ransomware saves its local public key. This could be a remnant of copied code, or it may indicate a link between the two ransomware families.
After encryption, the ransomware appends the ‘.lilith’ extension to encrypted files. Once the important files on the system are locked, the ransomware operators demand a ransom for decryption.
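The behaviours described above (terminating a fixed list of applications, then renaming files with the ‘.lilith’ extension) can be turned into a simple hunting heuristic over endpoint telemetry. The Python below is an added example, not code from the report or from the ransomware; the event schema, the executable names chosen for the targeted applications, and the alert thresholds are all assumptions.

```python
from collections import defaultdict

# Applications the report says Lilith tries to terminate; the executable
# names are assumed for this example (the report only names the products).
TARGET_IMAGES = {"steam.exe", "outlook.exe", "sqlservr.exe", "powerpnt.exe",
                 "thunderbird.exe", "firefox.exe", "wordpad.exe"}
LILITH_EXT = ".lilith"
KILL_THRESHOLD = 3     # distinct targeted apps killed by one source process
RENAME_THRESHOLD = 5   # files given the .lilith extension by one source process

def detect_lilith_activity(events):
    """Return {pid: [reasons]} for processes whose behaviour matches the report.

    `events` is a list of dicts (an assumed schema, not a real vendor format):
      {"type": "process_terminate", "pid": int, "target_image": str}
      {"type": "file_rename",       "pid": int, "new_path": str}
    """
    kills = defaultdict(set)   # pid -> set of targeted images it terminated
    renames = defaultdict(int) # pid -> count of files renamed to .lilith
    for ev in events:
        if ev["type"] == "process_terminate":
            image = ev["target_image"].lower()
            if image in TARGET_IMAGES:
                kills[ev["pid"]].add(image)
        elif ev["type"] == "file_rename":
            if ev["new_path"].lower().endswith(LILITH_EXT):
                renames[ev["pid"]] += 1
    alerts = {}
    for pid in set(kills) | set(renames):
        reasons = []
        if len(kills[pid]) >= KILL_THRESHOLD:
            reasons.append(f"terminated {len(kills[pid])} targeted apps: {sorted(kills[pid])}")
        if renames[pid] >= RENAME_THRESHOLD:
            reasons.append(f"renamed {renames[pid]} files to {LILITH_EXT}")
        if reasons:
            alerts[pid] = reasons
    return alerts

# Constructed sample telemetry: pid 4242 behaves like Lilith, pid 1000 is benign.
SAMPLE_EVENTS = [
    {"type": "process_terminate", "pid": 4242, "target_image": "Outlook.exe"},
    {"type": "process_terminate", "pid": 4242, "target_image": "firefox.exe"},
    {"type": "process_terminate", "pid": 4242, "target_image": "thunderbird.exe"},
    {"type": "process_terminate", "pid": 1000, "target_image": "notepad.exe"},
] + [{"type": "file_rename", "pid": 4242,
      "new_path": f"C:\\Users\\a\\Documents\\f{i}.docx.lilith"} for i in range(6)]

if __name__ == "__main__":
    for pid, reasons in detect_lilith_activity(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Either condition alone raises an alert, so a process that only reaches the rename threshold (for instance one that skips the process-kill stage) is still flagged.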
Lilith is a new ransomware family that could become a large-scale threat or a RaaS infrastructure in the near future. Organizations are advised to stay vigilant and put adequate security measures in place, such as encrypting important data and deploying reliable anti-malware solutions. Do you know about threat intel platforms? They can be of great help too.