
The ‘Lilith’ ransomware campaign has only begun, and it has already placed its first victim on a data leak website designed to facilitate double-extortion attempts.

Lilith, a C/C++ console-based ransomware targeting 64-bit versions of Windows, was discovered by JAMESWT. Like the majority of ransomware operations debuting today, Lilith conducts double-extortion attacks, in which threat actors steal data before encrypting devices.

Researchers at Cyble who studied Lilith have reported that the new family doesn’t introduce anything novel. But coupled with the more recent threats RedAlert and 0mega, it’s one to be on the lookout for right now.

About Lilith

When Lilith is run, it tries to kill any processes that match any of the items on a hardcoded list, which includes Firefox, Thunderbird, PowerPoint, WordPad, Outlook, SQL, and more.

This frees valuable files for encryption by releasing them from applications that may currently have them open. Lilith creates ransom notes and places them in each of the enumerated folders before the encryption procedure begins.

The ransomware actors threaten to expose the victims’ private data if they don’t get in touch with them on the supplied Tox chat address within three days.

Lilith’s ransom note (Cyble)

EXE, DLL, and SYS file types are not subject to encryption; additionally, Program Files, web browsers, and the Recycle Bin folder are not affected.

It’s interesting to note that Lilith also has an exclusion for “ecdh_pub_k.bin,” which is where BABUK ransomware outbreaks store their local public key.


Exclusion list including BABUK’s key (Cyble)

This could be a holdover from duplicated code, suggesting a connection between the two ransomware strains.

Finally, the random key is generated with Windows’ CryptGenRandom function, and the encryption itself is performed through the Windows cryptography API.

The ransomware’s encryption routine (Cyble)

When encrypting files, the ransomware adds the “.lilith” file extension, as displayed below.
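As an added illustration (not code from the Cyble write-up or from the ransomware itself), the following Python sketches how a defender could triage the two behaviours documented above, the termination of listed applications and the mass rename of files to the .lilith extension, over endpoint telemetry. The process image names, the event tuple format and the sample events are all constructed assumptions.

```python
"""Heuristic triage for Lilith-style activity over endpoint file/process events."""
from collections import defaultdict
import ntpath

# Indicators from the reporting above. The process image names are an
# assumption about how the listed applications appear in telemetry.
LILITH_EXT = ".lilith"
TARGETED_PROCS = {"firefox.exe", "thunderbird.exe", "powerpnt.exe",
                  "wordpad.exe", "outlook.exe", "sqlservr.exe"}

# Constructed sample telemetry, not real logs: (event, subject) tuples.
# Renames carry "source|destination" so the new extension can be inspected.
SAMPLE_EVENTS = [
    ("proc_terminate", "outlook.exe"),
    ("proc_terminate", "sqlservr.exe"),
    ("file_rename", r"C:\Users\alice\Documents\q3.xlsx|C:\Users\alice\Documents\q3.xlsx.lilith"),
    ("file_rename", r"C:\Users\alice\Documents\plan.docx|C:\Users\alice\Documents\plan.docx.lilith"),
    ("file_rename", r"C:\Shares\hr\payroll.csv|C:\Shares\hr\payroll.csv.lilith"),
    ("file_rename", r"C:\Shares\hr\old.bak|C:\Shares\hr\old.bak.lilith"),
    ("file_rename", r"C:\Users\alice\Desktop\notes.txt|C:\Users\alice\Desktop\notes.txt.lilith"),
    ("file_rename", r"C:\Temp\a.log|C:\Temp\a.tmp"),   # benign rename, ignored
    ("proc_terminate", "notepad.exe"),                 # not on the hardcoded list
]

def analyze(events, min_renames=3):
    """Summarise Lilith-style indicators and return a verdict.

    The result lists the terminated target processes, the number of files
    renamed to the .lilith extension, the directories affected (useful when
    scoping restoration) and whether the activity crosses the alert threshold.
    """
    killed = set()
    renamed = 0
    dirs = defaultdict(int)
    for kind, subject in events:
        if kind == "proc_terminate" and subject.lower() in TARGETED_PROCS:
            killed.add(subject.lower())
        elif kind == "file_rename":
            _src, dst = subject.split("|", 1)
            if dst.lower().endswith(LILITH_EXT):
                renamed += 1
                dirs[ntpath.dirname(dst)] += 1
    # Require both signals: listed applications killed AND a burst of renames.
    alert = bool(killed) and renamed >= min_renames
    return {"killed": sorted(killed), "renamed": renamed,
            "directories": dict(dirs), "alert": alert}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```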

What to expect

Although it’s too soon to say whether Lilith will become a significant threat or a successful RaaS programme, analysts should keep an eye on it.

Its first victim, a sizable construction company with headquarters in South America, has now been taken down from the extortion site.

This suggests that Lilith’s operators are already aware of the political minefields they must negotiate in order to avoid being singled out by law enforcement and that Lilith may be interested in big-game hunting.

Since most of these innovative ransomware ventures are simply rebranded versions of more established programmes, their creators usually have a deep understanding of the nuances of the industry.

Reference: https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/