Chris Swagler | July 19th, 2022

A new ransomware operation called “Lilith” has launched and has already posted its first victim on a data leak site built to support double-extortion attacks. Discovered by JAMESWT, Lilith is a C/C++ console-based ransomware that targets 64-bit versions of Windows. Like many ransomware operations launching today, Lilith conducts double-extortion attacks, in which the threat actors steal data before encrypting devices. Researchers who analyzed Lilith reported that the new family introduces nothing novel, but alongside the recently emerged RedAlert and Omega threats, it is one to watch.

Lilith, a folk character whose name is sometimes translated as ‘night monster’ and who is known for her demonic persona, is a fitting name for the malicious nature of the ransomware and its operators. When executed, Lilith attempts to kill any running processes that match entries on a hardcoded list, including Firefox, Thunderbird, PowerPoint, WordPad, Outlook, and SQL. Killing these applications releases the locks they hold on valuable files so that those files can be encrypted. Lilith creates ransom notes and drops them in all the enumerated folders before it begins encrypting.

The ransomware operators threaten to publish the victim’s stolen data if the victim does not contact them at the provided Tox chat address within three days. EXE, DLL, and SYS file types are excluded from encryption, as are the Program Files, web browser, and Recycle Bin folders. Interestingly, Lilith also has an exclusion for ‘ecdh_pub_k.bin,’ the file in which BABUK ransomware infections store their local public key.

This may be a holdover from copied code, suggesting a connection between the two ransomware strains. Encryption is performed through the Windows cryptographic API, with the random key generated by Windows’ CryptGenRandom function. Encrypted files receive the “.lilith” extension. Lilith’s first victim, a large construction company in South America, has since been removed from the extortion site. This suggests that Lilith’s operators already understand the political terrain they must navigate to avoid drawing law enforcement attention, and that they may be interested in big-game hunting; many new ransomware projects are rebrands of older programs run by operators who understand the nuances of the business.
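The three behaviours described above (kill-list process terminations, a ransom note dropped in every enumerated folder, and files renamed with the “.lilith” extension) are exactly the kind of observables an endpoint detection rule can correlate. The following is an added example written for this article, not code from the page or from the Lilith analysis it summarizes. It parses constructed, Sysmon-like JSON events (the field names “type”, “image” and “target” are this example's own convention, as are the executable names chosen to represent the listed applications, with SQL represented by the SQL Server service binary) and flags a process when all three observables coincide. The page does not give the ransom note's filename, so it is an assumed value passed in by the caller.

```python
"""Behavioural detection for the Lilith activity described on this page.

Added example: not code from the page or from the Lilith analysis it
summarises. Consumes constructed, Sysmon-like JSON events (field names
"type", "image" and "target" are this example's own convention) and
reports a process as Lilith-like when three observables coincide:
kill-list applications terminated, files renamed to ".lilith", and the
same ransom-note file dropped in several directories. The note filename
is an assumption supplied by the caller.
"""
import json
import ntpath
from collections import defaultdict

# Executable names assumed for the applications the page lists as killed
# by Lilith (SQL is represented by the SQL Server service binary).
KILL_LIST = {"firefox.exe", "thunderbird.exe", "powerpnt.exe",
             "wordpad.exe", "outlook.exe", "sqlservr.exe"}
ENCRYPTED_EXT = ".lilith"


def analyse(events, note_name, min_kills=2, min_renames=3, min_note_dirs=2):
    """Summarise Lilith-like behaviour per acting process image.

    Kills are counted host-wide, because termination events normally do not
    record which process did the killing; renames and note drops are
    attributed to the process image that performed them.
    """
    killed = set()
    renames = defaultdict(int)      # acting image -> count of ".lilith" renames
    note_dirs = defaultdict(set)    # acting image -> directories that got the note
    want_note = note_name.lower()

    for line in events:
        ev = json.loads(line)
        kind = ev.get("type")
        image = ntpath.basename(ev.get("image", "")).lower()
        target = ev.get("target", "")
        tname = ntpath.basename(target).lower()
        if kind == "ProcessTerminate" and image in KILL_LIST:
            killed.add(image)
        elif kind == "FileRename" and tname.endswith(ENCRYPTED_EXT):
            renames[image] += 1
        elif kind == "FileCreate" and tname == want_note:
            note_dirs[image].add(ntpath.dirname(target).lower())

    findings = {}
    for image in set(renames) | set(note_dirs):
        n_ren, n_dirs = renames[image], len(note_dirs[image])
        findings[image] = {
            "killed": sorted(killed),
            "renames": n_ren,
            "note_dirs": n_dirs,
            "alert": (len(killed) >= min_kills and n_ren >= min_renames
                      and n_dirs >= min_note_dirs),
        }
    return findings


def _ev(kind, image, target=None):
    """Build one constructed log line in the example's JSON convention."""
    ev = {"type": kind, "image": image}
    if target is not None:
        ev["target"] = target
    return json.dumps(ev)


# Constructed sample telemetry (not real logs): two kill-list terminations,
# a note dropped in two folders, three files renamed to ".lilith", plus
# unrelated benign events that must not trigger anything.
NOTE = "Restore_Your_Files.txt"   # assumed name; take it from your own sample
ENC = r"C:\Users\bob\AppData\Local\Temp\enc.exe"
SAMPLE_LOG = [
    _ev("ProcessTerminate", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    _ev("ProcessTerminate", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    _ev("FileCreate", ENC, r"C:\Users\bob\Documents\Restore_Your_Files.txt"),
    _ev("FileCreate", ENC, r"C:\Users\bob\Desktop\Restore_Your_Files.txt"),
    _ev("FileRename", ENC, r"C:\Users\bob\Documents\q3-forecast.xlsx.lilith"),
    _ev("FileRename", ENC, r"C:\Users\bob\Documents\contract.docx.lilith"),
    _ev("FileRename", ENC, r"C:\Users\bob\Desktop\notes.txt.lilith"),
    _ev("FileRename", r"C:\Windows\explorer.exe", r"C:\Users\bob\Desktop\draft-v2.docx"),
    _ev("FileCreate", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\cab_1234.log"),
]


if __name__ == "__main__":
    for image, f in analyse(SAMPLE_LOG, NOTE).items():
        print(f"{image}: alert={f['alert']} renames={f['renames']} "
              f"note_dirs={f['note_dirs']} killed={f['killed']}")
```

Requiring all three observables, rather than the “.lilith” rename alone, keeps a single stray file from paging the SOC, while the thresholds stay low enough to fire within the first handful of encrypted files. In production the kill-list evidence should additionally be bounded to a short time window before the first rename, since Lilith kills, drops notes, and only then encrypts.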

Although it is too soon to say whether Lilith will become a significant threat or a successful RaaS program, analysts should keep an eye on it. Companies should also stay current on the threat landscape and keep regular backups of network data off-site. At SpearTip, our certified engineers work in a continuous investigative cycle, monitoring companies’ networks and standing ready to respond to events at a moment’s notice. SpearTip’s remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating the ransomware, and recovering business-critical assets. The ShadowSpear Platform, our endpoint detection and response tool, detects sophisticated unknown and advanced ransomware threats and provides comprehensive insights through visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.