A new ransomware operation has been On The Rise under the name ‘Lilith,’ and it has already listed its first victim on a data leak site created to support double-extortion attacks.

Ransomware operators now have another new tool at their disposal, named Lilith Ransomware. This threat can affect many file types and render them completely unusable.

What is Lilith ransomware?

Lilith is C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortions attacks, which is when the threat actors steal data before encrypting devices.

When we executed a sample of Lilith on our testing machine, it encrypted files and appended their filenames with a “.lilith” extension. For example, a file originally titled “1.jpg” appeared as “1.jpg.lilith“, “2.png” as “2.png.lilith“, etc. Afterward, a ransom-demanding message named “Restore_Your_Files.txt” – was created on the desktop.

According to a blog published by security researchers at Cyble who analyzed Lilith, the new family doesn’t introduce any novelties. However, it’s one of the latest threats to watch out for, along with RedAlert which also recently emerged.

Before the encryption process is initiated, Lilith creates and drops ransom notes on all the enumerated folders.

Lilith’s ransom note states that the files have been encrypted and sensitive data was stolen. Victims are given three days to start negotiating with the attackers for the decryption software’s price. After the deadline ends, cyber criminals threaten to begin leaking the exfiltrated data.

Upon execution, Lilith ransomware initially searches for a list of hardcoded processes in the file and terminates its execution if any of them are running on the target’s machine. This step ensures that these processes do not block access to the files to be encrypted.

The file types excluded from encryption are EXE, DLL, and SYS, while Program Files, web browsers, and the Recycle Bin folders are also bypassed.

Interestingly, Lilith also contains an exclusion for ‘ecdh_pub_k.bin,‘ which stores the local public key of BABUK ransomware infections. 

Based on our experience we can conclude that decryption is rarely viable without the attackers’ interference.

Despite meeting the ransom demands – victims frequently do not receive the decryption keys/software. Hence, we strongly advise against paying and thus supporting this criminal activity.

Its first victim, which has been removed from the extortion site was a large construction group based in South America.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

• Conduct regular backup practices and keep those backups offline or in a separate network.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

• Detach infected devices on the same network.
• Disconnect external storage devices if connected.
• Inspect system logs for suspicious events.

Impacts And Cruciality of Ransomware

• Loss of Valuable data.
• Loss of the organization’s reputation and integrity.
• Loss of the organization’s sensitive business information.
• Disruption in organization operation.
• Financial loss.

We strongly advise following the above steps. Additionally, all programs have to be activated and updated using functions/tools provided by genuine developers, as illegal activation (“cracking”) tools and fake updaters may contain malware.