Researchers Discover New Lilith Ransomware

Share post:

A new ransomware operation has been launched under the name “Lilith.” The ransomware was discovered by JAMESWT. Lilith is a C/C++ console-based ransomware designed for 64-bit versions of Windows. The ransomware operation engage in double extortion attacks.

The analysis of Cyble researchers shows that before encryption process is initiated, Lilith creates and drops ransom notes on all the enumerated folders. The note threatens victims with public data exposure and gives them three days to contact the ransomware operators.

Once executed, Lilith will attempt to terminate processes that match entries on a hard-coded list, including Outlook, SQL, Thunderbird, Steam, PowerPoint, WordPad, Firefox, and more. Doing this free up valuable files from applications they are now likely to use, making them available for encryption.

Files excluded from encryption include EXE, DLL and SYS. Program files, web browsers and the folders in the recycle bin are also bypassed.

The researchers also noted that Lilith contains an exclusion for “ecdh_pub _k.bin,” which stores the local public key for BABUK ransomware infections. According to researchers, this could be a leftover from copied code, which could be an indication of a connection between the two ransomware strains.

The ransomware appends the “.lilith” file extension when files are encrypted, and the encryption takes place via the cryptographic API of Windows. The CryptoGenRandom function of Windows generates the random key.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

North Korean Job Scam Targeting IT Job Seekers

North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software...

Hackers Exploit FastHTTP in High-Speed Microsoft 365 Attacks

Threat actors are employing the FastHTTP Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts...

YouTubers Targeted As Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

Attackers have found a new way to infect people seeking pirated or cracked software: planting malicious download links...

New macOS Malware Exploits Apple’s Security Features to Stay Hidden and Steal User Data

A newly discovered variant of the Banshee macOS Stealer malware is putting 100 million Apple users at risk...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways