Discovered by malware hunter JAMESWT on Twitter, Lilith is ransomware designed to lock Windows machines. The malware exfiltrates data before encrypting the targeted devices to provide additional means of extortion.
The ransom note contains the following ultimatum and instructions:
Victims have three days to contact the threat actors on a hidden Onion website to pay the ransom. While Lilith does not introduce any innovative approach, according to Cyble, it clearly shows a trend in the current ransomware landscape.
The hackers posted their first victim on a data leak site before removing the publication later. The victim was a large construction group based in South America, which suggests that the hackers are aiming high – and may also be sensitive to any potential backlash from countries or law enforcement.
Cyble warned companies about a new “wave of ransomware campaigns” involving groups like RedAlert, Lilith and 0mega, focusing on Lilith in depth.
How Lilith Ransomware Operates
Lilith is written in C/C++ and targets 64-bit Windows systems. The malware uses a custom “.lilith” extension to rename encrypted files.
According to Cyble, “The ransomware searches for files to encrypt on the local system by enumerating the file directories […] It ignores the file extensions such as EXE, DLL, and SYS and excludes a list of directory and file names from the encryption process.”
Cyble adds that “upon execution, Lilith ransomware initially searches for a list of hardcoded processes in the file and terminates its execution if any of them are running on the target’s machine.”
That way, the ransomware significantly increases its chances of success. The files themselves are encrypted using the local Windows cryptographic APIs, with random keys generated on the fly.
The researchers found artifacts in the code base that point to the BABUK ransomware, as Lilith excludes “ecdh_pub_k.bin,” the public key used by BABUK, which could be a link between the two campaigns.
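The behaviour described above gives defenders two concrete signals: a burst of files being renamed to the “.lilith” extension, and the fact that EXE, DLL and SYS files are left alone. The following script is an added example, not code from the article or from Cyble: it runs over a few constructed file-rename log lines (the `<timestamp> <host> RENAME <old> -> <new>` format is an assumption, as is the choice of threshold and time window) and flags hosts that rename many files to “.lilith” in a short window, the pattern a security team would want an alert on.

```python
"""Added example (not from the article or Cyble): spot a burst of renames to the
".lilith" extension in file-activity logs and scope the affected files."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LILITH_EXT = ".lilith"  # extension reported in the article

# Log format is an assumption for this example: "<ISO timestamp> <host> RENAME <old> -> <new>"
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

# Constructed sample log lines, not real telemetry. ws-01 shows a burst, ws-02 is a
# benign rename, ws-03 renames a single file (below the alert threshold).
SAMPLE_LOG = """\
2022-07-12T09:00:01 ws-01 RENAME C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.lilith
2022-07-12T09:00:01 ws-01 RENAME C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.lilith
2022-07-12T09:00:02 ws-01 RENAME C:\\Users\\a\\Pictures\\img1.jpg -> C:\\Users\\a\\Pictures\\img1.jpg.lilith
2022-07-12T09:00:02 ws-01 RENAME C:\\Users\\a\\Pictures\\img2.jpg -> C:\\Users\\a\\Pictures\\img2.jpg.lilith
2022-07-12T09:00:03 ws-01 RENAME C:\\Users\\a\\Desktop\\notes.txt -> C:\\Users\\a\\Desktop\\notes.txt.lilith
2022-07-12T09:30:00 ws-02 RENAME C:\\Users\\b\\draft.docx -> C:\\Users\\b\\final.docx
2022-07-12T10:00:00 ws-03 RENAME C:\\Temp\\old.log -> C:\\Temp\\old.log.lilith
"""


def parse_renames(log_text):
    """Return (timestamp, host, old_path, new_path) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, old, new = m.groups()
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events


def lilith_renames(log_text):
    """Map host -> list of (timestamp, new_path) for renames that end in .lilith."""
    per_host = defaultdict(list)
    for ts, host, _old, new in parse_renames(log_text):
        if new.lower().endswith(LILITH_EXT):
            per_host[host].append((ts, new))
    return per_host


def flag_hosts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Hosts with at least `threshold` .lilith renames inside any `window` (sliding window).

    Threshold and window are assumptions for this example; tune them to the environment.
    """
    flagged = []
    for host, events in lilith_renames(log_text).items():
        stamps = sorted(ts for ts, _ in events)
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(host)
                break
    return sorted(flagged)


def original_name(encrypted_path):
    """Strip the .lilith suffix to recover the name a restored backup copy should take."""
    if encrypted_path.lower().endswith(LILITH_EXT):
        return encrypted_path[: -len(LILITH_EXT)]
    return encrypted_path


def rename_counts(log_text):
    """Per-host count of .lilith renames, useful for scoping which machines to isolate."""
    return {host: len(events) for host, events in lilith_renames(log_text).items()}


if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_LOG):
        print(f"ALERT: {host} shows a burst of {LILITH_EXT} renames; isolate and scope restore")
        for _ts, path in lilith_renames(SAMPLE_LOG)[host]:
            print(f"  restore {original_name(path)} from backup")
```

The sliding window matters more than the raw count: a single renamed file on a host (ws-03 above) is worth a look but not an automatic alert, while five in a few seconds is the encryption loop the article describes. Because the sample keeps the original name under the “.lilith” suffix, `original_name` gives the restore target straight from the log, which is the kind of documented recovery step the protection section below calls for.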
How to Protect Against Lilith Ransomware
Threat actors are aware that security teams are increasingly ready to fight, succeeding sometimes even before the deadline (see How One Company Survived a Ransomware Attack Without Paying the Ransom).
This double-extortion model is here to stay. Classic but efficient measures to prevent ransomware attacks are strongly recommended, but the key might be a tested recovery strategy and a continuity plan. Such an approach involves proper backups and documented procedures.
In addition, don’t forget to scan your backup files for infection. Because it is essential not to let Lilith spread across your network and devices, infected machines must be isolated.
Organizations should also leverage proper network segmentation. While the investments might be significant, the cost of ransomware attacks is usually high, and Lilith seems to target big companies.
One of the critical aspects of these attacks is obviously the ransom payment. Official recommendations by security agencies and governments will likely discourage the victims from paying any ransom. The reason is simple: there’s no guarantee you’ll get a working recovery key, regardless of what attackers might say.
You might get more damage with so-called decryptors that actually install other malware, and the attack could also escalate to include additional payment demands.
That’s not to blame companies that made that choice. The pressure might be overwhelming and the stakes too high to resist the temptation to pay the ransom. Being offline for an extended period of time can easily outweigh the ransom price.
However, another reason why it is not recommended to pay the ransom is that it could be illegal.
Companies should prepare for such bad events and ensure that paying the ransom won’t be used against them in court, as authorities might view it as encouraging cybercriminals or cyber terrorism.