A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks. The name comes from 'Lilith', the well-known female figure of Judaic mythology who was supposedly the primordial she-demon.
Lilith is C/C++ console-based ransomware discovered by malware hunter JAMESWT and designed for 64-bit versions of Windows. Among the ransomware operations currently active, Lilith is one that performs double-extortion attacks, in which the attackers steal data before encrypting devices.
In other words, Lilith is a data-targeting ransomware infection that makes the user's data unavailable in order to force the victim to pay a ransom. It generates a special key, unique to every computer it infects, that can unlock the files.
According to a report by researchers at Cyble who analysed Lilith, it is a crypto-virus that encrypts the files on a system's storage via a vulnerability in the IT environment. The attackers behind the infection then offer to decrypt the files in exchange for a ransom payment. They kidnap the data, so to speak, and extort the victim in order to release it again.
The blog said that the new family doesn't introduce any novelties. However, it is one of the latest threats to watch out for, along with RedAlert and 0mega, which also recently emerged. RedAlert encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks, while 0mega targets organisations worldwide in double-extortion attacks and demands millions of dollars in ransoms.
“Upon execution, Lilith attempts to terminate processes that match entries on a hardcoded list, including Outlook, SQL, Thunderbird, Steam, PowerPoint, WordPad, Firefox, and more. This frees up valuable files from applications that may be using them at the moment, thus making them available for encryption,” per a BleepingComputer report.
Before the encryption process is initiated, Lilith creates and drops ransom notes in all the enumerated folders. The notes give victims three days to contact the ransomware actors, which must be done using the Tox messenger in the Tor Browser. If victims are late in meeting these demands, the cybercriminals threaten to start leaking the collected data, supposedly to dark web resources.
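The two behaviours described above, a process terminating entries from a hardcoded kill list and then dropping an identically named note into many folders, form a detectable pre-encryption sequence. The following is an added example of that heuristic, not code from the article, Cyble or BleepingComputer; the executable names, event format and sample events are constructed assumptions.

```python
"""Heuristic detection of a Lilith-style pre-encryption sequence (added example)."""
from collections import defaultdict
import ntpath

# Executables corresponding to the applications the article says Lilith terminates.
# The exact image names Lilith matches are not given in the article; these are assumed.
KILL_LIST = {"outlook.exe", "sqlservr.exe", "thunderbird.exe", "steam.exe",
             "powerpnt.exe", "wordpad.exe", "firefox.exe"}

def score_events(events, kill_threshold=3, note_threshold=5):
    """events: dicts with keys ts, pid, type ('kill' | 'create') and target
    (image name for kills, full path for file creates). Returns {pid: reason}
    for every pid that killed >= kill_threshold listed apps and afterwards
    created a same-named file in >= note_threshold distinct folders."""
    kills = defaultdict(set)                       # pid -> listed apps killed
    notes = defaultdict(lambda: defaultdict(set))  # pid -> file name -> folders
    first_kill = {}                                # pid -> ts of first listed kill
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, target = ev["pid"], ev["target"].lower()
        if ev["type"] == "kill" and target in KILL_LIST:
            kills[pid].add(target)
            first_kill.setdefault(pid, ev["ts"])
        elif ev["type"] == "create" and pid in first_kill:
            # Only files created after the kill phase began count as note drops.
            folder, name = ntpath.split(target)
            notes[pid][name].add(folder)
    alerts = {}
    for pid, killed in kills.items():
        if len(killed) < kill_threshold:
            continue
        for name, folders in notes[pid].items():
            if len(folders) >= note_threshold:
                alerts[pid] = (f"killed {len(killed)} listed apps, dropped "
                               f"{name!r} in {len(folders)} folders")
    return alerts

# Constructed sample telemetry (not real events): pid 4242 follows the Lilith
# pattern; pid 999 merely closes two applications and drops nothing, so it is
# not flagged. The note file name is a placeholder, not Lilith's actual note.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4242, "type": "kill", "target": "OUTLOOK.EXE"},
    {"ts": 2, "pid": 4242, "type": "kill", "target": "sqlservr.exe"},
    {"ts": 3, "pid": 4242, "type": "kill", "target": "thunderbird.exe"},
    {"ts": 4, "pid": 4242, "type": "kill", "target": "firefox.exe"},
    {"ts": 5, "pid": 999, "type": "kill", "target": "steam.exe"},
    {"ts": 6, "pid": 999, "type": "kill", "target": "wordpad.exe"},
] + [
    {"ts": 10 + i, "pid": 4242, "type": "create",
     "target": rf"C:\Users\alice\{d}\ransom_note_example.txt"}
    for i, d in enumerate(["Documents", "Pictures", "Desktop", "Music", "Videos"])
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
```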
Although the price of decryption is calculated on an individual basis, depending on how much valuable data has been encrypted, it may still be quite high given ransomware's tendency to target business organisations, the blog said.
Rather than negotiating with the criminals, security researchers have warned users to immediately disconnect all systems and storage from the network and disable Wi-Fi and Bluetooth on all computers to stop the spread of Lilith.