Lilith Ransomware

Three new ransomware strains have recently emerged: Lilith, RedAlert, and 0mega. This article covers Lilith; RedAlert and 0mega will be detailed in the next article.

Lilith is a C/C++ program built for 64-bit Windows. It encrypts files, appends the ".lilith" extension to each one, and drops ransom notes across the system. Its operators also practise double extortion, threatening to publish data stolen before encryption. When the malware runs on the victim's machine, it terminates running processes that match a hard-coded list, so that files those programs hold open can still be opened for encryption. The list targets applications such as Outlook, Thunderbird, Firefox, SQL server processes, and Steam.

To take control of the targeted services and stop them, the ransomware calls the Windows Service Control Manager APIs: it opens the SCM database, opens each service and sends it a stop control. It then enumerates every drive and folder on the machine to build the list of files to encrypt.
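The kill list and the exclusion list described above are the quickest static indicators to look for when triaging a suspected Lilith sample. The following script is an added example, not code from Cyble or from the malware: it pulls printable ASCII and UTF-16LE strings out of a byte buffer (Windows binaries store many strings in the wide form) and reports which of the indicators named in this write-up are present. SAMPLE is a constructed buffer, not a real binary, and the exact spelling of the process names inside the binary is an assumption.

```python
"""Added triage example: extract narrow and wide strings from a sample and
flag the Lilith indicators described in the article (kill-list targets,
the ".lilith" extension and Babuk's ecdh_pub_k.bin). SAMPLE is constructed."""
import re

# Targets named in the article; the exact process-name strings inside a
# real binary are an assumption (matched as substrings, case-insensitive).
KILL_LIST_HINTS = ("outlook", "thunderbird", "firefox", "sql", "steam")
FILE_MARKERS = (".lilith", "ecdh_pub_k.bin")  # extension and Babuk key file (figure 2)

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")            # 5+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")     # 5+ UTF-16LE printable chars


def extract_strings(data: bytes):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE string."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def triage(data: bytes):
    """Summarise which indicators from the article appear in the sample."""
    strings = extract_strings(data)
    lowered = [s.lower() for _, _, s in strings]
    kill = sorted({h for s in lowered for h in KILL_LIST_HINTS if h in s})
    markers = sorted({mk for s in lowered for mk in FILE_MARKERS if mk in s})
    return {"kill_list_hits": kill, "file_markers": markers, "string_count": len(strings)}


# Constructed stand-in for a sample: wide strings for the kill list, narrow
# strings for the appended extension and the excluded Babuk key file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "outlook.exe".encode("utf-16-le") + b"\x00\x00"
    + "thunderbird.exe".encode("utf-16-le") + b"\x00\x00"
    + "sqlservr.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8 + b".lilith\x00" + b"ecdh_pub_k.bin\x00" + b"\xff" * 8
)

if __name__ == "__main__":
    for off, enc, s in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:5} {s}")
    print(triage(SAMPLE))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; packed or encrypted samples will show nothing until unpacked, so an empty result is not a clean bill of health.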

The malware writes ransom notes into the folders it visits before the encryption process begins. The note gives the victim 72 hours to contact the operators and open payment negotiations, as shown in figure 1.


Figure 1 Lilith's ransom note (Cyble)

The files are then encrypted with the Windows cryptographic API using a locally generated random key. As figure 2 shows, the encryptor skips all EXE, DLL and SYS files together with a set of folders and filenames. One of the excluded filenames is the local public key file that Babuk ransomware writes and later needs for decryption, an artefact that suggests Lilith's developers drew on Babuk code.


Figure 2 Exclusion list including BABUK's key (Cyble)

Figure 3 shows the encryption routine, which uses the Windows cryptographic API; the random key is produced by CryptGenRandom.


Figure 3 Lilith's encryption routine (Cyble)
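The order of operations described above (note dropped per folder, exclusion list applied, random key generated, ".lilith" appended) is what a responder needs to model to predict what a run would leave behind. The following is an added dry-run example, not code from Cyble or from the malware: it walks a constructed in-memory file tree and records the operations an exclusion-list encryptor of this kind would perform, without encrypting anything. The EXE/DLL/SYS extensions and the Babuk key filename come from the article; the two excluded folder names, the note filename and the 32-byte key length are assumptions, since the article does not give them. It also shows why renaming a backup to a skipped extension (files.backup.exe below) keeps it out of the encryptor's path.

```python
"""Added dry-run example (not Cyble's or the malware's code): record what an
exclusion-list encryptor with Lilith's rules would do to a constructed tree.
Nothing is written or encrypted."""
import os
import posixpath
from collections import defaultdict

SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys"}   # stated in the article
SKIPPED_FILENAMES = {"ecdh_pub_k.bin"}           # Babuk's local public key file (figure 2)
SKIPPED_FOLDERS = {"windows", "program files"}   # assumed; the article names no folders
NOTE_NAME = "RANSOM_NOTE.txt"                    # assumed; the real note name is not given here
APPENDED_EXTENSION = ".lilith"
KEY_BYTES = 32                                   # assumed key length


def folder_excluded(directory: str) -> bool:
    """True when any path component is on the folder exclusion list."""
    return any(part in SKIPPED_FOLDERS for part in directory.lower().split("/"))


def skip_reason(path: str):
    """Return why a file would be skipped, or None if it would be encrypted."""
    name = posixpath.basename(path).lower()
    if name in SKIPPED_FILENAMES:
        return "filename"
    if posixpath.splitext(name)[1] in SKIPPED_EXTENSIONS:
        return "extension"
    return None


def new_file_key(nbytes: int = KEY_BYTES) -> bytes:
    """Per-file random key; os.urandom stands in for CryptGenRandom on Windows."""
    return os.urandom(nbytes)


def dry_run(paths):
    """Return the ordered operations: ('skip', path, reason), ('note', path)
    or ('encrypt', old_path, new_path, key_length)."""
    by_dir = defaultdict(list)
    for p in sorted(paths):
        by_dir[posixpath.dirname(p)].append(p)
    ops = []
    for directory in sorted(by_dir):
        if folder_excluded(directory):
            ops.append(("skip", directory, "folder"))
            continue
        ops.append(("note", posixpath.join(directory, NOTE_NAME)))  # note first
        for p in by_dir[directory]:
            reason = skip_reason(p)
            if reason:
                ops.append(("skip", p, reason))
            else:
                ops.append(("encrypt", p, p + APPENDED_EXTENSION, len(new_file_key())))
    return ops


SAMPLE_TREE = [  # constructed
    "C:/Users/bob/Documents/report.docx",
    "C:/Users/bob/Documents/files.backup",
    "C:/Users/bob/Documents/files.backup.exe",
    "C:/Users/bob/Documents/ecdh_pub_k.bin",
    "C:/Windows/System32/ntoskrnl.exe",
    "C:/Windows/System32/drivers/disk.sys",
    "C:/Data/db/customers.sql",
]

if __name__ == "__main__":
    for op in dry_run(SAMPLE_TREE):
        print(op)
```

Note that the SQL entry in the kill list is about processes, not files: customers.sql above is encrypted like any other data file, which is exactly why the database service is stopped first.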

While encrypting files, the ransomware appends the ".lilith" extension to each one, as seen in figure 4.


Figure 4 Files encrypted by the Lilith ransomware (Cyble)

The note also contains the Tor address of the group's data leak site (DLS), where the operators threaten to publish the stolen data if the ransom is not paid. RedAlert and 0mega, two other relatively new ransomware families, are meanwhile being used in a growing number of attacks.

RedAlert has recently targeted Linux VMware ESXi servers: it stops running virtual machines and encrypts their associated files. It accepts payment only in Monero, supports several pre-encryption command-line options, and must be launched manually by the operator. 0mega uses the same double-extortion model, but no indicators of compromise for it have been published yet.

How to ensure you don’t get breached

Analysts are advised to keep an eye on Lilith, because it is not yet clear whether it will become a significant threat or a successful RaaS programme. Its first listed victim, a construction company headquartered in South America, has since been removed from the extortion site.

That removal suggests Lilith's operators already understand the political minefield they must navigate to avoid attracting law-enforcement attention. The choice of victim also suggests an interest in big-game hunting. Most of these new ransomware operations are rebranded versions of existing programs, so their developers typically have a thorough understanding of how the industry works.

Organizations can also harden their endpoints against ransomware in several ways, including:

1. Since this encryptor, like many others, skips EXE, DLL and SYS files, renaming important files such as local backups to one of those extensions (for example files.backup to files.exe) will cause it to pass over them. Treat this as a cheap extra layer only: it works against families that use an exclusion list like this one, an operator can change the list at any time, and it does nothing for data that is stolen before encryption, so offline, tested backups remain essential.

2. Use an endpoint security solution such as SentinelOne that offers detection, response and rollback capabilities.

3. Keep the operating system and applications up to date.

4. Blocking web page redirects in the browser reduces exposure to rogue sites and malicious links.

5. Avoid installing pirated software on your endpoints.
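Beyond prevention, the most reliable early signal for this family is the rename pattern itself: many files gaining the ".lilith" extension from a single process in a short time. The following is an added detection example, not something from the article or from Cyble: it scans file-rename events for a known ransomware extension and, more generally, for a rename burst by one process, which also catches a family whose extension is not yet on the list. The event lines are constructed and their format is assumed; the burst thresholds are assumptions to tune for your environment.

```python
"""Added detection example (not from the article or Cyble): flag renames to
a known ransomware extension and rename bursts by one process over constructed
file-rename events."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = {".lilith"}        # from the article; extend as new families appear
BURST_COUNT = 5                        # assumed threshold: renames by one pid ...
BURST_WINDOW = timedelta(seconds=10)   # ... within this window raise a generic alert

# Constructed rename events in an assumed format: "<ISO time> pid=<n> <old> -> <new>"
EVENTS = r"""
2022-07-12T10:00:01 pid=4120 C:\Users\bob\Documents\q2.xlsx -> C:\Users\bob\Documents\q2.xlsx.lilith
2022-07-12T10:00:01 pid=4120 C:\Users\bob\Documents\plan.docx -> C:\Users\bob\Documents\plan.docx.lilith
2022-07-12T10:00:02 pid=4120 C:\Users\bob\Pictures\a.jpg -> C:\Users\bob\Pictures\a.jpg.lilith
2022-07-12T10:00:02 pid=4120 C:\Users\bob\Pictures\b.jpg -> C:\Users\bob\Pictures\b.jpg.lilith
2022-07-12T10:00:03 pid=4120 C:\Users\bob\Pictures\c.jpg -> C:\Users\bob\Pictures\c.jpg.lilith
2022-07-12T10:00:05 pid=988 C:\Users\bob\Downloads\setup.tmp -> C:\Users\bob\Downloads\setup.exe
2022-07-12T10:05:00 pid=2210 C:\Users\bob\notes.txt -> C:\Users\bob\notes.old
"""


def parse_event(line: str):
    """Split one event line into (timestamp, pid, old_path, new_path)."""
    ts, pid, rest = line.split(" ", 2)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), int(pid.split("=", 1)[1]), old, new


def detect(text: str):
    """Return alerts: ('known_extension', pid, new_path) for each hit, then
    ('rename_burst', pid, count) once per process that exceeds the threshold."""
    alerts = []
    rename_times = defaultdict(list)
    for raw in text.strip().splitlines():
        ts, pid, _old, new = parse_event(raw)
        # ntpath handles the Windows paths regardless of the analysis host's OS
        if ntpath.splitext(new)[1].lower() in RANSOM_EXTENSIONS:
            alerts.append(("known_extension", pid, new))
        rename_times[pid].append(ts)
    for pid, times in rename_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 >= BURST_COUNT:
                alerts.append(("rename_burst", pid, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The extension match is a high-fidelity indicator for this family; the burst rule is the one that keeps working after a rebrand, and the process it names is the one to isolate and pull memory from first.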

For more advanced Ransomware protection and mitigation techniques contact us at [email protected]

More articles by Esentry