Executive Summary
Cyble recently reported on Lilith Ransomware, which appends the .lilith extension to encrypted files.
Key Takeaways
Prior to encrypting a victim’s files, Lilith drops the ransom note Restore_Your_Files.txt in folders targeted for encryption. The ransom note uses double extortion tactics, with the threat actors threatening to leak stolen data if the ransom is not paid. Victims are given three days to negotiate a ransom price.
Lilith searches for files to encrypt by enumerating directories with FindFirstFileW() and FindNextFileW(). It skips certain file extensions, such as EXE, DLL, and SYS, and Cyble noted that it also skips the file ecdh_pub_k.bin, which contains the local public key used by Babuk ransomware. For encryption, Lilith calls the Windows cryptographic APIs CryptAcquireContextW() and CryptGenRandom() exported by ADVAPI32.dll, and it appends the .lilith extension to each encrypted file.
IOCs
PolySwarm has a sample of Lilith.
f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5
You can use the following CLI command to search for all Lilith samples in our portal:
$ polyswarm link list -f Lilith
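As an added example (not code from the PolySwarm or Cyble reports), the following Python sweep checks a directory tree for the host-level indicators described above: files carrying the .lilith extension, the Restore_Your_Files.txt ransom note, and any file whose SHA-256 matches the sample hash listed in this report. The directory tree it scans is constructed in a temporary folder, and the function names are assumptions of this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the report above.
LILITH_EXTENSION = ".lilith"
RANSOM_NOTE_NAME = "Restore_Your_Files.txt"
KNOWN_SAMPLE_SHA256 = {
    "f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5",
}


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str) -> dict:
    """Walk `root` and collect three kinds of hits: encrypted files (by extension),
    dropped ransom notes (by name), and files matching the known sample hash."""
    hits = {"encrypted": [], "notes": [], "samples": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(LILITH_EXTENSION):
                hits["encrypted"].append(str(p))
            elif name == RANSOM_NOTE_NAME:
                hits["notes"].append(str(p))
            elif p.is_file() and sha256_of(p) in KNOWN_SAMPLE_SHA256:
                hits["samples"].append(str(p))
    return hits


def demo() -> dict:
    """Build a constructed (not real) victim-style tree and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "report.docx.lilith").write_bytes(b"\x00" * 16)  # constructed
        (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note")
        (docs / "notes.txt").write_text("harmless file")
        return sweep(tmp)


if __name__ == "__main__":
    print(demo())
```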