Ransomware - Lilith

Lilith
Decryptor Available
No
Description

Lilith is a ransomware family that appears to be associated with the Babuk ransomware group because it includes “ecdh_pub_k.bin,” the file that stores Babuk's local public key used for file decryption. It shares other characteristics that lead us to believe the authors used the Babuk builder that was leaked onto the Internet. For example, it uses the function "csprng" as part of encryption key generation, and it uses multithreading to make the encryption run extremely quickly. For these reasons, we believe the authors started from the Babuk ransomware and tweaked it to their needs, so we have denoted Babuk as the Lineage of Lilith.

In typical ransomware fashion, the name of the ransomware is derived from the file extension given to encrypted files: <filename>.lilith. The threat actor uses the popular end-to-end encrypted messaging app Tox Messenger for out-of-band, encrypted communications. They are known to have performed only one double extortion attempt, against a Brazilian construction conglomerate that also operates in other South American countries. We have listed the victim information, the sample hash we found and analyzed, and any other information we could find below.

Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Extortion Types
Direct Extortion
Double Extortion
Communication
Medium
Identifier
Tox
Encryption
Type
Hybrid
Files
ChaCha8
Key
ECDH
File Extension
<file name>.lilith
Ransom Note Name
Restore_Your_Files.txt
Ransom Note Image
Samples (SHA-256)
f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5
Known Victims
Industry Sector
Construction & Architecture
Country
Brazil
Extortion Date
Amount (USD)