BleepingComputer reports that a new ransomware operation, Lilith, has recently emerged alongside RedAlert and 0mega. Lilith has already listed its first victim, a South America-based construction group, on its data leak site.
Cyble researchers found that, on execution, Lilith attempts to terminate the processes named in a hardcoded list, freeing files those processes would otherwise hold open and so easing encryption. It then drops a ransom note in every folder it enumerates before encrypting. Encryption skips EXE, SYS and DLL files, as well as web browser, Program Files and Recycle Bin folders, according to the report.
Lilith also excludes a file holding the local public key used by Babuk ransomware, which may point to a link between the two strains. Files are encrypted with the Windows cryptographic API, with the random key material generated by the CryptGenRandom function.
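The two behaviours above, mass process termination followed by a ransom note written into every enumerated folder, are also the two most practical detection hooks. The script below is an added example written for this brief, not code from Cyble's report or from the ransomware itself; it runs two heuristics over a constructed stream of endpoint events (one process killing many distinct processes in a short window, and one process creating a file of the same name in many distinct directories). The process names, paths, note filename and thresholds are all assumptions chosen for illustration, not Lilith indicators.

```python
import posixpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since the start of the trace
    pid: int      # process performing the action
    kind: str     # "terminate" (target is a process name) or "create" (target is a file path)
    target: str


def _norm(path: str) -> str:
    # Windows paths are normalised to forward slashes so posixpath can split them on any host.
    return path.replace("\\", "/")


def detect_mass_terminate(events, min_targets=5, window=10.0):
    """Flag any pid that terminates >= min_targets distinct processes within `window` seconds."""
    by_pid = defaultdict(list)
    for e in events:
        if e.kind == "terminate":
            by_pid[e.pid].append(e)
    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):          # sliding window anchored on each kill
            names = {x.target.lower() for x in evs[i:] if x.ts - start.ts <= window}
            if len(names) >= min_targets:
                findings.append((pid, "mass_terminate", sorted(names)))
                break                            # one finding per pid is enough
    return findings


def detect_note_fanout(events, min_dirs=5, window=30.0):
    """Flag any pid that creates a file of one name in >= min_dirs distinct directories within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e.kind == "create":
            name = posixpath.basename(_norm(e.target)).lower()
            by_key[(e.pid, name)].append(e)
    findings = []
    for (pid, name), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            dirs = {posixpath.dirname(_norm(x.target)) for x in evs[i:] if x.ts - start.ts <= window}
            if len(dirs) >= min_dirs:
                findings.append((pid, "note_fanout", name, len(dirs)))
                break
    return findings


def triage(events):
    """Run both heuristics; a pid hit by both is a strong ransomware-execution signal."""
    return detect_mass_terminate(events) + detect_note_fanout(events)


# Constructed sample trace (assumption, not real telemetry): pid 4242 behaves like the
# ransomware described above, pid 1000 is ordinary user activity.
SAMPLE_EVENTS = [
    Event(0.0, 4242, "terminate", "sqlservr.exe"),
    Event(0.3, 4242, "terminate", "oracle.exe"),
    Event(0.5, 4242, "terminate", "outlook.exe"),
    Event(0.8, 4242, "terminate", "winword.exe"),
    Event(1.1, 4242, "terminate", "excel.exe"),
    Event(1.4, 4242, "terminate", "firefox.exe"),
    Event(2.0, 4242, "create", r"C:\Users\alice\Documents\HOW_TO_RECOVER.txt"),
    Event(2.1, 4242, "create", r"C:\Users\alice\Documents\Reports\HOW_TO_RECOVER.txt"),
    Event(2.2, 4242, "create", r"C:\Users\alice\Pictures\HOW_TO_RECOVER.txt"),
    Event(2.4, 4242, "create", r"C:\Users\alice\Desktop\HOW_TO_RECOVER.txt"),
    Event(2.6, 4242, "create", r"C:\Finance\2022\HOW_TO_RECOVER.txt"),
    Event(2.9, 4242, "create", r"C:\Finance\Archive\HOW_TO_RECOVER.txt"),
    Event(5.0, 1000, "terminate", "notepad.exe"),
    Event(6.0, 1000, "create", r"C:\Users\alice\Desktop\desktop.ini"),
    Event(7.0, 1000, "create", r"C:\Users\alice\Pictures\desktop.ini"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

File-create events of this shape are available from Sysmon Event ID 11; attributing a termination to the process that requested it needs EDR or ETW telemetry rather than the plain process-exit event. Tune the thresholds against your own baseline, since installers and backup agents can legitimately fan out files, though rarely in the same seconds they are killing database and office processes.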
Security analysts have been urged to monitor Lilith's activity, as its first victim suggests the operation is pursuing big-game hunting.