Lilith is a ransomware family that appears to be associated with the Babuk ransomware group, due to the inclusion of “ecdh_pub_k.bin,” the file in which Babuk stores the local public key used for file decryption. It also shares other characteristics that lead us to believe the authors used the Babuk builder that was leaked onto the Internet: for example, it uses the function “csprng” as part of encryption key generation, and it uses multithreading to make the encryption run extremely quickly. We therefore believe the authors started from the Babuk ransomware and tweaked it to their needs, and as such we have denoted Babuk as the Lineage of Lilith.
In typical ransomware fashion, the name of the ransomware is derived from the file extension given to encrypted files – <filename>.lilith. The threat actor uses the popular end-to-end encrypted messaging app Tox Messenger for out-of-band, encrypted communications. They are known to have performed only one double extortion attempt, against a Brazilian construction conglomerate that also operates in other South American countries. The victim information, the sample hash we found and analyzed, and any other information we could find are listed below.
Victim sector: Construction & Architecture