RedAlert, LILITH, and 0mega, 3 new ransomware in the wild

Cyble researchers warn of three new ransomware operations named Lilith, RedAlert and 0mega targeting organizations worldwide.

Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega.

RedAlert (aka N13V) targets both Windows and Linux VMWare ESXi servers of target organizations. The name RedAlert comes after a string with the same name in the ransom note. Unlike other ransomware operations, RedAlert only accepts ransom payments in Monero.

RedAlert is human-operated ransomware, the ransomware uses NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited types of files, including log files (.log), swap files(.vswp), virtual disks(.vmdk), snapshot files (.vmsn) and memory files(.vmem) of VMware ESXi virtual machines. It appends a  “.crypt[Random number]” extension to the filenames of encrypted files.

The Lilith ransomware is written in C/C++ and targets 64-bit Windows systems. The malware appends the “.lilith” extension to the filenames of encrypted files. The threat actors behind this operation adopt a double extortion model.

“Upon execution, Lilith ransomware initially searches for a list of hardcoded processes in the file and terminates its execution if any of them are running on the target’s machine. This step ensures that these processes do not block access to the files to be encrypted.” reads the analysis published by Cyble. “The ransomware searches for files to encrypt on the local system by enumerating the file directories using FindFirstFileW() and FindNextFileW() API functions. It ignores the file extensions such as EXE, DLL, and SYS and excludes a list of directory and file names from the encryption process.”

The Lilith ransomware encrypts files using a set of cryptographic APIs and a random key generated locally.

The 0mega ransomware is also targeting organizations worldwide using a double-extortion model.

The ransomware operation has been active at least since May 2022 and already claimed to have breached multiple organizations.

Victims of the ransomware reported that the malware adds the .0mega extension to the encrypted file’s names and creates for each victim a customized ransom note named DECRYPT-FILES.txt.

The operators behind this ransomware in some cases included in the ransom note details on how to disclose the attack to business partners and trade associations in case the victim will not pay the ransom.

Like other ransomware gangs, the operators use a payment negotiation site hosted on the Tor network.

Victims can contact the operators via the negotiation site by uploading the ransom note dropped on their systems, obviously, the note includes a unique identifier.

“Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs besides implementing the requisite security best practices and security controls. Ransomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost productivity. If the victim is unable or unwilling to pay the ransom, the TAs may leak or sell this data online, compromising sensitive user data for businesses and individuals and resulting in a loss of reputation for the affected organization(s).” concludes Cyble. “Throughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of this are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent threats.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]