Lilith is a newly discovered strain of ransomware. It does not appear to belong to any of the major ransomware families.
Lilith encrypts files on the systems it targets, scrambling their contents and renaming them. Affected files include media, document, archive and database file types. Once encrypted, a file has the ".lilith" extension appended after its original one, so a file formerly named "photo.jpg" becomes "photo.jpg.lilith".
The ransom note is dropped in a file named "Restore_Your_Files.txt", which is placed on the desktop. The note makes an extortion threat and claims that files were exfiltrated before encryption. Such double extortion tactics have more or less become the norm for ransomware in 2022.
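For responders scoping an affected machine, the two file-system artefacts described above (the appended ".lilith" extension and the "Restore_Your_Files.txt" note) can be inventoried with a short script. This is an added example, not code from the original write-up; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".lilith"           # extension appended per the write-up
NOTE_NAME = "restore_your_files.txt"   # ransom note name, compared case-insensitively


def triage(root):
    """Walk `root` and summarise Lilith artefacts found under it."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]  # e.g. photo.jpg
                encrypted.append((path, original))
                # The original extension survives the rename, so the impact
                # can be grouped by file type for restore planning.
                by_type[Path(original).suffix.lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_type": dict(by_type)}


def build_sample_tree(root):
    """Constructed sample data: a small fake profile of empty placeholder files."""
    for rel in ("Desktop/Restore_Your_Files.txt", "Pictures/photo.jpg.lilith",
                "Documents/report.docx.lilith", "Documents/db/orders.sqlite.lilith",
                "Documents/notes.txt", "Pictures/lilith.png"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print("ransom notes:", [str(n) for n in result["notes"]])
        for path, original in result["encrypted"]:
            print(f"encrypted: {path} (was {original})")
        print("by original type:", result["by_type"])
```

Run against a mounted image or a read-only copy of the user profile rather than the live disk, so that file timestamps are preserved for later forensics.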
The full text of the note is as follows:
All your important files have been encrypted and stolen!
Contact us for price and get decryption software.
You have 3 days to contact us for negotiation.
If you don't contact within three days, we'll start leaking data.
1) Contact our tox.
Tox download address: hxxps://tox.chat/
Our poison ID:
* Note that this server is available via Tor browser only
Follow the instructions to open the link:
1. Type the addres "hxxps://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open :
hxxp://[onion address string].onion