{
	"id": "27158202-07d4-4849-b426-f9c39e479900",
	"created_at": "2026-04-06T00:13:19.512906Z",
	"updated_at": "2026-04-10T03:21:38.420041Z",
	"deleted_at": null,
	"sha1_hash": "ec694b8e26248596bddf5f0d6617822b537d0201",
	"title": "New Ransomware Groups on the Rise: Key Trends and Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1667438,
	"plain_text": "New Ransomware Groups on the Rise: Key Trends and Threats\r\nBy cybleinc\r\nPublished: 2022-07-12 · Archived: 2026-04-05 22:36:36 UTC\r\nCyble analyzes new ransomware families spotted in the wild led by notable examples such as LILITH, RedAlert,\r\nand 0Mega.\r\n“RedAlert,” LILITH and 0mega leading a wave of Ransomware Campaigns\r\nRansomware is one of the most serious cybersecurity problems on the internet and possibly the most potent form\r\nof cybercrime plaguing organizations today. It has quickly become one of the most prominent and profitable types\r\nof malware for Threat Actors (TAs).\r\nIn a typical scenario, the ransomware infection starts with the TA gaining access to the target device. Depending\r\non the type of ransomware, it can infect the entire operating system or encrypts individual files. The TAs will then\r\ntypically demand payment from the victim for the decryption of their files.\r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nMultiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs\r\nfor monetary gains. A few of them include:\r\nRedAlert Ransomware\r\nRedAlert or N13V is a new ransomware strain that targets both Windows and Linux VMWare ESXi servers on\r\ncorporate networks. The ransomware stops all running virtual machines and encrypts any file related to virtual\r\nmachines, such as virtual disks. RedAlert Ransomware was named after a string with the same name in the\r\nhttps://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/\r\nPage 1 of 11\n\nransom note, but threat actors named their campaign “N13V. RedAlert only accepts ransom payments in Monero,\r\nwhich is rather atypical for ransomware groups.\r\nRedAlert ransomware has manual operations, which means TAs execute the ransomware after a complete takeover\r\nof the victim system. 
The ransomware binary provides various options to the TAs for performing pre-encryption\r\noperations such as stopping all virtual machines running on VMware ESXi, asymmetric cryptography\r\nperformance tests, etc.\r\nThe ransomware uses the NTRUEncrypt public key encryption algorithm for encryption. The ransomware only\r\ntargets log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem) of\r\nVMware ESXi virtual machines. After encryption, the ransomware appends a “.crypt[Random number]”\r\nextension to the file.\r\nThe figure below shows the leak site of RedAlert ransomware.\r\nFigure 1 – RedAlert Ransomware Leak Site\r\n0mega Ransomware\r\nAnother new ransomware gang, “0mega,” is suspected of targeting organizations using double extortion\r\ntechniques. Indicators of compromise for this ransomware strain are not yet available in the wild.\r\nStill, as per researchers’ comments, the ransomware appends the “.0mega” extension to encrypted files and creates\r\nransom notes named “DECRYPT-FILES.txt.”\r\nThe figure below shows the 0mega Ransomware data leak site.\r\nFigure 2 – 0mega Ransomware Leak Site\r\nLilith Ransomware\r\nRansomware operators now have another new tool at their disposal, named Lilith Ransomware. 
This threat can\r\naffect many file types and render them completely unusable.\r\nLilith ransomware encrypts files on the victim’s machine and appends the “.lilith” extension to the encrypted files.\r\nAfterward, a ransom note is created on the system to demand payment.\r\nIn this report, Cyble Research Labs conducts a deep analysis of Lilith ransomware to understand its behavior and\r\ninfection mechanism.\r\nTechnical Analysis: Lilith Ransomware\r\nStatic analysis indicates that the Lilith ransomware file is a console-based x64 executable written in\r\nC/C++, as shown below.\r\nFigure 3 – Static information of LILITH Ransomware\r\nUpon execution, Lilith ransomware first searches for a hardcoded list of process names and terminates any of\r\nthose processes that are running on the target’s machine. This step ensures that these processes do not block\r\naccess to the files to be encrypted.\r\nThe figure below shows the APIs the ransomware uses to kill those processes.\r\nFigure 4 – APIs used to Terminate Process Execution\r\nThe full list of hardcoded process names is shown in the figure below.\r\nFigure 5 – List of Processes for Termination\r\nTo identify the services running on the machine, the ransomware first calls the “OpenSCManagerA()” API, which\r\nestablishes a connection to the Service Control Manager (SCM) and gives the TAs access to the SCM\r\ndatabase.\r\nUpon gaining access to this database, the following APIs are called:\r\nOpenServiceA() – Opens the specified service.\r\nQueryServiceStatusEx() – Gets the status of the service.\r\nEnumDependentServicesA() – Retrieves the services that depend on the specified service.\r\nControlService() – Sends a control code to the service, used here to stop it.\r\nIf the “OpenSCManagerA()” API fails to get the handle to the Service Control 
Manager (SCM), the ransomware\r\nskips the service-related API calls below.\r\nFigure 6 – Service-Related APIs\r\nAfter that, the ransomware enumerates the system drives of the victim’s machine and retrieves their information using\r\nAPIs such as GetDriveTypeW(), FindFirstVolumeW(), and FindNextVolumeW().\r\nFigure 7 – System Drive Related APIs\r\nBefore initiating the encryption process, the ransomware drops a ransom note in multiple folders with the file\r\nname “Restore_Your_Files.txt.” The ransom note content is shown in the figure\r\nbelow.\r\nFigure 8 – Malware Writes Ransom Notes\r\nThe ransomware searches for files to encrypt on the local system by enumerating directories using the\r\nFindFirstFileW() and FindNextFileW() API functions. It skips files with extensions such as EXE, DLL, and SYS\r\nand excludes a list of directory and file names from the encryption process (Figure 9).\r\nInterestingly, the exclusion list contains the filename “ecdh_pub_k.bin,” which stores the local public key that\r\nBABUK ransomware uses for file decryption.\r\nFigure 9 – Exclusion List of Folder and File names\r\nThe malware uses cryptographic APIs such as CryptAcquireContextW() and CryptGenRandom() from\r\nADVAPI32.dll to encrypt victims’ files. 
The ransomware generates a random key with the function\r\n“CryptGenRandom()” and then encrypts the files using the encryption routine shown below.\r\nFigure 10 – Encryption Routine\r\nThe figure below shows the WriteFile() operation and the file content before (original) and after (encrypted) encryption.\r\nFigure 11 – WriteFile() Operation\r\nFinally, the malware renames the encrypted file with the “.lilith” extension, replacing the original file, by\r\nusing the “MoveFileExW()” API, as shown below.\r\nFigure 12 – MoveFileExW() API\r\nThe figure below shows files encrypted by Lilith ransomware after the successful infection of a victim’s\r\nmachine.\r\nFigure 13 – Files Encrypted by Lilith Ransomware\r\nIn the dropped ransom note, victims are given three days to negotiate the price of the decryption\r\nsoftware with the TAs. At the end of this deadline, the TAs threaten to begin leaking personal data if the ransom is not paid.\r\nThe ransom note also contains the poison ID for TOX communication and the Onion URL of the leak site page, as\r\nshown in the figure below.\r\nFigure 14 – Ransom Note\r\nThe figure below shows the Onion leak site home page of Lilith ransomware.\r\nFigure 15 – Onion Leak Site\r\nConclusion\r\nRansomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of\r\nthe techniques used by TAs, besides implementing the requisite security best practices and security controls.\r\nRansomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and\r\nlost productivity. 
If the victim is unable or unwilling to pay the ransom, the TAs may leak or sell this data online,\r\ncompromising sensitive user data for businesses and individuals and resulting in a loss of reputation for the\r\naffected organization(s).\r\nThroughout 2021 and 2022, we have observed record levels of ransomware activity. While notable examples of\r\nthis are rebrands of existing groups, newer groups like LILITH, RedAlert, and 0mega are also proving to be potent\r\nthreats.\r\nCyble Research Labs continuously monitors new ransomware campaigns and will keep our readers updated.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Ransomware Attacks\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices\r\nwherever possible and pragmatic. 
\r\nUse a reputable anti-virus and Internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers Should Take the Following Steps After a Ransomware Attack\r\nDisconnect infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpacts and Cruciality of Ransomware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption of the organization’s operations.\r\nFinancial loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nImpact | T1486 | Data Encrypted for Impact\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\nb7a182db3ba75e737f75bda1bc76331a | MD5 | LILITH Ransomware x64 EXE file\r\ncf0fe28214ad4106c48ec5867327319eaa82b3c3 | SHA1 | LILITH Ransomware x64 EXE file\r\nf3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5 | SHA256 | LILITH Ransomware x64 EXE file\r\nf2fa9a3ce883a7f5b43ba5c9ff7bdf75 | MD5 | RedAlert Ransomware Linux file (ELF)\r\nda6a7e9d39f6a9c802bbd1ce60909de2b6e2a2aa | SHA1 | RedAlert Ransomware Linux file (ELF)\r\n039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09 | SHA256 | RedAlert Ransomware Linux file (ELF)\r\nSource: https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/"
	],
	"report_names": [
		"new-ransomware-groups-on-the-rise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec694b8e26248596bddf5f0d6617822b537d0201.pdf",
		"text": "https://archive.orkl.eu/ec694b8e26248596bddf5f0d6617822b537d0201.txt",
		"img": "https://archive.orkl.eu/ec694b8e26248596bddf5f0d6617822b537d0201.jpg"
	}
}