Cyber Threat Actor: Lilith
| Actor Type | Location | Known Incidents |
Criminal
|
France
|
1 incident |
|---|
Profile
The threatactor tracked under the alias Lilith has been identified as operating from France, according to the limited public information available. Lilith emerged into public view on July 4, 2022, when it claimed responsibility for a ransomware attack against a French public reinsurer that specializes in natural disaster coverage. The actor posted a statement on its own dedicated platform, announcing the compromise and threatening to release more than one terabyte of data that had been exfiltrated from the victim’s networks. After a few days, the claim was removed from that platform, while cybersecurity researchers began to collect and analyze samples of the ransomware used in the incident.
The victim organization functions within the insurance and reinsurance industry, providing coverage for natural disaster risks to clients located primarily in France. During the attack, the ransomware encrypted files on the compromised systems and appended the distinctive .Lilith extension to each encrypted file, a detail noted by analysts examining the malware. In addition to file encryption, the actor’s message indicated that the stolen data would be published, a detail highlighted in the public claim made on the actor’s platform. No public disclosures have described the initial infection vector, the specific delivery mechanism, or any ancillary tools employed alongside the ransomware payload.
To date, the July 2022 ransomware event remains the sole publicly reported operation linked to the Lilith alias, with no further campaigns or incidents attributed to the group in open sources. The combination of the alias Lilith, the French operational nexus, and the use of the .Lilith file extension constitutes the primary set of observable identifiers for this threat actor. Because the targeted reinsurer did not release an official statement during the early media coverage, the full scope of the disruption, data loss, or financial consequences remains unspecified in the available reporting. As a result, any profile of Lilith must be confined to the confirmed facts of the single incident and the technical artifact associated with it.
