Researchers Discover New Lilith Ransomware

July 14, 2022

A new ransomware operation has been launched under the name “Lilith.” The ransomware was discovered by JAMESWT. Lilith is a C/C++ console-based ransomware designed for 64-bit versions of Windows. The ransomware operation engages in double extortion attacks.

The analysis by Cyble researchers shows that before the encryption process is initiated, Lilith creates and drops ransom notes in all the enumerated folders. The note threatens victims with public data exposure and gives them three days to contact the ransomware operators.

Once executed, Lilith will attempt to terminate processes that match entries on a hard-coded list, including Outlook, SQL, Thunderbird, Steam, PowerPoint, WordPad, Firefox, and more. Doing this frees up valuable files from applications that are likely to be using them at the moment, making them available for encryption.

Files excluded from encryption include EXE, DLL and SYS. Program files, web browsers and the folders in the recycle bin are also bypassed.

The researchers also noted that Lilith contains an exclusion for “ecdh_pub_k.bin,” which stores the local public key for BABUK ransomware infections. According to researchers, this could be a leftover from copied code, which could be an indication of a connection between the two ransomware strains.

The ransomware appends the “.lilith” file extension when files are encrypted, and the encryption takes place via the cryptographic API of Windows. The CryptGenRandom function of Windows generates the random key.
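The sequence described above (ransom notes dropped in every enumerated folder before encryption, then “.lilith” appended to file names) gives defenders two alerting points, shown here as detection logic over file events. This is an added example, not part of the original article or of Cyble's analysis; the event format, PIDs, paths, threshold and the note name NOTE.txt are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry: (pid, action, path). The format, PIDs, paths and
# the note name "NOTE.txt" are made up for this example.
EVENTS = [
    (4120, "create", r"C:\Users\a\Documents\NOTE.txt"),
    (4120, "create", r"C:\Users\a\Pictures\NOTE.txt"),
    (4120, "create", r"C:\Shares\finance\NOTE.txt"),
    (4120, "rename", r"C:\Users\a\Documents\budget.xlsx.lilith"),
    (4120, "rename", r"C:\Shares\finance\q2.docx.lilith"),
    (988,  "create", r"C:\Users\a\Documents\draft.docx"),
    (988,  "create", r"C:\Users\a\Desktop\draft.docx"),
]

NOTE_DIR_THRESHOLD = 3      # same file name dropped into this many folders
ENCRYPTED_SUFFIX = ".lilith"

def triage(events, note_dirs=NOTE_DIR_THRESHOLD):
    """Return {pid: verdict}; verdict is 'note-drop' or 'encrypting'."""
    drops = defaultdict(lambda: defaultdict(set))   # pid -> file name -> folders
    verdicts = {}
    for pid, action, raw in events:
        path = PureWindowsPath(raw)
        name = path.name.lower()
        if name.endswith(ENCRYPTED_SUFFIX):
            # Extension appended to an existing name: encryption is under way.
            verdicts[pid] = "encrypting"
        elif action == "create":
            drops[pid][name].add(str(path.parent).lower())
            if len(drops[pid][name]) >= note_dirs:
                # An identical file appearing across folders precedes encryption,
                # so this is the earlier point to alert on and contain.
                verdicts.setdefault(pid, "note-drop")
    return verdicts

if __name__ == "__main__":
    for pid, verdict in triage(EVENTS).items():
        print(pid, verdict)
```

Because the notes are written before any file is encrypted, an alert on the "note-drop" verdict leaves time to isolate the host; the threshold needs tuning against legitimate tools that write the same file into many folders.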

The sources for this piece include an article in BleepingComputer.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
