September 30, 2023

A new ransomware operation, Lilith, has emerged and has already posted its first victim on its leak site.

Lilith is a C/C++ console-based ransomware built to target 64-bit Windows systems. Once running, it tries to terminate processes that match entries on a hardcoded list. The list includes processes for Steam, Outlook, SQL, PowerPoint, Thunderbird, Firefox, and WordPad.


Once the encryption process starts, Lilith creates and drops ransom notes in all the folders, one by one. The note gives the victim three days to contact the attackers, or else the data will be leaked.

After a successful infection, Lilith encrypts files using the Windows cryptographic API and generates the random key with the Windows CryptGenRandom function. During encryption, it ignores several file extensions, such as EXE, DLL, and SYS.

It also excludes a list of directories and specific file names from the encryption process. Lilith has an exclusion for ecdh_pub_k[.]bin, which stores the local public key of the BABUK ransomware. This could be a remnant of copied code, or it may be a link between the two ransomware families.


After encryption, the ransomware adds the ‘.lilith’ file extension to encrypted files. After locking the important files stored on the system, the ransomware operators demand ransom for decryption.
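The two file-system behaviours described above (a note dropped in every folder and files renamed with the '.lilith' extension) can be correlated per process for detection. The following is an added example, not code from the original post: the "pid|action|path" event format, the thresholds, and the note file name NOTE_PLACEHOLDER.txt are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".lilith"  # extension named in the write-up
MIN_RENAMES = 3            # assumed thresholds; tune to your telemetry
MIN_NOTE_DIRS = 3

# Constructed sample events "pid|action|path"; the note file name is a placeholder.
SAMPLE_EVENTS = r"""
4120|create|C:\Data\HR\NOTE_PLACEHOLDER.txt
4120|rename|C:\Data\HR\payroll.xlsx.lilith
4120|create|C:\Data\Finance\NOTE_PLACEHOLDER.txt
4120|rename|C:\Data\Finance\q3.docx.lilith
4120|create|C:\Data\Legal\NOTE_PLACEHOLDER.txt
4120|rename|C:\Data\Legal\nda.pdf.LILITH
988|create|C:\Users\bob\Documents\report.docx
988|rename|C:\Users\bob\Documents\report-final.docx
2204|create|C:\Repo\a\README.md
2204|create|C:\Repo\b\README.md
2204|create|C:\Repo\c\README.md
"""

def parse_events(text):
    """Yield (pid, action, path) tuples from the constructed log format."""
    for line in text.strip().splitlines():
        pid, action, path = line.split("|", 2)
        yield int(pid), action, PureWindowsPath(path)

def detect(text):
    """Return {pid: details} for processes showing both behaviours."""
    renames = defaultdict(int)
    created = defaultdict(lambda: defaultdict(set))  # pid -> file name -> dirs
    for pid, action, path in parse_events(text):
        if action == "rename" and path.suffix.lower() == ENCRYPTED_EXT:
            renames[pid] += 1
        elif action == "create":
            created[pid][path.name.lower()].add(str(path.parent).lower())
    alerts = {}
    for pid, count in renames.items():
        # The same file name created in many folders looks like a ransom note.
        name, dirs = max(created[pid].items(), key=lambda kv: len(kv[1]),
                         default=(None, set()))
        if count >= MIN_RENAMES and len(dirs) >= MIN_NOTE_DIRS:
            alerts[pid] = {"renames": count, "note_name": name,
                           "note_dirs": len(dirs)}
    return alerts

if __name__ == "__main__":
    for pid, info in detect(SAMPLE_EVENTS).items():
        print(pid, info)
```

Requiring both signals keeps benign cases quiet, such as process 2204 in the sample, which creates the same file name in several folders but renames nothing to '.lilith'.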

Organizations are advised to stay vigilant and put adequate security measures in place, such as encrypting important data and deploying reliable anti-malware solutions.
