
The Lilith virus is the name of a ransomware threat. The primary objective of this kind of malware is to get access to your computer so that it may begin encrypting your information. This is done so that the virus may blackmail you with a ransom letter in order to get money from you. If victims of the Lilith virus wish to regain access to their data, they are required to pay a significant sum of money in the form of bitcoin.

JAMESWT uncovered Lilith, a console-based ransomware written in C/C++ and intended for 64-bit editions of Windows. Like the majority of ransomware operations launched today, Lilith engages in double-extortion attacks, in which threat actors steal data before encrypting devices.

What Happened?

A new ransomware campaign known as “Lilith” has been launched, and it has already published information on its first victim on a data leak website that was developed to facilitate double-extortion attacks.

According to a paper that was compiled by experts at Cyble who studied Lilith, the newest member of the family does not bring with it any innovations. Despite this, it is one of the most recent dangers that should be watched out for, along with RedAlert and 0mega, all of which debuted quite lately.

Ransomware operators now have another new tool at their disposal, named Lilith Ransomware. This threat can affect many file types and render them completely unusable.

Lilith ransomware encrypts files on the victim’s machine and appends the extension of encrypted files as “.lilith.” Afterward, a ransom note is created on the system to demand payment.

In this report, Cyble Research Labs conducts a deep analysis of Lilith ransomware to understand its behavior and infection mechanism.


Whenever Lilith is executed, it makes an effort to close down programs that correspond to items on a predetermined list. Some of these programs include Outlook, SQL, Thunderbird, Steam, PowerPoint, WordPad, and Firefox, among others.

This frees up important files from any apps that may be utilizing them at the time, making it possible to encrypt them once they have been made accessible.

Before Lilith begins the encryption process, it generates ransom notes and leaves them on each of the files that have been enumerated.

The ransom message allows the victims three days to contact the ransomware perpetrators on the specified Tox chat handle. If they do not, the victims are threatened with having their data made public.

EXE, DLL, and SYS files are not encrypted, and the Program Files folder, web browsers, and the Recycle Bin folder are also skipped by the encryption routine.

It is interesting to note that Lilith also contains an exclusion for the file ‘ecdh_pub_k.bin,’ which is used by BABUK ransomware infections to keep their local public key.

This may be a remnant of copied code, and as such, it may be a clue that the two varieties of ransomware are connected.

In the end, the encryption is performed by using the Windows cryptographic API, while the random key is generated via the CryptGenRandom function that is included in Windows.

When files are encrypted by the ransomware, the “.lilith” file extension is added to the end of each one.
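The appended “.lilith” extension gives defenders a simple behavioural signal. The following is an added example, not part of the original article or the Cyble report: it scans file-rename telemetry and flags any process that appends “.lilith” to many files within a short window. The CSV schema, the sample rows, the threshold and the window length are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample of file-rename telemetry. The CSV schema is hypothetical:
# epoch_seconds,pid,process_image,old_path,new_path (rows in time order).
SAMPLE_EVENTS = r"""1657600000,4120,C:\Users\amy\Downloads\tool.exe,C:\Users\amy\Docs\q1.xlsx,C:\Users\amy\Docs\q1.xlsx.lilith
1657600001,4120,C:\Users\amy\Downloads\tool.exe,C:\Users\amy\Docs\q2.xlsx,C:\Users\amy\Docs\q2.xlsx.lilith
1657600002,812,C:\Windows\explorer.exe,C:\Users\amy\Docs\draft.docx,C:\Users\amy\Docs\final.docx
1657600003,4120,C:\Users\amy\Downloads\tool.exe,C:\Users\amy\Pics\a.jpg,C:\Users\amy\Pics\a.jpg.LILITH
1657600004,4120,C:\Users\amy\Downloads\tool.exe,C:\Users\amy\Pics\b.jpg,C:\Users\amy\Pics\b.jpg.lilith
1657600005,3300,C:\Tools\rename.exe,C:\Temp\notes.txt,C:\Temp\notes.txt.lilith
1657600006,4120,C:\Users\amy\Downloads\tool.exe,C:\Users\amy\Pics\c.jpg,C:\Users\amy\Pics\c.jpg.lilith
1657600400,3300,C:\Tools\rename.exe,C:\Temp\old.log,C:\Temp\old.log.lilith
"""

def appended_lilith(old_path, new_path):
    """True when the new name is the old name plus '.lilith' (case-insensitive)."""
    return new_path.lower() == old_path.lower() + ".lilith"

def find_encryptors(log_text, threshold=5, window_s=60):
    """Return {pid: (image, peak_count)} for processes that appended '.lilith'
    to at least `threshold` files within any `window_s`-second span."""
    recent = defaultdict(deque)  # pid -> timestamps of matching renames
    hits = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:        # skip blank or malformed rows
            continue
        ts, pid, image, old_path, new_path = row
        if not appended_lilith(old_path, new_path):
            continue             # ordinary rename, not the pattern we want
        ts, pid = int(ts), int(pid)
        window = recent[pid]
        window.append(ts)
        while ts - window[0] > window_s:   # drop renames outside the window
            window.popleft()
        if len(window) >= threshold:
            peak = max(len(window), hits.get(pid, (image, 0))[1])
            hits[pid] = (image, peak)
    return hits

if __name__ == "__main__":
    for pid, (image, peak) in find_encryptors(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} appended .lilith to {peak} files")
```

Alerting on a rate rather than a single rename keeps one-off files that happen to carry the extension from raising an alarm.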

How Can Heimdal Help?

Ransomware is one of the most frequent and deadly cyber dangers that exist today, and it has the potential to be devastating in its repercussions. Learning how to avoid it should be a top priority for any organization that is concerned about the safety of its workers, customers, partners, assets, money, and business processes, among other things.

To combat ransomware, you can benefit from the outstanding integrated cybersecurity suite that includes the Ransomware Encryption Protection module, which is universally compatible with any antivirus solution and is completely signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or data-based (including the most recent ones like LockFile).

Author Profile

Dora Tudor

Cyber Security Enthusiast

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
