The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Lilith Ransomware

Aug 4, 2022 2:37:11 PM / by PolySwarm Tech Team


Executive Summary

Cyble recently reported on Lilith Ransomware, which appends the .lilith extension to encrypted files.

Key Takeaways

  • Lilith is written in C/C++ and targets Windows systems.
  • Lilith selectively terminates processes so it can access files to encrypt.
  • Lilith appends the .lilith extension to encrypted files.
  • The threat actors behind Lilith use a double extortion tactic to coerce victims to pay a ransom.
What is Lilith?

Lilith ransomware, which targets 64-bit Windows systems, is a console-based x64 architecture executable written in C/C++. Lilith was originally discovered by JAMESWT, and analysis was published by Cyble. Cyble did not provide details on the initial infection chain. Once Lilith is executed, the ransomware looks for a list of hardcoded processes in a file, using “OpenSCManagerA()” API to access the service control manager database. If the process is detected on the victim machine, Lilith terminates the process, so it does not block access to the files to be encrypted.

The processes include the following:
  • sql.exe
  • oracle.exe
  • ocssd.exe
  • dbsnmp.exe
  • synctime.exe
  • agntsvc.exe
  • isqlplussvc.exe
  • xfssvccon.exw
  • mydesktopservice.exe
  • ocautoupds.exe
  • encsvc.exe
  • firefox.exe
  • tbirdconfig.exe
  • mydesktopqops.exe
  • ocomm.exe
  • dbeng50.exe
  • sqbcoreservice.exe
  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • powerpnt.exe
  • steam.exe
  • thebat.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • notepad.exe

Prior to encrypting a victim’s files, Lilith drops the ransom note Restore_Your_Files.txt in folders targeted for encryption. The ransom note uses double extortion tactics, with the threat actors threatening to leak stolen data if the ransom is not paid. Victims are given three days to negotiate a ransom price.

Lilith searches for files to encrypt, using FindFirstFileW() and FindNextFileW() to enumerate the directories. It ignores certain file extensions such as EXE, DLL, and SYS. Cyble noted Lilith also excludes the file ecdh_pub_k.bin, which contains the local public key for Babuk ransomware. For encryption, Lilith uses cryptographic APIs such as CryptAcquireContextW() and CryptGenRandom() from ADVAPI32.dll. Lilith appends the .lilith extension to encrypted files.


PolySwarm has a sample of Lilith.


You can use the following CLI command to search for all Lilith samples in our portal:

$ polyswarm link list -f Lilith

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Ransomware, Lilith, Lilithcrypt

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts