Executive Summary
Cyble recently reported on Lilith Ransomware, which appends the .lilith extension to encrypted files.
Key Takeaways
- Lilith is written in C/C++ and targets Windows systems.
- Lilith selectively terminates processes so it can access files to encrypt.
- Lilith appends the .lilith extension to encrypted files.
- The threat actors behind Lilith use a double extortion tactic to coerce victims to pay a ransom.
Lilith ransomware is a console-based x64 executable written in C/C++ that targets 64-bit Windows systems. It was originally discovered by JAMESWT, and Cyble published the analysis; Cyble did not provide details on the initial infection chain. Once executed, Lilith looks for a hardcoded list of processes in a file, using the OpenSCManagerA() API to access the service control manager database. If one of these processes is running on the victim machine, Lilith terminates it so that it cannot block access to the files to be encrypted.
The processes include the following:
- sql.exe
- oracle.exe
- ocssd.exe
- dbsnmp.exe
- synctime.exe
- agntsvc.exe
- isqlplussvc.exe
- xfssvccon.exe
- mydesktopservice.exe
- ocautoupds.exe
- encsvc.exe
- firefox.exe
- tbirdconfig.exe
- mydesktopqos.exe
- ocomm.exe
- dbeng50.exe
- sqbcoreservice.exe
- excel.exe
- infopath.exe
- msaccess.exe
- mspub.exe
- onenote.exe
- powerpnt.exe
- steam.exe
- thebat.exe
- thunderbird.exe
- visio.exe
- winword.exe
- wordpad.exe
- notepad.exe
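A burst of terminations across this process list is a usable detection signal on its own, because the processes above are otherwise unrelated (database services, browsers, Office applications). The following is an added example, not code from the original report or from Cyble, that scans simplified Sysmon-style ProcessTerminate (Event ID 5) lines and alerts when several distinct kill-list processes end within a short window. The log line format and the sample lines are constructed for this example; real Sysmon events are XML in EVTX and would need a different parser.

```python
import re
from collections import deque
from datetime import datetime, timezone

# Process names the report says Lilith terminates before encrypting (from the page).
KILL_LIST = {
    "sql.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe",
    "agntsvc.exe", "isqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe",
    "ocautoupds.exe", "encsvc.exe", "firefox.exe", "tbirdconfig.exe",
    "mydesktopqos.exe", "ocomm.exe", "dbeng50.exe", "sqbcoreservice.exe",
    "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe",
    "powerpnt.exe", "steam.exe", "thebat.exe", "thunderbird.exe", "visio.exe",
    "winword.exe", "wordpad.exe", "notepad.exe",
}

# Simplified one-line rendering of a Sysmon event; this layout is an assumption
# made for the example, not Sysmon's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Image=(?P<image>.+?)\s+ProcessId=(?P<pid>\d+)$"
)

# Constructed sample log: one lone notepad exit in the morning, then a tight
# cluster of kill-list processes ending within two seconds.
SAMPLE_LOG = """\
2023-07-12T09:00:00Z EventID=5 Image=C:\\Windows\\System32\\notepad.exe ProcessId=1200
2023-07-12T10:15:01Z EventID=1 Image=C:\\Windows\\System32\\cmd.exe ProcessId=4000
2023-07-12T10:15:02Z EventID=5 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ProcessId=4120
2023-07-12T10:15:02Z EventID=5 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE ProcessId=4133
2023-07-12T10:15:03Z EventID=5 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ProcessId=3011
2023-07-12T10:15:03Z EventID=5 Image=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe ProcessId=3050
2023-07-12T11:30:00Z EventID=5 Image=C:\\Windows\\explorer.exe ProcessId=900
""".splitlines()


def parse_terminations(lines):
    """Yield (timestamp, lowercase image basename) for each ProcessTerminate event."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("eid") != "5":
            continue  # malformed line or not a termination event
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        name = m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        yield ts, name


def detect_kill_bursts(lines, window_seconds=60, min_distinct=3):
    """Return [(window_start, sorted process names)] for every burst in which at
    least min_distinct different kill-list processes terminated within
    window_seconds of each other."""
    events = sorted(parse_terminations(lines))  # oldest first
    alerts = []
    window = deque()  # (ts, name) pairs inside the current sliding window
    for ts, name in events:
        if name not in KILL_LIST:
            continue
        window.append((ts, name))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        names = {n for _, n in window}
        if len(names) >= min_distinct:
            alerts.append((window[0][0], sorted(names)))
            window.clear()  # one alert per burst, not one per additional process
    return alerts


if __name__ == "__main__":
    for start, names in detect_kill_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()} kill-list burst: {', '.join(names)}")
```

The threshold and window are tunable: three distinct kill-list processes in a minute is unusual on a workstation, while a single Office or browser exit is routine and must not page anyone. Sysmon records that a process ended, not who ended it, so this heuristic complements rather than replaces process-creation telemetry for the ransomware binary itself.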
Prior to encrypting a victim’s files, Lilith drops the ransom note Restore_Your_Files.txt in folders targeted for encryption. The ransom note uses double extortion tactics, with the threat actors threatening to leak stolen data if the ransom is not paid. Victims are given three days to negotiate a ransom price.
Lilith searches for files to encrypt, using FindFirstFileW() and FindNextFileW() to enumerate the directories. It ignores certain file extensions such as EXE, DLL, and SYS. Cyble noted Lilith also excludes the file ecdh_pub_k.bin, which contains the local public key for Babuk ransomware. For encryption, Lilith uses cryptographic APIs such as CryptAcquireContextW() and CryptGenRandom() from ADVAPI32.dll. Lilith appends the .lilith extension to encrypted files.
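The file-level behaviour described above (the .lilith extension, the Restore_Your_Files.txt note in each targeted folder, the skipped EXE/DLL/SYS extensions and the untouched ecdh_pub_k.bin) gives an incident responder a quick way to scope an affected host. The following is an added triage example, not code from the original report, Cyble or PolySwarm; it walks a directory tree, counts encrypted files per folder, flags folders that hold encrypted files but no ransom note, flags .lilith files whose original extension Lilith is reported to skip, and lists any ecdh_pub_k.bin key files. The directory layout it builds is constructed for the example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".lilith"               # extension appended by Lilith (from the page)
RANSOM_NOTE = "Restore_Your_Files.txt"  # note dropped in each targeted folder (from the page)
KEY_FILE = "ecdh_pub_k.bin"             # Babuk-style key file Lilith leaves alone (from the page)
SKIPPED_EXTS = {".exe", ".dll", ".sys"}  # extensions the report says Lilith ignores


def triage(root):
    """Scan root for Lilith indicators and return a summary dict."""
    root = Path(root)
    encrypted, notes, key_files = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if fn == RANSOM_NOTE:
                notes.append(p)
            elif fn == KEY_FILE:
                key_files.append(p)
            elif fn.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(p)

    per_dir = Counter(str(p.parent.relative_to(root)) for p in encrypted)
    # "setup.exe.lilith" has stem "setup.exe"; its inner suffix is the original extension.
    unexpected = [p for p in encrypted if Path(p.stem).suffix.lower() in SKIPPED_EXTS]
    dirs_with_note = {p.parent for p in notes}
    missing_note = sorted({p.parent for p in encrypted} - dirs_with_note)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "per_directory": dict(per_dir),
        "unexpected_encrypted": sorted(str(p.relative_to(root)) for p in unexpected),
        "dirs_missing_note": [str(d.relative_to(root)) for d in missing_note],
        "key_files": sorted(str(p.relative_to(root)) for p in key_files),
    }


def build_sample_tree(root):
    """Create a constructed layout resembling a host after Lilith ran (sample data)."""
    root = Path(root)
    layout = {
        "Documents/report.docx.lilith": b"\x00ciphertext",
        "Documents/budget.xlsx.lilith": b"\x00ciphertext",
        "Documents/Restore_Your_Files.txt": b"ransom note text (constructed)",
        "Documents/ecdh_pub_k.bin": b"untouched key file (constructed)",
        "Tools/setup.exe": b"MZ",                 # EXE, expected to be skipped
        "Tools/odd.exe.lilith": b"\x00ciphertext",  # an EXE that was encrypted anyway
        "Photos/holiday.jpg": b"\xff\xd8 plain",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Folders with encrypted files but no note, and encrypted files whose original extension the sample is said to skip, are worth a closer look during response: they may point to a different variant, a second tool, or simply a note that was deleted, and the ecdh_pub_k.bin hits tell you which folders to preserve for the forensics team.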
IOCs
PolySwarm has a sample of Lilith.
f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5
You can use the following CLI command to search for all Lilith samples in our portal:
$ polyswarm link list -f Lilith