The new Lilith ransomware victimises via double extortion attacks

July 19, 2022
New Lilith Ransomware Double Extortion Cyberattacks Dark Web

Dark web investigators recently identified a new ransomware operation called Lilith after its operators posted their first victim on their leak site for double extortion campaigns.

The new Lilith ransomware is designed for the 64-bit Windows version and is a C/C++ console-based payload. According to the initial studies on the new ransomware, its operators conduct a double extortion attack wherein they first steal victims’ data before encrypting their infected machines.


Similar to Lilith, two other ransomware variants had recently emerged in the cybercrime landscape, which include the RedAlert and 0mega ransomware – both victimising their targets via double extortion attacks.


Once launched in an affected computer, the Lilith ransomware would begin by terminating processes such as Outlook, Microsoft Office, Steam, and Firefox, among others. Researchers believe that the Lilith ransomware does this because terminating these processes could free up any important files from the mentioned apps and make them available to be encrypted.

Lilith also drops ransom notes before it triggers the encryption process. From the note, the threat operators would give the targets a maximum of three days to contact them, or else they would leak the stolen data to the public.

Moreover, several file types are excluded from Lilith’s encryption process, including exe, dll, and sys. Some web browsers, the program files, and the recycle bin are also excluded. Researchers also link the Lilith ransomware with Babuk after finding that it excludes file storage of the latter’s local public key infections from encryption.

Lilith’s encryption process will use Windows’ cryptographic API, while the Windows’ CryptGenRandom function would produce the random key. All files encrypted by the Lilith ransomware are appended with the [.]Lilith file extension.

The threat operators had already removed the first victim from their leak site, which researchers said to be a construction firm from South America. Typically, these threat operators remove their victims’ data if they have reached a mutual agreement – likely towards the hackers’ favours.

Since the Lilith ransomware is yet in its earliest stage of double extortion campaigns, experts and organisations must stay cautious about its potential threats. Furthermore, as most of these new variants are rebrands from old strains, they must be well-knowledgeable about evading authorities and some other critical intricacies of performing cyberattacks.

About the author

Leave a Reply