[Virus/malware activity reported: Lilith ransomware]

In response to a breach believed to be in the form of Lilith ransomware,
we would like to confirm the situation and provide a warning as follows.

Lilith Ransomware

The ransomware is called LILTH and appears to be changing all files with the extension .Lilith.

How it works

file version

[Figure 1 File version]

[Figure 2 File properties]

behavioral process

• Drop the file into the Temp folder location

  Create and run an executable file that performs file encryption actions in a temporary folder location.

  
  [Figure 3 File creation]

• Deleting shadow copies

  Delete shadow copies to prevent restoration of encrypted files

  
  [Figure 4 Deleting shadow copies]

Infection results

The information file is created in each folder with the name Restore_Your_Files.txt, and when encryption is performed, the files are changed to <encrypted file name.lilith>.

[Figure 5 Infection result 1]

[Figure 6 Infection result 2]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 7 Block message]

[Figure 8 Blocking details]

Watch the Lilith blocking video