9 September 2019

Lilocked (Lilu) ransomware hits thousands of Linux servers


A new ransomware variant named Lilocked (or Lilu) has been targeting Linux-based servers, encrypting the files stored on them and appending the .lilocked extension. The attacks have been happening since mid-July and have intensified in the past two weeks. The new strain was first reported at the end of July by malware researcher Michael Gillespie after a sample was uploaded to his ID Ransomware service. Currently, it appears that the Lilocked ransomware targets Linux-based systems only.

At the moment it is unclear how exactly Lilocked's operators infect their victims. Some users on a Russian-speaking forum speculated that the attackers have been targeting systems running outdated versions of the Exim mail server software. The same thread also mentions that the ransomware somehow managed to obtain root access to the affected servers.

The ransomware encrypts files and appends the .lilocked extension to the file name, then drops a ransom note named #README.lilocked. The ransom note instructs victims on how to make a payment via a Tor payment portal and also provides a key to log in to the payment site. Once the victim has logged in, the portal displays a second ransom note asking for 0.03 bitcoin (roughly $306 at the time of writing) in exchange for the encryption key.

The good news is that Lilocked doesn't encrypt system files, but only a small subset of file extensions such as HTML, JS, CSS, PHP, INI, SHTML and all image formats. According to researchers, Lilocked has encrypted more than 6,700 servers, and many of them have been indexed and cached in Google search results. However, it is suspected that the number of victims could be much higher.
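As an added triage example (not part of the original article, nor any code from the Lilocked operators): the script below walks a directory tree, counts files carrying the .lilocked extension grouped by their original extension, locates #README.lilocked notes, and flags encrypted files whose original extension falls outside the set the article reports, which is the first thing a responder wants to know when sizing an incident on a web server. The targeted extension set is taken from the article, with "all image formats" abbreviated to a few common ones, and the sample directory is constructed in a temporary folder.

```python
# Added triage example (not from the original article): find Lilocked artefacts
# under a directory and summarise them for an incident responder.
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".lilocked"
RANSOM_NOTE = "#README.lilocked"
# Extensions the article reports as targeted (image formats abbreviated; assumption).
TARGETED = {".html", ".js", ".css", ".php", ".ini", ".shtml",
            ".jpg", ".jpeg", ".png", ".gif"}

def triage_lilocked(root):
    """Return a summary of Lilocked artefacts found under root."""
    summary = {"encrypted": [], "notes": [], "by_original_ext": Counter(),
               "unexpected_ext": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                summary["notes"].append(str(path))
            elif name.endswith(ENCRYPTED_SUFFIX):
                original = Path(name[: -len(ENCRYPTED_SUFFIX)])
                summary["encrypted"].append(str(path))
                summary["by_original_ext"][original.suffix.lower()] += 1
                if original.suffix.lower() not in TARGETED:
                    # Outside the behaviour the article describes: worth a closer look.
                    summary["unexpected_ext"].append(str(path))
    return summary

def build_sample_tree():
    """Construct a throwaway directory mimicking an affected web root (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="lilocked_demo_"))
    site = root / "var" / "www" / "html"
    site.mkdir(parents=True)
    for name in ("index.html.lilocked", "app.js.lilocked", "logo.png.lilocked",
                 "config.php.lilocked", RANSOM_NOTE, "notes.txt"):
        (site / name).write_bytes(b"constructed sample content\n")
    (site / "data.sql.lilocked").write_bytes(b"constructed sample content\n")
    return root

if __name__ == "__main__":
    report = triage_lilocked(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    for ext, count in report["by_original_ext"].most_common():
        print(f"  {ext or '(none)'}: {count}")
    if report["unexpected_ext"]:
        print("Encrypted files outside the reported extension set:", report["unexpected_ext"])
```

Point `triage_lilocked` at a mounted copy of the affected filesystem rather than the live server so the scan itself does not alter timestamps that forensics may need.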
