9 September 2019

Lilocked (Lilu) ransomware hits thousands of Linux servers


A new ransomware variant named Lilocked (or Lilu) has been targeting Linux-based servers, encrypting the files stored on them and appending the .lilocked extension. The attacks have been happening since mid-July and have intensified in the past two weeks. The new strain was first reported at the end of July by the malware researcher Michael Gillespie after a sample had been uploaded to his ID Ransomware service. Currently, it appears that the Lilocked ransomware targets Linux-based systems only.

At the moment it is unclear how exactly Lilocked's operators infect their victims. Some users on a Russian-speaking forum speculated that the hackers have been targeting systems running outdated versions of Exim software. A thread also mentions that the ransomware somehow managed to get root access to servers.

The ransomware encrypts files and appends the .lilocked extension to the file name, then drops a ransom note named #README.lilocked. The ransom note instructs victims on how to make a payment via a Tor payment portal and also provides a key to log in to the payment site. Once the victim has logged in, the portal displays a second ransom note asking for 0.03 bitcoin (roughly $306 at the time of writing) in exchange for the encryption key.

The good news is that Lilocked doesn't encrypt system files, but only a small subset of file extensions such as HTML, JS, CSS, PHP, INI, SHTML and all image formats. According to researchers, Lilocked has encrypted more than 6,700 servers, and many of them have been indexed and cached in Google search results. However, it is suspected that the number of victims could be much higher.
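The on-disk indicators described above (the .lilocked suffix and the #README.lilocked note) can be used to check a server for this pattern. The following Python script is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".lilocked"        # suffix appended to encrypted files (from the article)
NOTE_NAME = "#README.lilocked"  # ransom note file name (from the article)

def scan(root):
    """Walk root; return encrypted paths, ransom-note dirs, original-extension counts."""
    encrypted, note_dirs, ext_counts = [], [], Counter()
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name == NOTE_NAME:  # check first: the note also ends in .lilocked
                note_dirs.append(dirpath)
            elif name.lower().endswith(ENC_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                original = name[:-len(ENC_SUFFIX)]  # file name before encryption
                ext = os.path.splitext(original)[1].lower() or "(none)"
                ext_counts[ext] += 1
    return sorted(encrypted), sorted(note_dirs), ext_counts

def earliest_mtime(paths):
    """Oldest modification time among paths (epoch seconds), or None if empty."""
    times = [os.stat(p, follow_symlinks=False).st_mtime for p in paths]
    return min(times) if times else None

def build_sample_tree(root):
    """Create a constructed tree that imitates the file naming the article describes."""
    layout = ["site/index.html.lilocked", "site/app.js.lilocked",
              "site/img/logo.png.lilocked", "site/#README.lilocked",
              "site/notes.txt", "etc/passwd"]  # last two: untouched files
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, notes, exts = scan(tmp)
        print(f"{len(enc)} encrypted file(s); ransom note in {len(notes)} dir(s)")
        for ext, count in exts.most_common():
            print(f"  {ext}: {count}")
        print("earliest encrypted-file mtime:", earliest_mtime(enc))
```

To check a real host, call `scan()` on the web root or another data directory instead of the temporary sample tree; the earliest modification time is only a rough hint for the incident timeline.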

 
