9 September 2019

Lilocked (Lilu) ransomware hits thousands of Linux servers

A new ransomware variant named Lilocked (or Lilu) has been targeting Linux-based servers, encrypting files stored on them and appending the .lilocked extension. The attacks have been happening since mid-July and have intensified in the past two weeks. The new strain was first reported at the end of July by the malware researcher Michael Gillespie after a sample was uploaded to his ID Ransomware service. Currently, it appears that the Lilocked ransomware targets Linux-based systems only.

At the moment it is unclear how exactly Lilocked's operators infect their victims. Some users on a Russian-speaking forum speculated that the attackers have been targeting systems running outdated versions of the Exim mail software. A thread also mentions that the ransomware somehow managed to obtain root access to the servers.

The ransomware encrypts files and appends the .lilocked extension to the file name, then drops a ransom note named #README.lilocked. The ransom note instructs victims on how to make a payment via a Tor payment portal and also provides a key to log in to the payment site. Once the victim logs in, the portal displays a second ransom note asking for 0.03 bitcoin (roughly $306 at the time of writing) in exchange for the encryption key.

The good news is that Lilocked doesn't encrypt system files, but only a small subset of file extensions such as HTML, JS, CSS, PHP, INI, SHTML and all image formats. According to researchers, Lilocked has encrypted more than 6,700 servers, and many of them have been indexed and cached in Google search results. However, it is suspected that the number of victims could be much higher.
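The two on-disk indicators the article describes (files renamed with a .lilocked suffix and a #README.lilocked note in affected directories) are enough for a quick triage scan of a web root. The script below is an added example, not code from the article; it walks a directory tree, counts encrypted files, records which original extensions were hit, and lists the directories holding a ransom note. The sample tree it builds is constructed for the demonstration.

```python
"""Triage scan for Lilocked (.lilocked) ransomware artefacts on a Linux web root.
Added example, not from the article. Indicators are taken from the article:
encrypted files carry a .lilocked suffix and affected directories receive a
ransom note named #README.lilocked."""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".lilocked"
RANSOM_NOTE = "#README.lilocked"


def scan_tree(root):
    """Walk root and report encrypted-file count, the original extensions
    that were encrypted, and every directory that contains a ransom note."""
    encrypted = 0
    original_ext = Counter()
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                note_dirs.append(os.path.relpath(dirpath, root))
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted += 1
                stem = name[: -len(ENCRYPTED_SUFFIX)]  # original file name
                ext = os.path.splitext(stem)[1].lower() or "(none)"
                original_ext[ext] += 1
    return {"encrypted_files": encrypted,
            "original_extensions": dict(original_ext),
            "note_dirs": sorted(note_dirs)}


def build_sample_tree():
    """Constructed sample web root mimicking an infection (not real data)."""
    root = tempfile.mkdtemp(prefix="lilocked_demo_")
    layout = {
        "site/index.html.lilocked": "", "site/app.js.lilocked": "",
        "site/style.css.lilocked": "", "site/#README.lilocked": "note",
        "site/img/logo.png.lilocked": "", "site/img/#README.lilocked": "note",
        "site/config.php": "<?php", "etc/passwd": "root:x:0:0",  # untouched
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))  # run against "/var/www" on a real host
```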
