A ransomware strain named Lilocked or Lilu has been affecting thousands of Linux-based servers all over the world since mid-July and the attacks got intensified by the end of August, ZDNet reports.
Lilocked ransomware’s first case got noticed when Micheal Gillespie, a malware researcher uploaded a ransomware note on the website, ID Ransomware. This website is used for identifying the name of ransomware from the ransomware note or from the demand specified in the attack. It is still unknown as to how the servers have been breached.
#Ransomware Hunt: extension ".lilocked", note "#README.lilocked" – https://t.co/cvaSXon1nN pic.twitter.com/mc2m8rsDFR
— Michael Gillespie (@demonslay335) July 20, 2019
According to a thread on a Russian-speaking forum, attackers might be targeting those systems that are running outdated Exim (email) software. The forum also mentions that the ransomware managed to get root access to servers by “unknown means”.
Lilocked doesn’t encrypt system files, but it encrypts a small subset of file extensions, such as JS, CSS, HTML, SHTML, PHP, INI, and other image file formats so the infected servers are running normally. As per the French security researcher, Benkow, Lilocked has encrypted more than 6,700 servers, out of which many have been indexed and cached in Google search results. However, the number of affected servers is much higher. “Not all Linux systems run web servers, and there are many other infected systems that haven’t been indexed in Google search results,” ZDNet reports.
It is easy to identify the servers that have been affected by the ransomware as most of their files are encrypted and they sport a new “.lilocked” file extension.
The victims are first redirected to a portal on the dark web, where they are asked to enter a key from the ransom note and later are notified that their data has been encrypted. The victims are then asked to transfer 0.03 bitcoin, which is around $325.
May day! May day! #Lilocked aka #Lilu is active and on rampage targeting #servers and web sites, #encrypting the #data located on them.https://t.co/KZod35s4iW#CyberSecurity, #Ransomeware #Cybercrime #ITSecurity, #ITServices, #Awareness
— Dulen K (@dulenkp) September 6, 2019
Experts noticed a new cryptographer Lilocked (Lilu), which has already attacked more than 6K servers (only Linux) Affected servers are easy to detect – most files are encrypted and have the extension .lilocked #Zanket #Linux #Lilocked #Lilu #Hacker #Malware #CyberSecurity
— Zanket.com (@Zanket_com) September 9, 2019
To know more about the Lilocked ransomware in detail, head over to ZDNet.
Other interesting news in security
Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack
StackRox App integrates into the Sumo Logic Dashboard for improved Kubernetes security