Lilu (Lilocked) Ransomware Started Infecting Thousands of Linux Servers Back to Back

The very first case of Lilocked ransomware came to light when a user uploaded a ransomware note on ID Ransomware, a website used for identifying the name of ransomware from the ransomware note or demand specified in the attack.

It targets servers and gains its root access. The mechanism behind however it gets access in unknown yet.

According to a Russian forum, bad actors might be targeting Linux-based servers that are running defunct Exim software.

Demand – 0.03 Bitcoin

After a server has been attacked, the files are locked with “.lilocked” file extension.

The note accompanied with the encrypted files reads: “I’ve encrypted all your sensitive data!!! It’s a strong encryption, so don’t be naive to restore it;)”

Upon clicking the link in the note, users are redirected to a website on the dark web, prompting them to enter the key in the note. When the affected user enters the key, they are asked to deposit 0.03 bitcoin or $325 in the Electrum wallet to get their files decrypted.

Lilock ransomware does not affect system files but files with extensions including HTML, SHTML, JS, CSS, PHP, INI, and other image formats. Since system files are not affected, Linux systems are running normally.