Jump to content
Login new information ×
Giveaway Contest ×
Login new information
Giveaway Contest

Thousands of servers infected with new Lilocked (Lilu) ransomware

SwissMiss

By SwissMiss
in Security & Privacy News

Recommended Posts

SwissMiss

SwissMiss

Posted
Posted

Thousands of servers infected with new Lilocked (Lilu) ransomware

Researchers spot new ransomware targeting Linux-based servers.

 

Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu).

 

Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned.

 

Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only.

 

First reports date to mid-July, after some victims uploaded the Lilocked ransom note/demand on ID Ransomware, a website for identifying the name of the ransomware that infected a victim's system.

 

#Ransomware Hunt: extension ".lilocked", note "#README.lilocked" - https://t.co/cvaSXon1nN pic.twitter.com/mc2m8rsDFR

— Michael Gillespie (@demonslay335) July 20, 2019

 

The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

 

Servers hit by this ransomware are easy to spot because most of their files are encrypted and sporting a new ".lilocked" file extension -- see image below.

 

lilocked-victim.png

Image: ZDNet

 

A copy of the ransom note (named #README.lilocked) is available in each folder where the ransomware encrypts files.

 

lilocked-note.png

Image: ZDNet

 

Users are redirected to a portal on the dark web, where they're instructed to enter a key from the ransom note. Here, the Lilocked gang displays a second ransom demand, asking victims for 0.03 bitcoin (roughly $325).

 

lillocked-tor-1.png

Image: ZDNet

 

lilocked-tor-2.png

Image: ZDNet

 

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats.

 

This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results.

 

lilocked-search.png

Image: ZDNet

 

However, the number of victims is suspected to be much much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results.

 

Because the initial entry point for this threat remains a mystery, it's impossible to provide anything but generic security advice to server owners -- who are advised to use unique passwords for all their accounts and keep applications up to date with security patches.

 

The Lilocked gang did not reply to a request for comment sent to the email address they're listing in the ransom note.

 

 

Source: Thousands of servers infected with new Lilocked (Lilu) ransomware

Link to comment
Share on other sites
  • Views 565
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...