A ransomware strain named Lilocked or Lilu has been affecting thousands of Linux-based servers all over the world since mid-July and the attacks got intensified by the end of August, ZDNet reports.
Lilocked ransomware’s first case got noticed when Micheal Gillespie, a malware researcher uploaded a ransomware note on the website, ID Ransomware. This website is used for identifying the name of ransomware from the ransomware note or from the demand specified in the attack. It is still unknown as to how the servers have been breached.
https://twitter.com/demonslay335/status/1152593459225739265
According to a thread on a Russian-speaking forum, attackers might be targeting those systems that are running outdated Exim (email) software. The forum also mentions that the ransomware managed to get root access to servers by “unknown means”.
Read Also: Exim patches a major security bug found in all versions that left millions of Exim servers vulnerable to security attacks
Lilocked doesn't encrypt system files, but it encrypts a small subset of file extensions, such as JS, CSS, HTML, SHTML, PHP, INI, and other image file formats so the infected servers are running normally. As per the French security researcher, Benkow, Lilocked has encrypted more than 6,700 servers, out of which many have been indexed and cached in Google search results. However, the number of affected servers is much higher. “Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results,” ZDNet reports.
It is easy to identify the servers that have been affected by the ransomware as most of their files are encrypted and they sport a new ".lilocked" file extension.
Image Source: ZDNet
Read Also: Exim patches a major security bug found in all versions that left millions of Exim servers vulnerable to security attacks
The victims are first redirected to a portal on the dark web, where they are asked to enter a key from the ransom note and later are notified that their data has been encrypted. The victims are then asked to transfer 0.03 bitcoin, which is around $325.
https://twitter.com/dulenkp/status/1170091139510218752
https://twitter.com/Zanket_com/status/1171089344460972032
To know more about the Lilocked ransomware in detail, head over to ZDNet.
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime
Other interesting news in security
Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack
Endpoint protection, hardening, and containment strategies for ransomware attack protection: CISA recommended FireEye report Highlights
StackRox App integrates into the Sumo Logic Dashboard for improved Kubernetes security