Lilocked, or Lilu, is a newly observed ransomware targeting Linux-based web servers. As of the time of publication (mid-September 2019), it has infected almost 7,000 servers globally.
The ransomware was first reported by malware researcher Michael Gillespie, who observed the first case of Lilocked when a user uploaded a ransom note to his ID Ransomware website.
At present it is unclear how Lilocked selects its targets, although it appears to be affecting systems running a variety of services, including mail, CMS, and hosting servers.
Once installed, Lilocked encrypts all reachable non-system files before contacting a command-and-control server to confirm that the encryption has succeeded.
After a server is attacked, the encrypted files carry the “.lilocked” file extension. A copy of the ransom note (named #README.lilocked) is left in every folder where the ransomware encrypts files. The ransom note accompanying the encrypted files reads: “I’ve encrypted all your sensitive data!!! It’s a strong encryption, so don’t be naive to restore it;). You can buy a decryption key for a small amount of Bitcoins! You have 7 days to decrypt your files or your data will be permanently lost!!!”.
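The two on-disk indicators described above (the “.lilocked” extension and the #README.lilocked note in each affected folder) are enough to scope an infection during incident response. The following triage script is an added example, not code from the original article; it walks a directory tree, lists encrypted files and ransom notes, flags folders that hold encrypted files but no note (a sign of an interrupted run), and tallies which original file types were hit. The sample directory layout it builds is constructed for the demo, and it assumes the ransomware keeps the original file name and appends “.lilocked”, which is how the reported extension is interpreted here.

```python
"""Added example: file-system triage helper for a suspected Lilocked (Lilu)
infection. Not code from the original article; it uses only the two
indicators the article reports (".lilocked" extension, "#README.lilocked"
note) and is meant for scoping an incident, not for recovering data."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".lilocked"       # extension reported on encrypted files
RANSOM_NOTE = "#README.lilocked"  # note dropped in each affected folder


def scan_tree(root):
    """Walk `root` and summarise Lilocked indicators found under it.

    Returns a dict with relative paths of encrypted files and ransom notes,
    the directories holding encrypted files, the directories where a note
    is missing, and a tally of the original extensions that were hit.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)

    affected_dirs = sorted({p.parent for p in encrypted})
    # Assumption: the original file name is kept and ".lilocked" appended,
    # so stripping the suffix recovers the original extension.
    original_ext = Counter(
        Path(p.name[: -len(ENCRYPTED_EXT)]).suffix or "(none)" for p in encrypted
    )
    rel = lambda p: p.relative_to(root).as_posix()
    return {
        "encrypted_files": sorted(rel(p) for p in encrypted),
        "ransom_notes": sorted(rel(p) for p in notes),
        "affected_dirs": [rel(d) for d in affected_dirs],
        "dirs_missing_note": [
            rel(d) for d in affected_dirs if not (d / RANSOM_NOTE).exists()
        ],
        "original_extensions": dict(original_ext),
    }


def build_sample_tree(root):
    """Create a constructed directory layout mimicking a hit web server.

    Paths and contents are invented for the demo; the note text is the
    first sentence quoted in the article.
    """
    note = b"I've encrypted all your sensitive data!!!"
    files = {
        "var/www/html/index.php.lilocked": b"",
        "var/www/html/config.php.lilocked": b"",
        "var/www/html/#README.lilocked": note,
        "home/alice/report.docx.lilocked": b"",
        "home/alice/#README.lilocked": note,
        "srv/mail/inbox.mbox.lilocked": b"",  # no note: simulates an interrupted run
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",  # system file left alone
    }
    for relpath, content in files.items():
        path = Path(root) / relpath
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    report = demo()
    print(f"{len(report['encrypted_files'])} encrypted files in "
          f"{len(report['affected_dirs'])} directories")
    for d in report["dirs_missing_note"]:
        print("encrypted files but no ransom note:", d)
    print("original extensions hit:", report["original_extensions"])
```

To use it on a real host, call `scan_tree("/")` from a read-only mount or a forensic image rather than the live system, so the scan itself does not alter timestamps the investigation may later rely on.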
The ransom note then asks the affected user to click on a link, which redirects them to a portal on the dark web where they are instructed to enter the key from the ransom note.
Once the key is entered, the Lilocked gang displays the ransom demand, which asks the victim to deposit 0.03 bitcoin (around $325) into an Electrum wallet in order to decrypt their files.
The way the ransomware breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that the crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to obtain root access to servers by unknown means.