Thousands Of Linux Servers Have Been Infected By a New Lilu Ransomware

A new ransomware named Lilu or Lilocked has infected thousands of Linux web servers and encrypted their files. The ransomware started infecting web servers back in mid-July and reached its peak in the last two weeks.

This ransomware attack came to light when some users uploaded the Lilocked ransom note on ID Ransomware. For reference, ID Ransomware is a website mainly used for identifying the name of the ransomware that infected the victim's system.

The Lilu ransomware targets web servers and gains root access. However, the infection mechanism is still unknown. A thread on a Russian-speaking forum says that the attackers are mainly targeting Linux devices running outdated Exim software. Exim is mail server (mail transfer agent) software.

What's the aim behind this ransomware attack?

The attackers want to make money by infecting server files and encrypting them. They are demanding 0.03 Bitcoin, or 325 dollars, from the victim for decrypting the infected files.


[Image: lilocked-files]

What actually happens is that when a web server is attacked, the files stored on the server are encrypted and receive a ".lilocked" file extension. There is also a note alongside the encrypted files which reads: "I've encrypted all your sensitive data!!! It's a strong encryption, so don't be naive to restore it;)"

[Image: website to decrypt locked files]

You will find a key in the note, which you need to enter or paste into the box provided when you visit the link given in the note. This link takes you to a web page on the dark web, and once you enter the key there, you are prompted to pay 0.03 Bitcoin, or 325 dollars, to an Electrum wallet if you want all your files decrypted.

[Image: lilocked payment demand]

More About The Ransomware Attack

It is to be noted that the Lilocked ransomware does not encrypt system files. It does affect files with extensions like HTML, SHTML, JS, CSS, PHP, INI, and various image formats. Because the system files are not affected by the ransomware, the infected Linux systems keep running normally.
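A defender triaging an affected host wants a quick inventory of what was encrypted and whether anything outside the web root was touched. The following Python script is an added example, not code from the article or from the ransomware's authors: it walks a directory tree, collects files carrying the ".lilocked" extension, tallies them by the extension they had before encryption, and flags hits under system directories (which the article reports as untouched). The assumption that the suffix is appended to the original name (index.html becoming index.html.lilocked) and the sample directory layout are both constructed for this example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports on encrypted files. Whether the ransomware
# appends it to the original name (index.html -> index.html.lilocked) is an
# assumption made for this example.
LILOCKED_SUFFIX = ".lilocked"

# Directories that hold system files; the article reports these untouched,
# so a hit here is worth flagging separately during triage.
SYSTEM_PREFIXES = ("etc/", "usr/", "bin/", "sbin/", "lib/")


def find_lilocked_files(root):
    """Walk root and return every regular file whose name ends in .lilocked."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(LILOCKED_SUFFIX):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def original_extension(path):
    """Return the extension a file had before the .lilocked suffix was added,
    e.g. 'index.html.lilocked' -> '.html'. Empty string if there was none."""
    name = Path(path).name[: -len(LILOCKED_SUFFIX)]
    return Path(name).suffix.lower()


def summarize(root):
    """Inventory encrypted files under root: total, count per original
    extension, relative paths, and any hits under a system directory."""
    root = Path(root)
    hits = find_lilocked_files(root)
    rel_paths = [p.relative_to(root).as_posix() for p in hits]
    by_ext = Counter(original_extension(p) for p in hits)
    system_hits = [r for r in rel_paths if r.startswith(SYSTEM_PREFIXES)]
    return {
        "total": len(hits),
        "by_extension": dict(by_ext),
        "system_hits": system_hits,
        "paths": rel_paths,
    }


def build_sample_tree(base):
    """Constructed sample layout (not real victim data): a web root with four
    encrypted files, one untouched image, and untouched system files."""
    sample = {
        "var/www/html/index.html.lilocked": b"",
        "var/www/html/app.js.lilocked": b"",
        "var/www/html/style.css.lilocked": b"",
        "var/www/html/config.php.lilocked": b"",
        "var/www/html/logo.png": b"\x89PNG",
        "etc/hostname": b"webserver\n",
        "usr/bin/true": b"",
    }
    for rel, content in sample.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo():
    """Build the constructed tree in a temporary directory and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    result = demo()
    print(f"{result['total']} encrypted files found")
    for ext, count in sorted(result["by_extension"].items()):
        print(f"  {ext or '(no extension)'}: {count}")
    if result["system_hits"]:
        print("WARNING: encrypted files under system directories:",
              result["system_hits"])
    # On a real host, call summarize("/") or summarize("/var/www") instead.
```

Run against "/" on a suspect host, the per-extension tally tells you at a glance whether the damage matches the web-asset pattern the article describes, and a non-empty system_hits list is the signal that the incident differs from what has been reported and needs a closer look before any restore.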


According to Benkow, a French security researcher, more than 6,700 servers have been affected so far, and the count is still rising.
