A new ransomware named Lilu, or Lilocked, has infected thousands of Linux web servers and encrypted their files. The ransomware started infecting web servers in mid-July and has reached its peak in the last two weeks.
This ransomware attack came to light when some users uploaded the Lilocked ransom note or demand to ID Ransomware, a website mainly used for identifying the name of the ransomware that infected a victim's system.
The Lilu ransomware targets web servers and gains root access. However, the mechanism it uses is still unknown. A thread on a Russian-speaking forum says that the attackers are mainly targeting Linux devices running outdated Exim software. Exim is email software.
What's the aim behind this ransomware attack?
The attackers want to make money by infecting the servers' files and encrypting them. They are demanding 0.03 Bitcoin or 325 dollars from the victim for decrypting the infected files.
When a web server is attacked, the files stored on the server are encrypted and given a ".lilocked" file extension. A note is left alongside the encrypted files, which reads: “I’ve encrypted all your sensitive data!!! It’s a strong encryption, so don’t be naive to restore it;)”
The note contains a key, which you need to enter or paste into the box provided when you visit the link given in the note. The link leads to a web page on the dark web, and when you enter the key there, you are prompted to make a payment of 0.03 Bitcoin or 325 dollars to an Electrum wallet if you want to get all your files decrypted.
More About The Ransomware Attack
Note that the Lilocked ransomware does not infect system files. It does affect files with extensions such as HTML, SHTML, JS, CSS, PHP and INI, as well as various image formats. Because the system files are not affected by the ransomware, the infected Linux systems keep running normally.
According to Benkow, a French security researcher, more than 6,700 servers have been affected so far, and the number is still rising.
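For triage on a possibly affected server, the following added example (not part of the original article) walks a directory tree, lists files carrying the ".lilocked" extension described above, groups them by their original file type, and reports the range of their modification times. The function name `scan`, the report fields and the default path are assumptions made for this illustration.

```python
import os
import sys
from collections import Counter
from pathlib import Path

MARKER = ".lilocked"  # extension the article says encrypted files receive
# File types the article names as affected (it lists no specific image formats).
NAMED_TYPES = {".html", ".shtml", ".js", ".css", ".php", ".ini"}


def scan(root):
    """Walk `root` and summarise files that carry the .lilocked extension."""
    hits, unreadable, mtimes = [], [], []
    by_type, by_dir = Counter(), Counter()
    # onerror records directories that could not be listed instead of skipping them silently.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: unreadable.append(e.filename)):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            full = os.path.join(dirpath, name)
            original = name[: -len(MARKER)]  # file name before the marker was appended
            ext = Path(original).suffix.lower() or "(none)"
            by_type[ext] += 1
            by_dir[dirpath] += 1
            hits.append(full)
            try:
                mtimes.append(os.lstat(full).st_mtime)  # lstat: do not follow symlinks
            except OSError:
                unreadable.append(full)
    return {
        "hits": sorted(hits),
        "by_type": dict(by_type),
        "by_dir": dict(by_dir),
        # Types seen on disk that the article does not name explicitly.
        "other_types": sorted(set(by_type) - NAMED_TYPES),
        # Earliest and latest modification time of the marked files, in epoch seconds.
        "window": (min(mtimes), max(mtimes)) if mtimes else None,
        "unreadable": unreadable,
    }


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else ".")  # default path is an assumption
    print(f"{len(report['hits'])} file(s) ending in {MARKER}")
    for ext, n in sorted(report["by_type"].items(), key=lambda kv: -kv[1]):
        print(f"  {ext:10} {n}")
    if report["window"]:
        print("modification-time window (epoch seconds):", report["window"])
    for path in report["unreadable"]:
        print("could not read:", path)
```

The modification-time window gives a first estimate of when encryption ran, which helps when choosing a backup to restore from and when narrowing log review.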