Lilu/Lilocked ransomware has now infected thousands of Linux servers

An infected directory showing files with a ".lilocked" extension. Image via FOSSBytes
Lilu (also known as Lilocked) is a relatively new ransomware that specifically targets Linux servers. The ransomware has been infecting systems since mid-July and has so far attacked at least 6700 systems. Lilu targets specific file types (like HTML, PHP, and image files) and alters their file extension to ".lilocked." The ransomware also leaves a note instructing affected users to access an Onion site and pay either 0.03 BTC or US $325 to decrypt the affected files.

Linux is known for two things in the computing world: its open-source construction and its security. Since Linux is built differently than Windows, it is typically much harder to infect a Linux-based system with malware or ransomware. Even so, there’s a new breed of ransomware that is infecting an increasing number of Linux servers. The Lilu (or Lilocked) ransomware now affects thousands of Linux servers worldwide.

Not much is known about the ransomware or how it works, but it seems to be specifically targeting Linux servers. Lilu infects a server and locks specific files, changing their file extension to “.lilocked”. The attack also leaves a note that states:

I’VE ENCRYPTED ALL YOUR SENSITIVE DATA!!! IT’S A STRONG ENCRYPTION, SO DON’T BE NAIVE TO RESTORE IT;) [SIC]

YOU CAN BUY A DECRYPTION KEY FOR A SMALL AMOUNT OF BITCOINS!

YOU HAVE 7 DAYS TO DECRYPT YOUR FILES OR YOUR DATA WILL BE PERMANENTLY LOST!!!

The note includes an Onion site where users can paste a key provided at the end of the note. After entering the key, users will be prompted to deposit either 0.03 BTC (~US $310.83 as of publication) or US $325 into an Electrum wallet. After the money is deposited, all of the user’s affected files will supposedly be decrypted, although this has not been verified and relies fully on the promise of the malicious party.

The good news for affected users is that, unlike similar attacks such as WannaCry, system files are left unaltered. Instead, Lilu seems to be targeting HTML, JS, CSS, PHP, and image files. While the attack is likely to derail development or media projects, it doesn’t seem to be affecting the Linux servers as a whole. To date, affected Linux systems are still able to operate normally.
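For administrators who want to check a web root for the ".lilocked" indicator described above, here is a small triage script. It is an added example, not part of the original article; the function name `scan` is illustrative, and it assumes the ransomware appends ".lilocked" to the original file name (e.g. `index.php.lilocked`), which lets it tally affected files by original type.

```python
"""Triage sketch: inventory files renamed with the ".lilocked" extension."""
import os
import sys
from collections import Counter
from datetime import datetime, timezone

MARKER = ".lilocked"  # extension named in the article


def scan(root):
    """Walk root and summarise files whose name ends in MARKER.

    Assumption: the original name is kept and MARKER is appended
    (e.g. index.php.lilocked), so the original type can be recovered.
    """
    by_type = Counter()
    dirs = set()
    earliest = None
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if not name.lower().endswith(MARKER):
                continue
            original = name[: -len(MARKER)]
            ext = os.path.splitext(original)[1].lower() or "(none)"
            by_type[ext] += 1
            dirs.add(dirpath)
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file vanished or unreadable; still counted
            if earliest is None or mtime < earliest:
                earliest = mtime
    return {"by_type": dict(by_type), "dirs": sorted(dirs),
            "earliest_mtime": earliest}


if __name__ == "__main__":
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    total = sum(result["by_type"].values())
    print(f"{total} file(s) ending in {MARKER} "
          f"in {len(result['dirs'])} director(ies)")
    for ext, n in sorted(result["by_type"].items(), key=lambda kv: -kv[1]):
        print(f"  {ext:8} {n}")
    if result["earliest_mtime"] is not None:
        ts = datetime.fromtimestamp(result["earliest_mtime"], tz=timezone.utc)
        print("earliest modification (UTC):", ts.isoformat())
```

The earliest modification time gives a starting point for the incident timeline, and the per-type counts show which content needs restoring from backup.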

Current estimates peg the number of affected systems at about 6700. This estimate may be too low as many infected servers that have reported the malware are not indexed by Google or other search engines (i.e., deep and dark web servers).

The exact mechanics of Lilu are still unknown, so there is currently no method to prevent or protect against the ransomware outside of user competency and awareness. As always, avoid opening suspicious or unknown links and files, and only download applications and dependencies from official repositories.

Sam Medley, 2019-09-08 (Update: 2019-09-08)