Thousands of servers infected with the Lilocked Ransomware

September 7, 2019  By Pierluigi Paganini


A new ransomware tracked as Lilocked (or Lilu) by researchers is actively targeting servers and encrypting the data stored on them.

The Lilocked ransomware has already infected thousands of Linux-based web servers since mid-July.

The Lilocked ransomware was first reported at the end of July by the popular malware researcher Michael Gillespie after a sample has been  uploaded to his ID Ransomware service.

The infection caused the encrypted files to appear in the Google search results.

According to the Tweet user Jay Gairson, who discovered that his web server, was compromised by this ransomware, the malware leverages an Exim exploit to target the servers.

This thesis is also supported on a thread on a Russian-speaking forum that speculates the hackers have been targeting systems running outdated Exim software.

At the time of writing security experts are searching for a Lilocked sample to analyze to shed the light on its infection process.

The ransomware encrypts files and appends the .lilocked extension to the file name, then it drops a ransom note named #README.lilocked.

The ransom note instructs victims on how to make ransom payments through a Tor payment portal, it also includes a key to log in to the payment site.

Source: BleepingComputer

The payment portal includes detailed instructions to pay the ransom, including the bitcoin address and ransom amount, that is approximately $100 USD worth of Bitcoin.

“At this time, there is no known way to decrypt files encrypted by Lilu, but if a sample is discovered that may change.” reads the post published by BleepingComputer.

“BleepingComputer has also reached out to the contact email listed on the Tor site with questions, but had not heard back at the time of this publication.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Lilocked, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

CVE-2019-15846 Exim mail server flaw allows Remote Code Execution

 A security flaw in Exim mail servers could be exploited by local or remote attackers to execute arbitrary code with root...