Another ransomware has made it to the news that is actively exploiting servers. Dubbed as Lilocked (or Lilu), the ransomware encrypts files stored on servers, including Linux servers. The attack vector, however, remains undetermined yet.
Lilocked Ransomware Attacking Servers
Researcher Michael Gillespie has pointed out a new ransomware variant. Identified as ‘Lilocked’ owing to the ‘.lilocked’ extension with which it encrypts the files, the ransomware is already active in the wild since July this year.
The researcher discovered this ransomware when he found its sample on his malware identifying service ‘ID ransomware’.
#Ransomware Hunt: extension “.lilocked”, note “#README.lilocked” – https://t.co/cvaSXon1nN pic.twitter.com/mc2m8rsDFR
— Michael Gillespie (@demonslay335) July 20, 2019
Until recently, Google shows over 6000 servers infected with Lilocked that also appear on Google search results.
The ransomware presently seems active for targeting Linux servers. Moreover, it is also infecting websites according to BleepingComputer and the files they have analysed.
Nonetheless, according to ZDNet, this can’t be taken for granted as not all Linux systems run web servers. Plus, many infected systems do not appear in Google search results.
Malware Entry Point Undetermined
Unfortunately, not much information is available regarding Lilu ransomware. This also includes the mode of entry of the malware to the target systems. One of the Lilocked victims suspected that the malware may exploit Exim to target servers.
Hit the server by order of last user logged in and that user’s directories. Used an Exim exploit.
The affected system was taken offline and replaced, but a copy of it is preserved. Happy to see if the ransomware was actually stored on the drive rather than just in memory.
— Jay Gairson (@maztec) August 5, 2019
As per the details known until now, upon entering a target device, it begins encrypting files with ‘.lilocked’ extension. It then places a copy of the ransom note ‘#README.lilocked’ in every folder it encrypts. The note directs the victim to the attacker’s Tor site for paying the ransom. This site also requires the visitor to enter a key mentioned in the ransom note.
The ransom demanded remains in an average user “payable” range, as the attackers asked for something between 0.01 or 0.03 Bitcoins (around 100 to 300 USD).
What makes Lilu different from other ransomware is that it does not encrypt system files. Rather it basically targets a small subset of file extensions such as .shtml, .jpg, and php.ini files (as observed from the samples).
For now, since the attack vector of the ransomware remains unknown, server owners must ensure robust generic security to prevent such attacks.