Thousands Of Servers Infected With New Lilocked (Lilu) Ransomware



lilocked

Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu).

Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only.

First reports date to mid-July, after some victims uploaded the Lilocked ransom note/demand on ID Ransomware, a website for identifying the name of the ransomware that infected a victim's system.

The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Infected servers continue to run normally... for now.

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results.

However, the number of victims is suspected to be much much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results. Once they kick this into gear and block the machines for ransom, this will be a bloodbath.

Because the initial entry point for this threat remains unclear, it's impossible to provide anything but generic security advice to server owners -- who are advised to use unique passwords for all their accounts and keep applications up to date with security patches. Full story and screenshots over at ZDNet: https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/#ftag=RSSbaffb68


RanSim

Free downloadable software tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

RanSim gives you a quick look at the effectiveness of your existing network protection. RanSim will test 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/ransim

Topics: Ransomware



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews