LiLocked ransomware, also known as LiLu, is once again active in campaigns, this time affecting thousands of web servers. This is a new strain of the LiLocked ransomware which we wrote about in July this year.
LiLocked Ransomware Currently Targeting Linux-Based Systems
According to security researchers, the ransomware is currently targeting only Linux-based systems, but the method of infection is still unknown. Based on information spotted on a Russian forum, the ransomware operators could be targeting systems running outdated Exim software.
In fact, Exim vulnerabilities are often targeted by attackers, as evidenced by several recent cases. One such attack attempted to infect targeted Exim servers with the so-called Watchbog Linux Trojan. Infected hosts became part of a botnet that was mining the Monero cryptocurrency.
As for the current case, it is highly possible that the ransomware manages to obtain root access on infected servers. Files on infected servers are encrypted and given the .lilocked file extension. It is important to note that the ransomware does not encrypt system files. Instead, it encrypts HTML, SHTML, JS, CSS, PHP and INI files, as well as several image file formats. This means that compromised servers continue to run normally.
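As an added example (not code from the article or from any researcher cited in it), the following Python script gives a defender a read-only way to inventory files carrying the .lilocked extension under a web root and break them down by the extension they had before encryption, flagging any that fall outside the file types the article reports. The web-root layout, the sample filenames and the specific image extensions are assumptions.

```python
"""Added example, not code from the original article: a read-only scan that
finds files carrying the .lilocked extension under a web root and summarises
them by the extension they had before encryption. The web-root layout and the
sample filenames are constructed for illustration."""
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".lilocked"

# File types the article reports LiLocked encrypting. The specific image
# extensions are an assumption: the article only says "several image formats".
EXPECTED_ORIGINAL_EXTENSIONS = {
    ".html", ".shtml", ".js", ".css", ".php", ".ini",
    ".png", ".jpg", ".jpeg", ".gif",
}


def find_lilocked(root):
    """Walk root and return every regular file whose name ends in .lilocked."""
    return sorted(str(p) for p in Path(root).rglob("*" + MARKER) if p.is_file())


def summarise(paths):
    """Group encrypted files by their pre-encryption extension.

    Returns a dict with the total count, a per-extension breakdown, and the
    files whose original extension is outside the set the article describes
    (worth a closer look: either a different strain or an unreported file type).
    """
    by_ext = Counter()
    unexpected = []
    for path in paths:
        name = Path(path).name
        if not name.endswith(MARKER):
            continue  # ignore anything the walker handed us that is not encrypted
        original = Path(name[: -len(MARKER)]).suffix.lower() or "(none)"
        by_ext[original] += 1
        if original not in EXPECTED_ORIGINAL_EXTENSIONS:
            unexpected.append(str(path))
    return {
        "total": sum(by_ext.values()),
        "by_original_extension": dict(by_ext),
        "unexpected": unexpected,
    }


def build_sample_webroot(root):
    """Create a constructed web tree mimicking a partially encrypted server."""
    names = [
        "index.html.lilocked",
        "assets/app.js.lilocked",
        "assets/style.css.lilocked",
        "config/settings.ini.lilocked",
        "notes/readme.txt.lilocked",  # outside the reported file types
        "keep.html",                  # untouched file, must not be reported
    ]
    for name in names:
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
    return names


if __name__ == "__main__":
    # Demonstration on a throwaway directory; point find_lilocked at a real
    # web root (for example /var/www) when triaging an actual server.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        report = summarise(find_lilocked(tmp))
        print(f"{report['total']} encrypted files found under {tmp}")
        for ext, count in sorted(report["by_original_extension"].items()):
            print(f"  {ext}: {count}")
        for path in report["unexpected"]:
            print(f"  outside reported file types: {path}")
```

The scan never opens or modifies the encrypted files, so it can be run from a forensic shell before any recovery work starts; the "unexpected" list is the part worth reading first, since a file type the article does not mention may indicate a different strain or a wider impact than expected.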
There may be more than 6,700 servers encrypted by LiLocked, according to a security researcher known as Benkow on Twitter. The actual number of infected hosts is most likely much higher.