Linux servers infected with Lilocked ransomware.

In August and September 2019, researchers identified an increasing number of attacks on Linux servers. A new strain of ransomware has been identified and named Lilocked, or Lilu. Even though the attacks began in mid-July, more servers have been infected in the last two weeks.

The incident was brought to light when an affected user uploaded a ransomware note on ID Ransomware, a website used for identifying the name of ransomware that has encrypted the files in a system. The infected servers can be identified with the file extension of the encrypted files; in this case, .lilocked.

When the user attempts to access the folder, the ransom note below is displayed. 

On clicking the given link, the user is redirected to a website on the dark web where they have to enter the key provided.

After they enter the key, another ransom note is displayed that asks the user to deposit 0.03 Bitcoin (approximately $310) into the Electrum wallet in exchange for the decryption keys.

According to a thread on a Russian forum, the attackers might be targeting Linux-based servers that are running outdated Exim software. The virus does not affect the system files, but instead targets files with extensions including HTML, SHTML, JS, CSS, PHP, and INI. Since the means by which the attackers are carrying out the attacks still haven't been uncovered, users have been advised to reset passwords and apply patches wherever necessary.