There's a new strain of ransomware on the market, and it's already affected thousands of servers, encrypting the files on them. It's called Lilocked ransomware, also known as "Lilu."
Infections of Lilu have been happening since the middle of July, but have become more intense in the past few weeks. Based on the current evidence, Lilocked appears to be targeting Linux-based systems exclusively.
The first reports of Lilocked surfaced in mid-July, after some victims uploaded the ransom note to ID Ransomware, a website that helps users identify the ransomware that is affecting their system.
It's currently unknown how Lilocked actually breaches servers and encrypts the content on them. A thread on a Russian-speaking forum suggests that the crooks could be targeting systems running outdated Exim (email) software. The thread also mentioned that the ransomware was able to get root access to servers, but – once again – how it does this is currently unknown.
One thing that sets Lilocked apart is that servers infected with it continue running normally for a while. It doesn't encrypt system files but instead encrypts a small subset of file extensions, such as JS, HTML, PHP, and image file formats. Because the system files are untouched, the servers keep running as usual. French security researcher Bekow is reporting that Lilocked has managed to encrypt over 6,700 servers, many of which are now indexed and cached in Google search results.
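The selective-encryption behaviour described above points to a check a server owner can run themselves: if only web content is being hit, a sweep of the web root for JS, HTML, PHP and image files whose bytes no longer match what their extension promises will surface the damage before the ransom note does. The script below is an added example, not code from the article or from any analysis of the Lilocked sample; it assumes nothing about the malware beyond the article's description, and the concrete image extensions, magic bytes and entropy threshold are generic choices of the example. Text-type files are judged by byte entropy (encrypted output is near-random, source and markup are not), while images, which are already compressed and therefore high-entropy, are judged by their file header so that legitimate pictures are not flagged.

```python
"""Sweep a web root for content files that no longer look like their extension.

Added example, not code from the article or from any analysis of Lilocked.
It assumes only the behaviour the article describes (JS, HTML, PHP and image
files encrypted, system files untouched); the image extensions, magic bytes
and entropy threshold below are assumptions of this example.
"""
import math
import os
import tempfile
from pathlib import Path

# Text-based web content named in the article: an encrypted copy turns into
# near-random bytes, so byte entropy separates it from real source/markup.
TEXT_EXTS = {".js", ".html", ".php"}

# Image formats are already compressed, so entropy alone would flag every
# legitimate picture. For those we check the header instead (assumed set of
# formats with their standard magic bytes).
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off, real text sits far below
MIN_SIZE = 64            # tiny files give unreliable entropy figures


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(path: Path) -> bool:
    """True when a file's bytes no longer match what its extension promises."""
    ext = path.suffix.lower()
    try:
        data = path.read_bytes()
    except OSError:
        return False
    if ext in IMAGE_MAGIC:
        return not data.startswith(IMAGE_MAGIC[ext])
    if ext in TEXT_EXTS:
        return len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD
    return False


def scan_webroot(root: Path) -> list[str]:
    """Return the paths under root (relative, sorted) that look encrypted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_suspicious(p):
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def build_sample_webroot(root: Path) -> None:
    """Constructed sample tree: two intact files and two encrypted stand-ins."""
    (root / "assets").mkdir(parents=True, exist_ok=True)
    (root / "index.html").write_text(
        "<html><body>" + "<p>hello</p>" * 20 + "</body></html>")
    (root / "assets" / "logo.png").write_bytes(IMAGE_MAGIC[".png"] + bytes(200))
    # Deterministic high-entropy bytes standing in for ciphertext: every byte
    # value appears equally often (entropy 8.0) and the header matches nothing.
    fake_cipher = bytes((i * 131 + 7) % 256 for i in range(4096))
    (root / "config.php").write_bytes(fake_cipher)
    (root / "assets" / "photo.jpg").write_bytes(fake_cipher)


def demo() -> list[str]:
    """Build the constructed tree in a temp dir and return what the sweep flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_webroot(root)
        return scan_webroot(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Run it against a real document root by calling `scan_webroot(Path("/var/www"))` in place of `demo()`; a burst of hits across several extensions at once is the signal worth acting on, since a single odd file is more often a developer mistake than an infection.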
The actual number of infected systems is said to be much higher than Bekow's estimates. Not every Linux system runs a web server, and there are lots of other infected systems that aren't indexed in Google search results. Once the ransomware really kicks in and holds the machines to ransom, it's too late.
Because the initial point of entry for the threat is still unclear, it's impossible to provide users with anything but generic security advice. As always, one of the best ways to mitigate the damage done by ransomware is to have regular system backups both in and out of the network. Server owners are also advised to have unique passwords for their accounts and keep their applications updated with the latest security patches.