A new strain of ransomware has infected thousands of Linux web servers in the past two months, according to a news report.
ZDNet said this morning that the strain is dubbed Lilocked, after the .lilocked extension the malware appends to the files it encrypts.
Lilocked doesn’t encrypt system files, according to the news story, only a small subset of file types, such as HTML, SHTML, JS, CSS, PHP, INI, and various image formats. As a result, infected servers keep booting and running normally; only the web content is held hostage.
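Because the malware leaves the operating system intact, an affected server gives no outward sign beyond the renamed files. The following triage script is an added example, not code from the report or from any party it describes: it walks a web root, counts files carrying the .lilocked suffix by their original extension, and flags any hit outside the extension set the report lists (the image formats and the sample directory tree are assumptions, constructed here so the script runs offline).

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the report names as targeted. The page's list is illustrative
# ("such as ..."); the image formats below are an assumption.
TARGETED_EXTENSIONS = {".html", ".shtml", ".js", ".css", ".php", ".ini",
                       ".jpg", ".jpeg", ".png", ".gif"}
ENCRYPTED_SUFFIX = ".lilocked"


def triage(root):
    """Walk `root` and summarise .lilocked files by original extension.

    Files whose original extension is outside TARGETED_EXTENSIONS are
    listed separately: on a real host that is a hint that the sample
    behaves differently from the reported one and deserves a closer look.
    """
    hits = Counter()
    unexpected = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            original = name[: -len(ENCRYPTED_SUFFIX)]
            ext = Path(original).suffix.lower()
            hits[ext] += 1
            if ext not in TARGETED_EXTENSIONS:
                unexpected.append(os.path.join(dirpath, name))
    total = sum(hits.values())
    return {
        "infected": total > 0,
        "encrypted_files": total,
        "by_extension": dict(hits),
        "unexpected": sorted(unexpected),
    }


def build_sample_tree():
    """Constructed sample web root for the demo; not real victim data."""
    root = tempfile.mkdtemp(prefix="lilocked-demo-")
    layout = {
        "index.html.lilocked": b"",
        "assets/app.js.lilocked": b"",
        "assets/style.css.lilocked": b"",
        "config/settings.ini.lilocked": b"",
        "backup/site.tar.gz.lilocked": b"",   # outside the reported target set
        "uploads/notes.txt": b"untouched",     # not encrypted
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Run it against the document root of each web server you manage (for example `triage("/var/www")`); a non-empty `unexpected` list means the encryption went beyond the file types described in the report.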
ZDNet reported that the French security researcher Benkow has calculated that Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, ZDNet noted the number of victims is suspected to be much higher: not all Linux systems run web servers, it points out, and many infected systems will not have been indexed by Google at all.
Victims are asked to transfer 0.030 Bitcoin (worth roughly US$325) to a digital wallet.
At this early stage, how those behind Lilocked breach servers and encrypt their content isn’t known. The news story says a thread on a Russian-speaking forum theorizes it might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.
Security experts have suggested that servers should be protected through strong passwords, multi-factor authentication and regular patching.
First reports of infections date to mid-July, says the news story, after some victims uploaded the Lilocked ransom note to ID Ransomware, a website that identifies the ransomware family that infected a victim’s system.