New ransomware strain appears to target Linux web servers

A new strain of ransomware has infected thousands of Linux web servers in the past two months, according to a news report.

ZDNet said this morning that the strain is dubbed Lilocked, which is the extension the malware puts on infected files.

Lilocked doesn’t encrypt system files, according to the news story, just a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. As a result, infected servers continue to run normally.

ZDNet reported that the French security researcher Benkow has calculated that Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, ZDnet noted the number of victims is suspected to be much much higher. Not all Linux systems run web servers, it points out, and there are many other infected systems that haven’t been indexed in Google search results.

Victims are asked to transfer 0.030 Bitcoin (worth roughly US$325) to a digital wallet.

At this early stage the way those behind Lilocked breaches servers and encrypts their content isn’t known. The news story says a thread on a Russian-speaking forum theorizes it might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Security experts have suggested that servers must be protected through strong passwords, multi-factor authentication and regular patching.

First reports of infections date to mid-July, says the news story, after some victims uploaded the Lilocked ransom note/demand on ID Ransomware, a website for identifying the name of the ransomware that infected a victim’s system.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now