New Lilu or Lilocked ransomware infected several web servers
A new ransomware strain named Lilu, or Lilocked, has affected thousands of web servers around the world. The ransomware started infecting servers in mid-July of this year, but the attacks have recently become more frequent. Based on recent evidence, Lilocked appears to target Linux-based systems only.
The first Lilocked incident came to light when some victims uploaded a ransom note to ID Ransomware, a website that identifies a ransomware strain from its ransom note or from the ransom demand made in the attack.
The ransomware targets servers and then gains root access on them. How the Lilocked gang breaches the servers and encrypts their content is still unknown.
After a server is attacked, its files are encrypted and given the ".lilocked" file extension. A copy of the ransom note (named #README.lilocked) is left in every folder where the ransomware encrypts files. The ransom note accompanying the encrypted files reads: "I've encrypted all your sensitive data!!! It's a strong encryption, so don't be naive to restore it;). You can buy a decryption key for a small amount of Bitcoins! You have 7 days to decrypt your files or your data will be permanently lost!!!".
The ransom note then asks the affected user to click on a link. Clicking the link redirects the user to a portal on the dark web, where they are instructed to enter the key from the ransom note. Once the key is entered, the Lilocked gang displays the ransom demand, which asks the victim to deposit 0.03 bitcoin (i.e. around $325) in an Electrum wallet in order to decrypt their files.
Lilocked ransomware does not encrypt system files. It encrypts only files with extensions such as HTML, JS, SHTML, CSS, INI and PHP, along with various image file formats. Since the system files are not affected, infected servers continue running normally. According to Benkow, a French security researcher, Lilocked has encrypted over 6,700 servers. Many of these servers have been indexed and cached in Google search results.
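Because an infected server keeps running normally, the ".lilocked" files and the #README.lilocked notes are the visible signs an administrator can sweep for. The following script is an added example, not code from the researchers or from the article; it assumes the extension is appended to the original file name (the sample names such as index.php.lilocked are constructed), and it reports which directories are affected and which original file types were hit.

```python
import os
import sys
import tempfile
from collections import Counter

ENC_SUFFIX = ".lilocked"        # extension named in the article
NOTE_NAME = "#README.lilocked"  # ransom note name from the article


def scan_tree(root):
    """Map each affected directory to its note flag and encrypted file names."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow symlinks
        enc = sorted(f for f in files if f.endswith(ENC_SUFFIX) and f != NOTE_NAME)
        if enc or NOTE_NAME in files:
            hits[dirpath] = {"note": NOTE_NAME in files, "encrypted": enc}
    return hits


def original_types(hits):
    """Count the extension before .lilocked (assumes the suffix is appended)."""
    counts = Counter()
    for info in hits.values():
        for name in info["encrypted"]:
            ext = os.path.splitext(name[: -len(ENC_SUFFIX)])[1].lower().lstrip(".")
            counts[ext or "(none)"] += 1
    return counts


def build_sample(root):
    """Constructed sample: one affected web directory and one clean directory."""
    web = os.path.join(root, "site")
    os.makedirs(web)
    os.makedirs(os.path.join(root, "etc"))
    for name in ("index.php.lilocked", "app.js.lilocked", "logo.PNG.lilocked", NOTE_NAME):
        open(os.path.join(web, name), "w").close()
    open(os.path.join(root, "etc", "hosts"), "w").close()
    return web


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root is tmp:
            build_sample(tmp)  # no path given: run on the constructed tree
        hits = scan_tree(root)
    for d, info in sorted(hits.items()):
        print(f"{d}: note={info['note']} encrypted={len(info['encrypted'])}")
    print("original types:", dict(original_types(hits)))
```

Passing a web root as the first argument scans that tree instead of the constructed sample.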
» SPAMfighter News - 9/19/2019